The Constitutionof the Republic of Korea provides for the protection of secrecy and liberty of private life. Article 16 states, "All citizens are free from intrusion into their place of residence. In case of search or seizure in a residence, a warrant issued by a judge upon request of a prosecutor has to be presented."[2400] Article 17 states that "the privacy of no citizen shall be infringed."[2401] Article 18 states, "The privacy of correspondence of no citizen shall be infringed."[2402] In general, the government respects the integrity of the home and family.[2403]
South Korea has adopted a data protection regime similar to the United States and Japan, with one act covering the public sector and sectoral legislation for the private sector.[2404] The statute in the former category is the 1994 Act on the Protection of Personal Information Maintained by Public Agencies,[2405] which is generally applicable to the automated processing of personal data in the public sector, but not to manual records.[2406] This statute has a provision recommending that private entities respect the data protection principles in the statute, but it has no appropriate administrative or enforcement mechanism to that effect.[2407]
The Act on the Protection of Personal Information Maintained by Public Agencies imposes an obligation on public agencies to maintain records of personal information databases and to report these databases to the Ministry of Government Administration and Home Affairs (MOGAHA), the ministry responsible for the Act.[2408] The MOGAHA publishes lists of these databases in an official journal, which is publicly available.[2409] In addition, the MOGAHA can request relevant information from the data holding entities and issue opinions on their data processing practices.[2410] A 'data subject' has a right of access to and correction of personal information held by public agencies.[2411]
The Act establishes a Data Protection Review Commission, under the Premier's Office, headed by the Vice-Minister of the MOGAHA, to recommend and review proposals on improving data protection policy.[2412]
The Act has been criticized for its ineffectiveness.[2413] The MOGAHA has placed little emphasis on rigorous application of the legislation and reportedly has little will to uphold privacy versus administrative efficiency. In January 1999, the Act was amended to give even more power to the MOGAHA, streamline the procedure for access to personal information by data subjects, and limit exemptions to disclosure. However, there remains no independent oversight of government application of the Act.
Acts governing the collection, use and disclosure of personal information in the private sector include the Protection of Communications Secrets Act(1993);[2414] the Telecommunications Business Act(1991);[2415] the Medical Service Act(1973);[2416] the Real Name Financial Trade and Secrecy Act;[2417] the Use and Protection of Credit Information Act (1995);[2418] the Framework Act on Electronic Commerce(1999);[2419] and the Digital Signatures Act (1999).[2420]
As early as 1997, legislators and academics proposed a general privacy law for the private sector.[2421] However, the government proposed and later adopted a narrower alternative that targeted only the information and telecommunications industries. The Act on Promotion of Information and Communications Network Utilization and Data Protection,[2422] modeled after the German Online Service Data Protection Act of 1997,[2423] came into effect in 2000. The Act adopts common "fair information principles"[2424] and rules for the collection, use, and disclosure of personal data by "providers of information and communications services," such as common carriers, Internet service provider and other intermediaries, particularly content providers. The Act also covers specific off-line service providers such as travel agencies, airlines, hotels, and educational institutes.
The Act requires that "data users" seek consent from "data subjects" for the collection, use, and disclosure of data to a third party "beyond the notification as prescribed in the Act or the limit specified in a standardized contract for the utilization of the information and communication services."[2425] Data users should collect as little personal data as is necessary[2426] and are prohibited from collecting sensitive personal information, including ideology, faith and medical data without explicit consent of the data subject.[2427] However, consent is not required when it is necessary to give effect to a contract, adjust fees, or when the personal information is provided after having been rendered unidentifiable to the individual, such as for the compilation of statistics, academic research or market surveys.[2428]
The Act allows the data subject to withdraw consent for the collection, use and disclosure of data at any time and requires the data user to comply unless the preservation of such personal information is required by another Act. Further, every data subject has a right to access and correct his or her personal information.[2429]
A data user must obtain consent from an appropriate legal guardian when collecting, using or disclosing personal information from children under fourteen, and may request appropriate minimum information of the guardian in order to effect that consent. A legal guardian has a right to access and correct to the child's personal information and upon receiving a guardian's request for correction, the data user must cease to use or disclose erroneous information until they have made the correction.[2430]
The Act prohibits one from sending unsolicited commercial e-mail contrary to an addressee's explicit refusal of such mails.[2431] All unsolicited commercial e-mails must contain the word "Advertisement" in the subject line of each and every message and must contain opt-out instructions and contact information for the sender.[2432] Additionally, several direct marketers established the Association for the Improvement of the E-Mail Environment in early 2002 to help cope with the increasing number of unsolicited commercial e-mails problem in Korea.[2433]
The government imposes criminal and administrative penalties for breaches of data protection principles. The processing of personal information without consent or beyond the scope of the purpose for which the collection was made attracts either penalties of up to one year in prison or a fine of WON10 million.[2434] Data subjects may file damage claims for breaches of the Act with the Personal Information Mediation Committee or with a court. The onus is on the data user to prove either good faith intentions to comply, or non-negligence.[2435]
There is significant overlap between the aforementioned act and the Framework Act on Electronic Commerceand the Digital Signatures Act. For this reason and others, some legal commentators have called for comprehensive reform.[2436] The Framework Act on Electronic Commerce (FAEC) requires data users to give data subjects sufficient information regarding purpose of collection to give informed consent.[2437] Under this act, the data user must obtain explicit consent from the data subject prior to collecting personal information and is prohibited from using the personal information collected for inconsistent purposes.[2438] Additional requirements of the FAEC include appropriate security,[2439] and a right of access, correction or deletion.[2440] The Digital Signatures Act(DSA) prohibits an individual from fraudulently using another person's private key or issuance of a key.[2441] It also has data protection provisions[2442] similar to the Electronic Commerce Act and penalties equal to the Acton Promotion of Information and Communications Network Utilization and Data Protection.
In October 2000, the MIC proposed a cyber-crime prevention system to combat an increase in fraud, gambling, and privacy intrusion on the Internet. The system would establish a monitoring network, a cyber conflict coordination committee, and damage control centers.[2443] In March 2001 the MIC announced that it would invest WON277.7 billion (around USD237 million) over the next five years to develop the country's information security industry, including public-key infrastructure, biometrics, and high-density/high speed ciphers.[2444]
In December 2001, the MIC established the Personal Information Dispute Mediation Committee, as an alternative to civil litigation, to facilitate a prompt, convenient and appropriate settlement of data protection disputes.[2445] Members of the Committee, which includes lawyers, IT engineers, professors, consumer advocates and representatives from industry, are appointed for three year terms.
Both data subjects or data users can initiate mediation, free of charge. The Committee first engages in informal fact-finding and makes non-binding recommendations for settlement. If parties cannot reach a settlement, they can begin formal mediation. If parties fail to reach a mediated settlement, they can pursue matters in a competent civil court. They can also bypass the Committee process altogether and go directly to court.[2446]
The Korea Association of Information and Telecommunication (KAIT) has instituted a privacy 'trust mark' for web sites and other online businesses that satisfy appropriate data processing standards. Regarding personal information, qualified trust mark applicants provide notice and purpose of collection, use and disclosure. In addition, the applicants provide special treatment for children under fourteen, and offer remedies for data subjects.
Extending the doctrine of privacy law, Korean courts have tacitly recognized a "right of publicity," an individual's right to control the commercial use of his or her identity.[2447]
Plaintiffs in invasion of privacy and defamation tort cases have the burden of proving that both the facts and the standard for the action are met.[2448] If successful, plaintiffs are entitled to compensatory relief for damages resulting from as little as "hurt feelings."[2449] Putative damages, however, are unavailable.[2450] Actions related to the right of privacy or defamation are rarely brought before Korean courts due to the cultural dislike against bringing private matters into such a public forum.[2451]
In an attempt to resolve the tension between the right of privacy and the constitutionally protected "freedom of speech and press"[2452] or "freedom of the arts,"[2453] Korean courts have held that "a decedent's right of privacy should be recognized only if his personal honor would be severely injured."[2454] In another case, a Seoul court found that five female university students were entitled to damages when a Newsweek photographer published a photo of them at school without their permission in conjunction with an unfavorable accompanying article.[2455]
State security services have a history of conducting surveillance of political dissidents. The Korean Government designed the Protection of Communications Secrets Actof 1993 and the reform of the National Intelligence Service (NIS, formerly known as the National Security Planning Agency) to curb the government surveillance of civilians. According the US Department of State, these measures "appear to have succeeded."[2456]
The Protection of Communications Secrets Actlays out broad conditions under which the monitoring of telephone calls, mail, and other forms of communication are legal.[2457] This Act requires government officials to secure a judge's permission before placing wiretaps, or, in the event of an emergency, soon after placing them. The Act also provides jail terms for persons who violate this law. Some human rights groups argue that a considerable amount of illegal wiretapping, shadowing, and surveillance photography still occurs, and they assert that the lack of an independent body to investigate whether police have employed illegal wiretaps hinders the effectiveness of the anti-wiretap law.
The NIS has been under attack due to alleged illegal wiretapping. Politicians of the opposition Grand National Party (GNP) charged that the NIS illegally wiretapped conversations during their election campaigns.[2458] The GNP plans to introduce a bill in September, 2003 that would disband the NIS and form a new agency whose sole focus would be foreign intelligence.[2459]
Under previous administrations, there were widespread surveillance and wiretapping abuses by intelligence and police officials. In October 1998, President Kim Dae-jung ordered a full-scale probe into illegal wiretapping. Rep. Kim Hyong-o of the opposition Grand National Party ("GNP") stated that he believed that over 10,000 taps were actually placed in 1998.[2460] The government proposed amendments to the Telecommunications Law in November 1999 that would allow victims of illegal wiretapping to sue in court, limit the number of crimes for which wiretapping is allowed, and provide for notice to targets of wiretapping. The government set up a wiretapping complaint center under the MIC in October 1999.[2461] The United Nations Human Rights Commission heard testimony on Korean wiretapping at its meeting in October 1999.[2462]
In 1998, several opposition legislators broke into the NIS liaison office in the National Assembly and removed documents that they claim substantiated allegations that the NIS was conducting surveillance of Assembly members.[2463] The members further alleged that their homes, offices, and cellular telephones were tapped. These members called for either tightening or abolishing a provision in the existing law that allows government officials to obtain retroactive judicial permission to monitor a conversation (especially a cellular telephone call) in the event of an emergency.[2464]
According to statistics released by the MIC in 2001, the number of wiretapping cases conducted by prosecutors and police in the computer communications field stood at 224, up 23.8 percent from a year earlier. In particular, the number of cases in which communications service providers rendered assistance to investigators' wiretapping increased 222.3 percent from 1,075 to 3,465. Eavesdropping on wired and wireless telecommunications decreased 26.4 percent from 3,234 in 1999 to 2,380 in 2000, but cases of telecom operators providing data on communications to authorities such as subscriber names, addresses and communications records increased 3.9 percent from 154,390 to 160,485 during the period.[2465]
Fresh on the heels of similar developments in Hong Kong, the MIC stated in December 2001 that mobile service providers have been neglecting rules regarding user privacy and that companies need to clarify their legal obligations with respect to subscriber privacy. The MIC is proposing a measure to require mobile phone companies to require location detecting technology in their phones.[2466] The measure would allow mobile service providers to offer location information to third parties under specific conditions.[2467] Privacy advocates are concerned about the proposed measure, particularly because Korean mobile service providers have a bad track record of protecting consumer information. Most recently, provider Korea Telecom Freetel (KTF) admitted a data leak occurred when an Internet site revealed the exact location of KTF subscribers with GPS enhanced mobile phones.[2468]
Amnesty International reports that the Korean government continued to require released political prisoners to report regularly to the police under the Social Surveillance Law.[2469] According to the US State Department, under the National Security Law, it is forbidden for South Koreans to listen to North Korean radio in their homes or read books published in North Korea if the government determines that they are doing so to help North Korea. However, in 1999 the government made it legal for South Koreans to view North Korean satellite telecasts in their private homes. The government also allows the personal perusal of North Korean books, music, television programs, and movies as a means to promote understanding and reconciliation with North Korea. Student groups make credible claims that government informants are posted on university campuses.[2470]
The Act Relating to Use and Protection of Credit Information of1995 protects credit reports.[2471] In July 2001, three large credit card companies were fined under this law. The companies were found to have disclosed personal information on their customers (including bank account numbers, pay levels and credit card transaction records, and customer identifiers such as names, addresses, phone numbers and resident-registration numbers) to insurance companies without giving notice to their customers or obtaining their consent in advance.[2472] Postal privacy is protected by the Postal Services Act.[2473]
Since January 2002, Korea has maintained a DNA database of missing children.[2474] Registry in the database is voluntary, and it is available to parents and children in orphanages.[2475] The Supreme Public Prosecutor's Office (SPPO) analyses the samples, and the information is stored in a database maintained by Biogrand, a private company.[2476] Privacy advocates are concerned by the fact that the SPPO, an office engaged in criminal prosecutions, collects the DNA samples.[2477] The SPPO maintains that they do not have access to personally identifiable information aside from age and sex when they receive a DNA sample, and that the database's use is strictly for family relationships.[2478] Privacy advocates are nevertheless wary because there are no specific laws that address DNA information.[2479] As such, there is the potential for abuse and extending the database's function.
The Act on Disclosure of Information by Public Agenciesis a freedom of information act that allows Koreans to demand access to government records. It was enacted in 1996 and went into effect in 1998. The Supreme Court ruled in 1989 that there is a constitutional right to information "as an aspect of the right of freedom of expression, and specific implementing legislation to define the contours of the right was not a prerequisite to its enforcement."[2480]
On November 25, 2001, South Korea created the National Human Rights Commission (NHRC) to independently investigate human rights violations, including privacy violations, and offer remedies when applicable.[2481] The NHRC is comprised of eleven Commissioners and 167 staff, and in 2002 they received 3,593 complaints.[2482]
In March 2003, the Korean Ministry of Education and Human Resources launched the operation of the National Education Information System (NEIS), a nationwide database that links the information of over 10,000 school and education agencies.[2483] The purpose of the NEIS is to enable schools to share education information with each other.[2484] Various organizations opposed the implementation of the NEIS due to the threat that the system poses on the privacy of students and teachers, including the National Teacher's Union, who organized a strike.[2485] Furthermore, the National Human Rights Commission recommended that the Ministry of Education abandon maintaining three categories of information (school management information, student academic records, and health and enrollment records) within the NEIS, determining that both the Ministry lacked the legal foundation to implement NEIS in this manner, and the threat that the system posed to privacy was significant.[2486] As a result of the opposition, the government decided that they would rethink the NEIS after gathering more information.[2487]
South Korea is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.