Data protection in South Korea: Why you need to pay attention

15 August 2018

Much media attention has been focused on the EU’s comprehensive new data privacy law, the General Data Protection Regulation (GDPR). But Europe is not the only place where multinationals need to be concerned about privacy.

South Korea has some of the world’s strictest privacy laws, according to the International Association of Privacy Professionals. If you’re considering doing business in South Korea, here’s what you need to know.

Personal Information Protection Act

The Personal Information Protection Act (PIPA) is South Korea’s main privacy law. Similar in structure to the GDPR, PIPA gives South Koreans controls over how their personal information is collected and used. Personal information is defined as anything that identifies an individual or can easily be combined with other information to do so.

Here is a summary of the rights the law gives to citizens. You will notice many similarities to the GDPR.

Disclosure: Companies must explain what data they intend to collect and what they intend to do with it. They must say for how long they will use and retain the data, and they must inform subjects of their rights.

Opt-out: Companies must allow users to opt out of providing personal information for data collection purposes.

Third parties: If a company intends to share personal information with a third party, it must obtain separate consent and explain how the other party will use the data.

International transfers: South Koreans must consent to having their personal information — including data related to employment — transferred to another country.

Copies: Upon written request, companies must supply individuals with a copy of the personal information they have collected. Unlike the GDPR, PIPA doesn’t specify that the copy must be electronic.

Correcting errors: Companies are required to maintain accurate data and must correct errors that are pointed out to them.

Deletion: Individuals have the right to have their personal information deleted. 

Companies must also follow rules for keeping personal information secure and provide notifications in the event of a data breach. They must appoint a data privacy officer, who does not have to register with the government but who will deal with authorities in the event of a violation.

Network Act

In addition to PIPA, South Korea has a law known as the Network Act that applies specifically to information gathered over the internet. This law was updated last year to include regulations for online advertising.

Companies that collect information about consumers' interests and preferences in order to serve up customized ads must inform consumers about the type of information they collect, allow them to opt out, and let them know how long the data will be retained. They must name any third parties to whom they provide the information and tell subjects who they can complain to if they feel they've been wronged.

Companies should minimize the amount of information they collect and refrain from using “sensitive” personal data — which includes information about beliefs, personal relationships, academic background or illness — without specific consent.

App service providers and smartphone manufacturers must obtain consent for users’ personal data stored on smartphones. They must distinguish between optional and necessary reasons for access and allow users to opt out when legally permissible.

Credit Information Act

South Korea has a law that applies specifically to credit information and ratings. To collect credit information, businesses need to obtain a license from the Financial Services Commission. They need to make clear the purposes of collection or investigation, keep credit information accurate and up-to-date, and follow retention and deletion regulations. Information they collect can only be used to determine creditworthiness for specified commercial transactions.


Finally, the country has a separate law governing transactions in the financial industry, which says that banks may not reveal information (except to relevant legal authorities) about transactions related to a deed or trust without written consent from the owner or trustee. If they receive a legal information request, they must let clients know within 10 days what information was transferred and where it went. Another part of the law says that financial institutions must conduct business only with people using their real names.

Stiff Penalties

South Korea takes its privacy laws seriously, especially when it comes to protecting personal data from outsiders. Fines of over $4 million have been assessed for data breaches.

Recent updates to the Network Act allow the government to charge companies penalties of three times the amount of damages suffered by their customers if they send data internationally without proper consent. They can also be charged up to 3 percent of revenue they made from unauthorized overseas data transfers. Criminal prosecution, though rare, is also possible.

South Korea’s early adoption of data privacy laws and its commitment to upholding them demonstrates that emphasis on individual rights is not limited to the West. Companies with customers or employees in South Korea should review their data privacy laws and keep abreast of changes to make sure they stay in compliance.


Paul Sutton, Head of Legal Advisory Group, contributed to this article.