Hello. This is Attorney Lee Young-kyung from Cheongchul Law Firm.

Today, I would like to analyze in detail the main contents and practical implications of the amended Personal Information Protection Act, which will take effect from September 15, 2024, based on the press release from the Personal Information Protection Commission dated September 12, 2024.

1. Background of the Amendment and Key Changes

The Personal Information Protection Commission has implemented meaningful legal amendments to improve the long-standing practice of 'mandatory consent.' For about 20 years since the amendment of the Telecommunications Network Act in 1999, online service providers have been required to obtain consent from data subjects to provide services, and data subjects were unable to use services if they did not consent. In the public and offline sectors, since the enactment of the Personal Information Protection Act in 2011, the practice of mandatory consent has continued for entering and fulfilling contracts, except in 'inevitable cases.'

This practice has caused two significant problems. First, companies had to obtain separate consent even for personal information that was clearly necessary for fulfilling service contracts. Second, a side effect occurred where the responsibility for processing personal information was passed onto the data subjects through a formal consent procedure.

2. New Personal Information Processing Standards Under Article 15 of the Amended Law

The key aspect of this amendment is to clarify the legal grounds for processing personal information. According to Article 15 of the law, personal information can be collected and used without the consent of data subjects in the following cases:

-       When necessary for entering and fulfilling contracts with data subjects

-       When necessary for complying with legal obligations

-       When necessary for protecting the life, body, or property of data subjects or third parties

-       When necessary for achieving the legitimate interests of the personal information processor (only if it prevails over the rights of the data subject)

Notably, if consent is requested in a way that contradicts the free will of the data subject or if the contents of the consent are not clearly communicated, it will not meet the legal requirements of Article 15.

3. Detailed Standards for Provision to Third Parties

The amended law provides the following detailed criteria for the provision of personal information to third parties:

(1) Provision for the Purpose (Article 17 of the Law)

If providing to a third party is inevitable for the fulfillment of a contract, relevant facts can be disclosed and mandatory consent can be obtained.

Example: Providing delivery service information to a courier for an online shopping mall

(2) Provision for Other Purposes (Article 18 of the Law)

Separate consent is required, and the substantial choice of the data subject must be guaranteed.

Example: Providing customer information for affiliate marketing

(3) Cases of Additional Provision Without Consent (Article 14-2)

If the additional provision is reasonably related to the original purpose of collection, does not disadvantage the data subject, and is within a predictable range, it can be provided without additional consent.

4. Specific Compliance Requirements When Obtaining Consent

Article 17, Paragraph 1 of the Enforcement Decree of the amended Personal Information Protection Act clearly outlines the principles that must be met when obtaining 'consent' from data subjects. This is consistent with existing Supreme Court rulings, indicating its incorporation into the law.

▸ The data subject must be able to determine whether to consent based on free will

▸ The content for which consent is sought must be specific and clear

▸ Language that is easy to read and understand must be used

▸ A method that allows the data subject to clearly indicate their consent must be provided

5. Processing of Sensitive Information and Unique Identifiers

In cases where sensitive information or unique identifiers (excluding resident registration numbers) must be processed due to the nature of the service, the following standards apply:

If the information is essential for the execution of a contract or the provision of services, explicit separate consent is required.

Example: Processing passport numbers for issuing airline tickets, processing driver's license numbers for rental car services

However, processing may be permitted without consent when based on legal grounds

6. Future Response Directions

As the system for collecting and using personal information under the Personal Information Protection Act changes from a 'consent' basis to a 'trust' basis, significant confusion is expected on the ground. Therefore, the Personal Information Protection Commission plans to provide more detailed guidelines through the 'Integrated Guide for Personal Information Processing' by the end of 2024. Companies and personal information processors will need to continuously monitor the application cases of the law by the relevant authorities under the amended Personal Information Protection Act.

Cheongchul Law Firm has extensive experience and expertise related to consulting on the Personal Information Protection Act and related cases. If you have concerns regarding such cases, please feel free to contact us.