South Korea has enacted stricter penalties for violations of data protection or privacy requirements by telecommunications and online service providers, including potentially steep damages in the wake of a data breach.
The amendment (the “Amendment”) to South Korea’s Act on the Promotion of IT Network Use and Information Protection (“Network Act”) became law on March 22, 2016 and will become effective on September 23, 2016.
The increased penalties and stricter privacy standards are consistent with recent amendments in other Korean privacy laws, such as the Personal Information Protection Act and the Utilization and Protection of Credit Information Act.
Some of the key changes in the Amendment are summarized below.
- Punitive Damages Provision. Service Providers may be liable for fines amounting to three times actual damages where a Plaintiff/Information Subject can demonstrate that personal information was breached as the result of intentional or gross negligence by the Service Provider (Article 32, Clauses 2 and 3).
- Forfeiture of Profits. Any profits that a Service Provider gains through privacy-related violations of the Network Act are subject to confiscation and forfeiture (Article 75, Clause 2).
- 3% Fine of Related Revenue. Service Providers that transfer personal information outside of Korea for access, management and storage abroad (“Overseas Transfer”) must obtain prior consent from the Information Subject. If a Service Provider fails to obtain prior consent, it may be subject to fines of up to three percent of the revenue related to the Overseas Transfer (Article 32, Section 2).
- Accountability of Senior Officers. For violations of the Network Act by Service Providers, the Korean Communications Commission may also recommend disciplinary action against the chief executive officer or other senior officers of the Service Provider (Article 69, Section 2).