On March 3, 2022, Korea’s central data privacy regulator, the Personal Information Protection Commission (the “PIPC”) published the so-called “Easy-to-Understand Handbook on Consent for Personal Data Processing” (the “Handbook”) and the “Guidelines for Writing Privacy Policies” (the “Guidelines”).
1. Background
Regulations under the Personal Information Protection Act (the “PIPA”) not only affect consumers (data subjects), but also have practical significance and consequences for businesses (data controllers). However, many have pointed out that obtaining a data subject’s consent to process his/her personal data often does not occur properly as required under the PIPA, and that companies often write privacy policies that are overly formal.
To respond to such concerns, the PIPC has published the Handbook and the Guidelines, in which the PIPC focused on reflecting personal data protection principles and guaranteeing data subjects’ rights.
2. Key Aspects of the Handbook on Consent for Personal Data Processing
Need for data controllers to improve how to obtain data subjects’ consent
A data subject’s consent to the use and processing of his/her personal data is the most significant means for a data subject to exercise his/her right to self-determination under the Korean Constitution and to control how his/her personal data is processed. However, questions have been consistently raised over the effectiveness of such consent, due to how data controllers obtain it. Specifically, concerns have been raised that the scope of personal data for which data controllers ask for consent is excessive or overly broad, and that the process of obtaining a data subject’s consent is often too formal.
Four principles for data controllers to follow when obtaining consent
In response, the PIPC has specified the following four principles that data controllers should follow when obtaining a data subject’s consent to process his/her personal data.
- Minimize the scope of necessary personal data: Data controllers should not ask for a broad consent from data subjects, anticipating the data controllers’ future business expansion or needs. Instead, data controllers should receive consent to process the minimum necessary scope of personal data that is necessary at the time of requesting/obtaining consent.
- Provide clear notice to data subjects on the details of what his/her consent means: Data controllers should provide clear notice to data subjects on who will process his/her personal data and the details of how his/her personal data will be processed. This is so that data subjects can make informed decisions on whether to give consent, considering the specific circumstances.
- Confirm the data subject’s actual intent to provide his/her consent: Data controllers should write the details of the consent in plain language that is easy for the data subject to understand. In this way, the consent allows data controllers to confirm that the data subject actually understands to what he/she is consenting. For example, when obtaining consent to the processing of personal data online, data controllers should make sure that the “I Agree” checkbox is not pre-checked by default. Also, important aspects of the consent, such as the retention period,1 should be made easier for data subjects to read. Specifically, the important aspects must be in a font size at least 20% bigger than the rest of the text contained in the consent form, and the font used to highlight the important aspects must be at least 9 points.
- Guarantee the data subject’s right of choice: Data controllers should not refuse to provide goods or services, or otherwise disadvantage a data subject, when the data subject refuses to consent to the data controller’s processing of his/her personal data beyond the minimum scope necessary to use the company’s (data controller’s) services. For instance, if the data subject (consumer/end user) cannot proceed to the next page of the company’s (data controller’s) website unless he/she consents to the data controller processing his/her personal data beyond the minimum scope necessary, then the data subject’s consent cannot be deemed to constitute proper consent.
3. Privacy Policy Writing Guidelines: Key Aspects
Under the PIPA, data controllers must prepare and publish details concerning personal data processing in the privacy policy to enhance the transparency of personal data processing. However, the 2021 Personal Data Protection Survey conducted by the PIPC revealed that only 36.1% of data subjects actually read a company’s privacy policy in detail. Since most data subjects do not read a company’s (data controller’s) privacy policy, many have indicated that there are limits to guaranteeing data subjects’ rights (e.g., because the wording is too complicated to understand, or because the privacy policy is too formal).
Improvements to the PIPC’s Guidelines on writing privacy policies
To address these issues, the PIPC has made several improvements to the Guidelines. These improvements include:
- Recommendation for including important matters: The Guidelines specify the matters that must be included in a company’s privacy policy under the personal data protection laws and regulations, and those matters that are merely recommended to be included. Additionally, the Guidelines specify which matters on the “recommended to be included” list are important to include, even though they are not required under the personal data protection laws and regulations. These include the international transfer of personal data, consent by children under the age of 14, and the urgent processing of personal data.
- Recommendation to label key matters: The Guidelines also recommend that a summary of the important matters contained in the company’s privacy policy be labeled at the top of the privacy policy, or that such matters otherwise be indicated next to each important provision of the privacy policy. This is so that a data subject can easily recognize the key aspects of the company’s privacy policy.
- Guidelines for each type of business/entity: In addition to the general provisions, the Guidelines also provide considerations that are specific to the characteristics of each type of business or entity (e.g., medical services, private educational institutions, travel-related businesses, and public institutions). In this way, data controllers across a wide range of businesses may be given more business-specific and relevant guidance.
4. Implications
In 2020, the PIPC was established as the central data privacy regulator to oversee personal data protection, following the amendments to the so-called “Three Major Data Privacy Laws.”2 Since its establishment, the PIPC has pushed for reform of personal data protection regulation, and the publication of the Handbook and the Guidelines is part of such reform efforts.
The processing of personal data without the proper consent of the data subject or the failure to create and publish a legitimate privacy policy may subject the relevant data controller (company) to administrative sanctions by the PIPC. As such, it is necessary for a company to obtain proper consent and to write proper privacy policies.
Also, it should be noted that prior to publishing the Handbook and the Guidelines, in September 2021, the PIPC submitted a bill to amend the PIPA (the “second PIPA amendment bill”) to the National Assembly. This was part of the PIPC’s efforts to improve the requirements for collecting personal data by relaxing the consent requirements where personal data is collected to execute a contract with a data subject.3 The PIPC also added a provision to the bill, under which “the PIPC may assess the appropriateness of the privacy policy, such as compliance with the Guidelines, and recommend improvements [in the Guidelines], based on the [PIPC’s] assessment.”4
5. Conclusion / Recommendation
Since it is not yet known whether the PIPC’s current regulatory reform efforts will lead to a tightening or a relaxing of personal data protection regulations, it is necessary to monitor personal data protection regulations and to prepare appropriate response measures.
The publication of the Handbook and the Guidelines will serve as an opportunity to review a company’s consent procedures for personal data processing and its privacy policy. Moreover, special attention should be paid to the Guidelines, since the PIPC may use them as criteria to determine the compliance of a company’s privacy policy if the National Assembly passes the bill to amend the PIPA.
1 Other examples of “important aspects” of a consent that should be made easier to read include the fact that a data subject’s personal data may be used to advertise or solicit goods or services to the data subject, or the recipients of the data subject’s sensitive or personally identifiable information.
2 The PIPA, the Network Act, and the Credit Information Act.
3 Article 15(1)(iv) of the proposed draft of the second PIPA amendment bill.
4 Article 30-2 of the second PIPA amendment bill.
About Shin & Kim
Shin & Kim’s data protection and security experts provide comprehensive advice on personal information protection and data security based on our in-depth experience in the relevant areas, including data protection regulations of Korea and other countries, such as Korea’s Personal Information Protection Act (“PIPA”) and the EU GDPR, responding to personal information leakage, establishing a personal information protection/data privacy compliance system, among others. In particular, our professionals have advised numerous public and private sector clients, performing leading roles in the amendments to Korea’s “Three Major Data Privacy Laws” and its subordinate regulations. Our team of experts continues to advise numerous private sector clients, both domestic and foreign, in their efforts to improve their data protection and compliance systems.
Should you have any questions or comments on the contents of this newsletter, or if you wish to further discuss the Handbook or the Guidelines, please do not hesitate to contact us.
[Korean version] The Personal Information Protection Commission publishes the Handbook on Consent for Personal Data Processing and the Guidelines for Writing Privacy Policies