Hogan Lovells - Asia-Pacific Data, Privacy and Cybersecurity Guide 2025 - Flipbook - Page 51
South Korea
South Korea has firmly established itself as
one of the toughest jurisdictions for data
protection and privacy compliance in APAC.
Provisions of the over-arching Personal
Information Protection Act (PIPA) and
the IT Network Act are supplemented by
sector-specific laws, creating a very difficult
compliance environment.
South Korea’s rigorous approach to data
protection is reflected in the European
Commission’s adoption, in December 2021, of a
finding that South Korea has broadly equivalent
standards of data privacy protection, meaning
that there are no additional requirements for
transfers of personal data from the EU to South
Korea (such as the use of standard contractual
clauses or binding corporate rules).
The PIPA is well known for its requirement of
separate, unbundled consents for a number
of data collection and processing contexts,
including international transfers of personal
data (save in limited circumstances where
international transfer is permissible without
consent), and the need to notify data subjects
of the specific identity of data processors.
Unusually for the APAC region, the
PIPA does provide some scope for “legitimate
interests” processing of personal data without
data subject consent (although this is
narrower than “legitimate interests” under
the GDPR).
However, the practical scope of this exception
is very limited, applying only in cases where
the data controller’s legitimate interests clearly
override the rights of the data subject. Official
guidelines provide that the preparation of
supporting materials for the collection of
service fees or the collection of debts, and
the commencement or continuation of legal
action are examples of what may constitute a
‘legitimate interest’.
In February 2023, the National Assembly
passed the proposed amendments to the PIPA
(the Amendment Act), which later
took effect.
Key features of the Amendment Act include,
amongst other things:
· New data portability right: a data subject
will have the right to request that a data
controller which meets specific standards transfer
personal data to a government-designated
specialised personal data management
agency or another data controller that meets
similar standards (to be defined).
· The Personal Information Protection
Commission (“PIPC”): under the Amendment
Act, the PIPC will be granted the additional
power to order a data controller to suspend
cross border transfers of personal data in
the event that it determines such transfer
breaches the PIPA or where there is a high
risk of harm to data subjects.