
Final Report Group #2

Uploaded by

Andres Alcivar

DIGITAL LAW AND REGULATION

FINAL REPORT – GROUP #2

2023-12-03

REPORT ON KOREAN PERSONAL INFORMATION PROTECTION ACT

GROUP MEMBERS:
1. ANDRES ALCIVAR ALBAN

2. BALJINNYAM JAVZANDULAM

3. BANDEKE DIEUDONNE QASSIM

4. BEKALE SYRIELLE CLEMENCE


REPORT ON KOREAN PERSONAL INFORMATION PROTECTION
ACT
To address the relevant topics of this law, as a group we have planned the following structure:

• General description of the Personal Data Protection Law: In this section, we will analyze
the rights and obligations that the law grants to the different stakeholders.
• Consequences of non-compliance with the law: In this section, we will analyze the legal
consequences that may arise from non-compliance with the law.
• Enforcement of the law: In this section, we will analyze the mechanisms established to
ensure compliance with the law.
• Conclusions: In this section, we will summarize the main findings of the report.

1. Overview of the Personal Information Protection Act


The Personal Information Protection Act (PIPA) is legislation that aims to safeguard
the privacy and personal data of individuals. The primary purpose of PIPA is to regulate
the collection, use, and disclosure of personal information in a manner that respects the rights and
privacy of individuals.

The Korean Personal Information Protection Act deals with aspects like Definition of Personal
Information, Data Collection and Consent, Purpose Limitation, Data Security, Data Retention and
Deletion, Access and Correction, Data Transfer, Accountability of Data Controllers, Enforcement
and Penalties, Notification of Data Breaches, and Rights of Data Subjects.

2. Rights and Obligations

The Korean Personal Information Protection Act deals with various aspects like definition of
personal information, data collection and consent, purpose limitation, data security, data retention
and deletion, access and correction, data transfer, accountability of data controllers, enforcement
and penalties, notification of data breaches and rights of data subjects.

The amended Personal Information Protection Act (PIPA) of South Korea is a comprehensive and
forward-looking privacy law that introduces several new obligations and rights for data controllers
and data subjects, respectively. This new and updated law is set to come into force on September
15, 2023.

Data controllers under the amended PIPA will have the following obligations:

The data controllers must obtain consent from data subjects before collecting, using, or
disclosing their personal data, unless certain limited circumstances apply. Personal data should be
kept secure through technical and organizational security measures. It should also be retained only
for as long as necessary for the purposes for which it was collected. Data subjects have the right to
access, correct, or delete inaccurate or incomplete personal data and withdraw their consent at any
time. Finally, data controllers must respond to complaints about the handling of personal data in a
timely and effective manner to build trust and ensure ethical and responsible handling of personal
data.

Data subjects under the amended PIPA will have the following rights:

Under the amended Personal Information Protection Act (PIPA) of South Korea, data subjects
have several new and updated rights. These include the right to know whether a data controller
holds personal information about them and to access that information, including the purpose of
processing, categories of personal data processed, and recipients or categories of recipients to
whom the personal data has been or will be disclosed.

Data subjects also have the right to request that a data controller correct or delete inaccurate or
incomplete personal information about them, the right to withdraw consent to the collection, use, or
disclosure of their personal information at any time, and the right to object to the processing of their
personal information for certain purposes, such as direct marketing.

Additionally, data subjects have the right to data portability, which allows them to receive their
personal data in a machine-readable format and transmit it to another organization without
hindrance. They also have the right to request an explanation from a data controller in relation to
decisions made based on fully automated means without any human involvement, such as AI-driven
systems, if such decisions significantly affect their rights or obligations.

3. Consequences of non-compliance with the act


This section points out some consequences of non-compliance with the Korean Personal
Information Protection Act:

Administrative Sanctions and Fines: the Personal Information Protection Commission (PIPC) in
South Korea has the authority to impose administrative sanctions on organizations (data controllers)
that fail to comply with the PIPA. Sanctions may include warnings, corrective orders, suspension of
personal information processing, and fines.

Criminal Penalties: in cases of serious violations like intentional or negligent breaches of the Act,
individuals responsible for the violations may face criminal penalties, including imprisonment.

Business Suspension: the PIPC may have the authority to suspend an organization's business
operations if it determines that the violation is severe and ongoing.

Compensation for Damages: individuals whose rights have been violated due to non-compliance
with the PIPA may have the right to seek compensation for damages through legal action against
the responsible organization (data controller).

Reputational Damage: non-compliance with data protection laws can lead to reputational damage.
News of privacy violations can erode public trust, and businesses may suffer from a negative public
perception.

Mandatory Corrective Measures: the PIPC may require organizations (data controllers) to take
specific corrective actions to address the non-compliance. This could include implementing new
policies, conducting privacy impact assessments, or making changes to data processing practices.

Data Processing Restrictions: in cases of serious non-compliance, the PIPC may order
restrictions on an organization's (or data controller's) ability to process personal information. This
could impact the normal operations of the business.

Global Impact: if a business operates in multiple jurisdictions, non-compliance with data protection
laws in one region can have a cascading effect. It may lead to investigations or sanctions in other
regions where the company operates.

4. Enforcement of the act


The consequences of non-compliance with the law support its effectiveness, but we also
need to look specifically at how this law is enforced. PIPA is a crucial piece of legislation in South
Korea that safeguards the privacy of individuals by regulating the collection, use, and disclosure of
personal data. Its enforcement has gained momentum in recent years, driven by several compelling
factors.

The proliferation of data-intensive industries like artificial intelligence (AI), big data analytics, and
machine learning has led to an unprecedented demand for personal information. These businesses
rely on vast amounts of data to train algorithms, develop personalized services, and gain insights
into consumer behavior. Consequently, the potential for misuse or unauthorized access to personal
data has heightened, necessitating stricter regulations to protect individual privacy.

PIPA mandates that organizations clearly define the purpose for collecting personal information
before obtaining consent from individuals. This ensures that data is not collected for purposes
unrelated to the individual's knowledge or expectations, preventing the potential for misuse.
Additionally, PIPA advocates for data minimization, requiring organizations to only collect the
minimum amount of personal information necessary for the specified purpose. This principle
prevents the unnecessary collection and storage of sensitive data, reducing the potential for data
breaches and unauthorized access.

Furthermore, PIPA establishes clear timelines for retaining personal information, ensuring that it is
not stored indefinitely. This safeguard prevents organizations from using individuals' personal data
for purposes beyond their original consent, protecting individuals from having their data exploited for
unauthorized purposes. Additionally, PIPA promotes transparent data processing practices,
mandating that organizations provide clear and accessible information to individuals about how their
personal information is being collected, used, and shared. This transparency empowers individuals
to make informed decisions about their data and exercise their data rights effectively.

The enforcement of PIPA is a testament to South Korea's commitment to safeguarding the privacy
of its citizens in the face of a rapidly evolving digital landscape. By strengthening data protection
measures and empowering individuals to control their personal information, the country is fostering
a more secure and trustworthy digital ecosystem.

5. Conclusions

In conclusion, the PIPA constitutes a significant regulatory framework that has contributed to privacy
protection in South Korea. The law has played a pivotal role in fostering a culture of privacy
awareness and has endowed South Korean citizens with a set of rights and safeguards for their
personal data.

The Personal Information Protection Act of South Korea, PIPA, represents a milestone in privacy
protection and the ethical handling of personal information. Its balanced approach between
individual rights and corporate responsibilities, supported by substantial penalties, is crucial for its
effectiveness.

The sanctions stipulated by the PIPA for non-compliance are substantial, underscoring the gravity
with which data protection is regarded in South Korea. Fines and penalties can exert a significant
monetary impact on offending entities, serving as a potent incentive for organizations to rigorously
adhere to regulatory standards, thereby reinforcing a compliance culture.

The efficacy of any law hinges on its practical application. In the case of the PIPA, proper
enforcement is essential to ensure its success. As technology evolves and the associated risks in
data management change, enforcing authorities must stay abreast of developments and proactively
address emerging challenges.

Nevertheless, the PIPA is not without its imperfections. One of its primary limitations lies in its failure
to adapt to technological changes. As technology evolves, so do the risks associated with data
management. The PIPA must exhibit flexibility to accommodate these changes; otherwise, it may
risk losing its effectiveness.

In our assessment, the PIPA stands as a robust regulatory framework that has positively impacted
privacy protection in South Korea. However, it is imperative that the legislation remains current and
adaptable to technological changes to continue serving as an effective advocate for privacy in the
digital age.

NAME: BANDEKE DIEUDONNE QASSIM

COUNTRY: BURUNDI

Implications and learnings from the Korean Personal Information Protection Act in relation
to Burundi’s Law
Personal information is the lifeblood of the digital economy. It powers personalized services, drives targeted advertising,
and fuels the growth of data-driven businesses. However, this reliance on personal data also raises significant concerns
about privacy and security. Individuals are increasingly worried about how their personal information is collected, used,
and shared, and they are demanding greater control over their digital identities.

The South Korean Personal Information Protection Act (PIPA) is a crucial piece of legislation that safeguards the rights
of individuals regarding their personal information. This act aims to establish a standard for the collection, use, and
disclosure of personal information by organizations within a specific jurisdiction. The PIPA contains many features which
arguably reflect the general trend in modern data privacy statutes.

As for Burundi, the country does not have a law that specifically regulates personal data protection. However, several
laws and regulations currently in force contain data protection provisions or impose confidentiality obligations on specific
types of personal information. For example, employment, banking, telecommunications and health sector
laws impose some data protection requirements. Such provisions generally require covered entities to maintain the
confidentiality of personal information.

The Prevention and Repression of Cybercrime Law no. 1/10 of March 16, 2022: this framework aims to prevent and
repress all cyber offenses committed in Burundi or outside Burundi if these offenses have produced their effects in
Burundi, as well as all criminal offenses whose detection requires the collection of ICT proof.

Under Law n° 1/012 of May 30, 2018, on the Code of Health Care and Health Services Provision in Burundi, healthcare
institutions are required to maintain the confidentiality of patient information, unless confidentiality is waived in cases
provided for by law.

Law No. 1/17 of August 22, 2017, governing banking activities: Article 133 imposes confidentiality obligations on
customer and account information. This article provides that any person who contributes to the operation, control or
supervision of a banking institution is bound to professional secrecy. Violations are enforced under penal code provisions
without prejudice to disciplinary proceedings.

While the PIPA places a particular emphasis on Data Subjects’ consent, there are some features which need
improvement in modern data privacy trends. For instance, unless exceptions apply, obtaining consent is a crucial
prerequisite for transborder transfer of Personal Information. With this consent, Personal Information can cross borders
without limitation, and, in principle, there is no room for regulators to intervene regarding transborder flows of Personal
Information. This contrasts with some modern approaches, under which regulators are expected to play a more active role,
whether or not individuals have consented to information transfers, so that transborder transfer of personal information is
permitted to be made to entities in countries with an adequate level of personal information protection.

To conclude, I may say that personal information protection is a complex and evolving issue. As technology continues
to develop, new challenges will emerge. It is essential for individuals, businesses, and governments to work together to
develop effective solutions and best practices for protecting personal information in the digital age.

NAME: BEKALE SYRIELLE CLEMENCE

COUNTRY: CAMEROON

Obligations of businesses and Organizations under the act in South Korea

This report provides an overview of the key obligations imposed on businesses and organizations operating in the
telecommunications sector in South Korea under the Information and Communications Network Act (ICNA). The ICNA
plays a pivotal role in regulating various aspects of the telecommunications industry, encompassing issues such as data
protection, network security, consumer rights, and compliance with regulatory authorities.

Introduction:
The Information and Communications Network Act (ICNA) in South Korea serves as the primary legislative framework
governing the telecommunications sector. Enacted to promote the responsible utilization of information and
communications networks, the ICNA outlines specific obligations that businesses and organizations within this sector must
adhere to.

Protection of Personal Information:


One of the paramount obligations imposed by the ICNA is the protection of personal information. Telecommunications
entities are mandated to implement robust measures to safeguard user data, ensuring compliance with stringent
guidelines governing data collection, storage, and processing.

Network Security:
The ICNA emphasizes the importance of maintaining the security of information and communications networks.
Telecommunications businesses are obliged to establish and uphold measures that prevent unauthorized access, data
breaches, and other cybersecurity threats, contributing to the overall resilience of the sector.

Compliance with Regulatory Authorities:


Businesses and organizations operating in the telecommunications sector must adhere to the directives and regulations
set forth by the regulatory authorities, notably the Korea Communications Commission (KCC). Compliance with regulatory
frameworks ensures the orderly functioning of the industry and facilitates the achievement of broader national
telecommunications objectives.

Emergency Services Support:


The ICNA recognizes the critical role of the telecommunications sector in emergency situations. Telecommunication
service providers are obligated to support emergency services and collaborate with relevant authorities to ensure effective
communication during emergencies or disasters.

Interconnection Obligations:
Interconnection obligations are integral to the ICNA, requiring telecommunication operators to establish seamless
connections with other operators. This facilitates interoperability and contributes to the overall efficiency and effectiveness
of telecommunications services.

Conclusion:
In conclusion, the obligations outlined under the ICNA in South Korea form a comprehensive framework designed to
regulate and enhance various aspects of the telecommunications sector. Adherence to these obligations is essential for
businesses and organizations to contribute to the growth and development of a robust and consumer-friendly
telecommunications environment in the country. As legislative landscapes evolve, ongoing attention to compliance and
regulatory updates remains paramount for stakeholders in the telecommunications industry.

NAME: ANDRES ALCIVAR ALBAN

COUNTRY: ECUADOR

Impact on the application of the Personal Data Protection Law in Ecuador

Personal information has become the most valuable resource in the digital age, comparable to oil in
the traditional economy and a fundamental currency in the digital economy. The rapid pace of
technological progress has brought with it risks of vulnerability, which has motivated the need to
adjust data protection regulations to address this phenomenon.

This is why the enactment of the Personal Information Protection Act in South Korea (PIPA) has
significant implications that reverberate beyond its national borders, directly impacting the reflection
and application of similar regulations in other countries, such as Ecuador, which in 2021 established
the Organic Law on Personal Data Protection.

The implementation of this data protection law is essential, not only to meet international
expectations, but also to safeguard the fundamental rights of citizens in an increasingly
interconnected world.

For this reason, I believe that the adoption of stricter privacy principles can help to foster greater
awareness and respect for data protection in all sectors of Ecuadorian society. By recognizing the
importance of privacy, businesses and organizations could invest in safer and more ethical practices
in the management of personal information, generating a positive cultural shift in favor of privacy
protection.

However, it is crucial to keep in mind that the successful implementation of a data protection law in
Ecuador, inspired by examples such as the PIPA, will require careful adaptation to local realities and
challenges. Considering the particularities of the Ecuadorian context, including socioeconomic and
cultural aspects, will be essential to ensure that the legislation not only meets international
standards, but is also effective and accessible to all citizens.

In conclusion, the application of the data protection law in Ecuador is significant and offers a valuable
opportunity to strengthen and modernize current legislation. However, this process must be carefully
adapted to local realities, considering both global benefits and the specific needs of Ecuadorian
society, without forgetting the exponential growth of technology worldwide.

NAME: BALJINNYAM JAVZANDULAM

COUNTRY: MONGOLIA

Impact on the application of the Personal Data Protection Law in Mongolia

The Personal Data Protection Law (PDPL) in Mongolia has had a significant impact on the application of
personal data since its implementation on May 1, 2022.

One of the most notable changes brought about by the new law is the increased transparency and control for
individuals. The PDPL provides individuals with greater rights to access, correct, erase, and restrict the
processing of their personal data. Mongolian law also provides the right to data portability and objection to
automated decision-making. Another important area of impact is the enhanced data security. The PDPL
requires data controllers to implement appropriate technical and organizational measures to protect personal
data from unauthorized access, use, disclosure, alteration, or loss. They must maintain records of their data
processing activities and conduct risk assessments to identify and mitigate risks to personal data. The PDPL
also imposes compliance obligations on data controllers and processors. They must enter into contracts that
specify their respective roles and responsibilities. Certain organizations may also be required to appoint a
data protection officer, and data.

Personal data protection laws in Mongolia and Korea reveal that both countries have implemented Personal
Data Protection Laws (PDPLs) to regulate the handling of personal data within their respective jurisdictions.
Although they share similar goals of protecting individual privacy, there are also key differences in their scope,
specific provisions, and enforcement mechanisms.

The similarities between the two laws are that they grant individuals similar rights, including access,
rectification, erasure, restriction of processing, portability, and objection to automated decision-making. Both
laws also require data controllers to obtain informed consent from individuals before collecting or processing
their personal data, implement appropriate security measures to protect personal data from unauthorized
access, use, disclosure, alteration, or loss, and notify the relevant authorities and affected individuals in the
event of a data breach. Additionally, both laws require data controllers to comply with various obligations,
including recordkeeping, risk assessments, and data protection impact assessments.

The Mongolia PDPL and the Korea PDPL have some differences in their scope, definitions, consent
requirements, and enforcement mechanisms. The Mongolia PDPL applies to all organizations that process
personal data of individuals in Mongolia, while the Korea PDPL applies to all organizations that process
personal data of individuals in Korea, regardless of their location. Additionally, the Mongolia PDPL has a
broader definition of personal data, including sensitive data such as biometric data and political opinions,
whereas the Korea PDPL has a narrower definition, focusing on data that can be used to identify an individual.
The Mongolia PDPL requires opt-in consent for most processing activities, while the Korea PDPL allows for
opt-out consent in certain cases. In terms of enforcement mechanisms, the Mongolia PDPL has relatively
weak enforcement mechanisms, while the Korea PDPL has strong enforcement mechanisms, including
administrative fines and criminal penalties.
