The South Korean privacy regulator has announced that updated privacy laws will come into effect next week, addressing contentious issues like data sharing in life-threatening situations.
In a press statement released on Tuesday, the Personal Information Protection Commission (PIPC) confirmed that amendments to the Personal Information Protection Act and associated legislation have received final approval. The green light came during a cabinet meeting held on September 5, officially sanctioning the legal changes.
In the statement, Ko Hak-soo, the chairperson of the PIPC, remarked, “This marks the first comprehensive revision to the legislation by the South Korean government since the law’s inception in 2011. We’ve been diligent in heeding the calls from our citizens demanding enhanced civil rights protections, as well as feedback from industry professionals seeking more refined regulations.”
Among the key updates, the PIPC has fine-tuned the privacy law to enable swifter sharing of crucial personal information in life-threatening scenarios. The prior version of the law permitted exceptions for data controllers to disseminate personal data to third parties in clear-cut situations—such as protecting life, body, or property—when the individual in question or their representative couldn’t express consent or was unreachable.
The legislation attracted considerable attention in 2021 when SOCAR, a car-sharing company, declined to release information about a customer implicated in criminal activities, citing data privacy laws. The company came under heavy fire from the public after a delayed handover of the critical information hindered police efforts to prevent the individual from committing a sexual assault on a 13-year-old girl.
“Previously, due to the two conditions outlined in the old law, entities handling personal data often interpreted it quite restrictively, fearing potential violations,” an official from the Personal Information Protection Policy Division at the PIPC told The Readable. “In the updated legislation, we’ve removed these conditions, opting instead for clearer phrasing.”
Meanwhile, the PIPC has standardized the time frame for data breach notifications to 72 hours. Under the previous law, personal information controllers were required to report data leaks to regulators within five days, while information and communication service providers had just 24 hours to report their situation.
“We sought a middle ground between the two differing timelines,” said an official from the General Investigation Division at the PIPC. “The aim of this amendment is to align our regulations with international standards. We’ve adopted the 72-hour notification requirement, which is consistent with the General Data Protection Regulation (GDPR).”
