I am a Senior CIAM Solution Engineer. While doing research to prepare for a client conversation, I discovered a number of International Data Protection laws that are less talked about than GDPR or CCPA, but are important considerations for global brands. To help you better navigate the complex realm of global data privacy regulations, I'm compiling my research into a series of blog posts.
First, I'm going to discuss the Personal Information Protection Act (PIPA) and the "Act on Information Network Promotion and Safety Act" (Network Act) in South Korea.
About South Korea's Data Privacy Laws
The laws apply to any "Personal Information Controller" which can be "a public institution, legal person, organization, individual...that processes personal information directly or indirectly to operate the personal information files for official or business purposes." With this broad scope, PIPA has a very direct impact on all businesses in South Korea or doing business with South Korean citizens. These laws describe what personal information is, how it can be processed, when consents are required and the legal rights of a data subject. They also describe the governing body that will be formed to protect the public, enforce the laws and levy fines accordingly.
From PIPA - Chapter 1, Article 4 (Rights of Data Subjects)
A data subject has the following rights in relation to the processing of his/her own personal information:
1. The right to be informed of the processing of such personal information;
2. The right to consent or not, and to elect the scope of consent, to the processing of such personal information;
3. The right to confirm the processing of such personal information, and to request access (including the provision of copies; hereinafter the same applies) to such personal information;
4. The right to suspend the processing of, and to request a correction, erasure, and destruction of such personal information;
5. The right to appropriate redress for any damage arising out of the processing of such personal information in a prompt and fair procedure.
Penalties for Data Breaches
The original PIPA penalties are focused on fines levied and collected when data breaches occur. The addition of the Network Act allows the government to Levy fines for data sent internationally without proper consent. This can be up to 3% of the revenue they made from unauthorized overseas data transfers. These organizations can also be criminally prosecuted. These penalties are substantial and very much in line with the penalties related to regulations such as GDPR (EU General Data Protection Regulation) or CCPA.
Impact on Businesses
While I'm not an international law expert, I have worked with brands throughout the globe to implement customer identity and access management (CIAM) systems that meet their business objectives, whether eliminating data silos, enabling omnichannel application access, personalizing customer experiences, or complying with data privacy regulations.
It's my experience that many businesses must adjust their marketing and data management practices to comply with regional data privacy regulations, such as PIPA and the Network Act, or otherwise risk steep fines, criminal prosecution, and consumer mistrust. CIAM is a solution many brands choose to eliminate data silos that make actioning many of the data subject rights difficult. With a CIAM system, brands can more easily implement granular consent management, scoped access by user and for downstream applications, and respond to data subject requests to review, correct or erase their personal information.
If you're interested in learning more about global data privacy regulations and CIAM, read our white paper, GDPR, CCPA, and Beyond: How Identity Governance Helps Companies Comply and Improve Customer Trust.
Full English version of PIPA - http://law.go.kr/lsInfoP.do?lsiSeq=195062&urlMode=engLsInfoR&viewCls=engLsInfoR#0000
Privacy Laws in South Korea Wiki Page
Well written blog post about the South Korean Privacy Laws that started my deeper reading.
Network Act Details