I. Legal framework
Constitutional privacy framework
The Constitution of the Republic of Korea provides for the protection of secrecy and liberty of private life.1 Article 16 states, "All citizens are free from intrusion into their place of residence. In case of search or seizure in a residence, a warrant issued by a judge upon request of a prosecutor has to be presented."2 Article 17 states, "the privacy of no citizen shall be infringed."3 Article 18 states, "The privacy of correspondence of no citizen shall be infringed."4 In general, the government respects the integrity of the home and family.5
The protection of human rights in South Korea, including the right to a fair trial before an independent and impartial tribunal, is still in its infancy. It was only in November 2001 that the National Human Rights Commission of Korea was created to police the actions of the state in this context.6 The Commission has been beset with problems in fulfilling its role due to a lack of autonomy and political independence, as well as other structural problems.7
Data protection framework
South Korea has adopted a data protection regime similar to the United States and Japan, with one act covering the public sector and sectoral legislation for the private sector.8 The statute in the former category is the 1994 Act on the Protection of Personal Information Maintained by Public Agencies,9 which is generally applicable to the automated processing of personal data in the public sector, but not to manual records.10 This statute has a provision recommending that private entities respect the data protection principles in the statute, but it has no appropriate administrative or enforcement mechanism to that effect.11
The Act on the Protection of Personal Information Maintained by Public Agencies imposes an obligation on public agencies to maintain records of personal information databases and to report these databases to the Ministry of Government Administration and Home Affairs (MOGAHA), the ministry responsible for the Act.12 The MOGAHA publishes lists of these databases in an official journal, which is publicly available.13 In addition, the MOGAHA can request relevant information from the data holding entities and issue opinions on their data processing practices.14 A data subject has a right of access to, and correction of, personal information held by public agencies.15 The Act establishes a Data Protection Review Commission, under the Premier's Office, headed by the Vice-Minister of the MOGAHA, to recommend and review proposals on improving data protection policy.16
The Act has been criticized for its ineffectiveness.17 The MOGAHA has placed little emphasis on rigorous application of the legislation and reportedly has little will to uphold privacy versus administrative efficiency. In January 1999, the Act was amended to give even more power to the MOGAHA, streamline the procedure for access to personal information by data subjects, and limit exemptions to disclosure. However, there remains no independent oversight of government application of the Act.
Acts governing the collection, use and disclosure of personal information in the private sector include the Protection of Communications Secrets Act (1993) (a.k.a., "Anti-Wiretap Law");18 the Telecommunications Business Act (1991);19 the Medical Service Act (1973);20 the Real Name Financial Transactions and Secrecy Act (1997);21 the Use and Protection of Credit Information Act (1995);22 the Framework Act on Electronic Commerce (1999);23 and the Digital Signatures Act (1999).24
The Act on Promotion of Information and Communications Network Utilization and Data Protection (the Act),25 modeled after the German Online Service Data Protection Act of 1997,26 came into effect in 2000. The Act adopts common "fair information principles"27 and rules for the collection, use, and disclosure of personal data by "providers of information and communications services," such as common carriers, Internet service providers and other intermediaries, particularly content providers. The Act also covers specific off-line service providers such as travel agencies, airlines, hotels, and educational institutes.
The Act requires that "data users" seek consent from "data subjects" for the collection, use, and disclosure of data to a third party "beyond the notification as prescribed in the Act or the limit specified in a standardized contract for the utilization of the information and communication services."28 Data users should collect as little personal data as is necessary29 and are prohibited from collecting sensitive personal information, including ideology, faith and medical data without explicit consent of the data subject.30 However, consent is not required when it is necessary to give effect to a contract, adjust fees, or when the personal information is provided after having been rendered unidentifiable to the individual, such as for the compilation of statistics, academic research or market surveys.31 The Act allows the data subject to withdraw consent for the collection, use and disclosure of data at any time and requires the data user to comply, unless the preservation of such personal information is required by another Act. Further, every data subject has a right to access and correct his or her personal information.32
A data user must obtain consent from an appropriate legal guardian when collecting, using or disclosing personal information from children under 14, and may request appropriate minimum information of the guardian in order to effect that consent. A legal guardian has a right to access and correct the child's personal information. Upon receiving a guardian's request for correction, the data user must cease to use or disclose erroneous information until they have made the correction.33
The Act prohibits one from sending unsolicited commercial e-mail contrary to an addressee's explicit refusal of such e-mail.34 All unsolicited commercial e-mail must contain the word "Advertisement" in the subject line of every message and must contain opt-out instructions and contact information for the sender.35 Additionally, several direct marketers established the Association for the Improvement of the E-Mail Environment in early 2002 to help cope with the increasing number of unsolicited commercial e-mails in Korea.36
The government imposes criminal and administrative penalties for breaches of data protection principles. The processing of personal information without consent or beyond the scope of the purpose for which the collection was made attracts penalties of either up to one year in prison or a fine of KRW 10 million (USD 9,856).37 Data subjects may file damage claims for breaches of the Act with the Personal Information Mediation Committee or with a court. The onus is on the data user to prove either good faith intentions to comply, or non-negligence.38
There is significant overlap between the aforementioned act, the Framework Act on Electronic Commerce (FAEC) and the Digital Signatures Act (DSA). For this reason and others, some legal commentators have called for comprehensive reform.39 The FAEC requires data users to give data subjects sufficient information regarding the purpose of collection.40 Under the FAEC, the data user must obtain explicit consent from the data subject before collecting personal information, and is prohibited from using the personal information collected for inconsistent purposes.41 Additional requirements of the FAEC include appropriate security,42 and a right of access, correction or deletion.43 The DSA prohibits an individual from fraudulently using another person's private key or issuing a key.44 It also has data protection provisions45 similar to the Electronic Commerce Act and penalties equal to the Act on Promotion of Information and Communications Network Utilization and Data Protection.
The protection of personal information has become a critical issue in Korea, which now has the largest population of broadband Internet users in the world.46 In May 2005, the People's Solidarity for Participatory Democracy reported, based on a survey of 15 Internet portals, that most Korean Internet portals still require customers to provide a large amount of personal information, even their resident registration numbers (a 13-digit system whereby an individual's age, gender, place of birth and other private data are stored and tracked by the government), without clarifying how the personal data will be used and without obtaining their individual consent.47
The MIC introduced ‘i-PIN’ (Internet Personal Identification Number) to replace the use of the RRN (the Resident Registration Number) online. Unlike the RRN, the ‘i-PIN’ does not include personal information: the date of birth, birthplace, or sex. It is easily replaceable if individuals want to acquire a new number. However, few Internet websites and companies have accepted this alternative to date because of the added cost and burden of changing their systems' databases.48
In 2007, MOGAHA launched a month-long online campaign that allows Internet users to find and delete their resident registration numbers, Korea's version of social security numbers, if they are found circulating on the Web. Search programs operated by the Korea Information Service, the National Information and Credit Evaluation, and the Seoul Credit Rating and Information compiled lists of Web sites using an individual's identification number.49 Last year, law enforcement authorities found the resident registration numbers of more than 1.2 million people intercepted by hackers who sought to create fake accounts for online games.50
In December 2001, the MIC established the Personal Information Dispute Mediation Committee, as an alternative to civil litigation, to facilitate a prompt, convenient and appropriate settlement of data protection disputes.51 Members of the Committee, which includes lawyers, IT engineers, professors, consumer advocates and industry representatives, are appointed for three-year terms. Both data subjects and data users can initiate mediation, free of charge. The Committee first engages in informal fact-finding and makes non-binding recommendations for settlement. If parties cannot reach a settlement, they can begin formal mediation. If parties fail to reach a mediated settlement, they can pursue matters in a competent civil court. They can also bypass the Committee process altogether and go directly to court.52
The Korea Association of Information and Telecommunication (KAIT) has instituted a privacy trust mark for websites and other online businesses that satisfy appropriate data processing standards. Regarding personal information, qualified trust mark applicants provide notice and purpose of collection, use and disclosure. In addition, the applicants provide special treatment for children under 14, and offer remedies for data subjects.
In June 2004, the Korea Information Security Agency (KISA) found that many Korean Internet websites pose a threat to personal information privacy. The agency reported that thousands of websites that collect personal information about subscribers, including resident registration numbers, remain vulnerable to security breaches.53 To address this problem, KISA planned to conduct more investigations, levy administrative penalties on offending websites, and solicit feedback on privacy problems from users.
Beginning June 2007, Internet users are required to provide their real names and their Resident Registration Numbers before posting comments or uploading video or audio clips on bulletin boards.54 The proposed law is a response to the increasing number of libelous and fraudulent accusations made by Koreans about public figures, as well as cyber-bullying between schoolchildren. Researchers have suggested a link between the online comments and suicide levels, as well as increased physical confrontations. The Department for Education and Skills would issue guidelines to help parents and children understand the proper steps to take if they find themselves victims of cyber-bullying. At least 34 sites with more than 300,000 users are affected by the law.55
In November 2006, members of the Futures Forum for Korea in the Korean National Assembly attempted to arrive at an agreement on a proposal for a comprehensive privacy law. Since that time, none of the five proposed bills on privacy have been passed.56
- 1. Constitution of The Republic of Korea, Chapter II (Rights and Duties of Citizens), § 16; Section 9 further stating that "it shall be the duty of the State to confirm and guarantee the fundamental and inviolable human rights of individuals."
- 2. http://news.naver.com/news/read.php?mode=LSD&office_id=018&article_id=00...&section_id=102&menu_id=102
- 3. Korean Constitution, supra at § 17.
- 4. Id. at § 18.
- 5. http://www.state.gov/g/drl/rls/hrrpt/2006/78778.htm
- 6. http://www.humanrights.go.kr/eng/index.jsp
- 7. Asia Pacific Human Rights Network, "National Human Rights Commission of Korea: Miles To Go," September 2004.
- 8. C. Chung and I. Shin, "On-Line Data Protection and Cyberlaws in Korea" 27 Korean J. of Int'l and Comp. L. 21, 24 (1999).
- 9. Act No. 4734, last amended by Act No. 5715, January 29, 1999.
- 10. Id. at §§ 1, 2(3).
- 11. C. Chung and I. Shin, supra at 31.
- 12. Act No. 4734 § 6.
- 13. Id. at §§ 7-8.
- 14. Id. at §§ 18-19.
- 15. Id. at §§ 12, 16.
- 16. Act No. 4734 § 20.
- 17. C. Chung and I. Shin, supra at 21, 33.
- 18. Act No. 4650, last amended by Act No. 7138, January 29, 2004. Article 3 (Protection of Secrets of Communication and Conversation), paragraph 1 of this Act provides that "No person shall censor any mail, wiretap any telecommunications, provide the communication confirmation data, record or listen to conversations between others that are not made public, without recourse to this Act, the Criminal Procedure Act or the Military Court Act."
- 19. Act No. 4394, last amended by Act No. 7165, February 9, 2004.
- 20. Act No. 2533, last amended by Act No. 7148, January 29, 2004.
- 21. Act No. 5493, last amended by Act No. 7189, March 12, 2004.
- 22. Act No. 4866, last amended by Act No. 7110, January 29, 2004.
- 23. Act No. 5834, last amended by Act No. 6614, January 19, 2002.
- 24. Act No. 5792, last amended by Act No. 6585, December 31, 2001.
- 25. Act No. 5835, last amended by Act No. 7142, January 29, 2004.
- 26. Gesetz zur Regelung der Rahmenbedingungen für Informations und Kommunikationsdienste: IuKDG, Ch. 2.
- 27. http://www.oecd.org/document/20/0,2340,en_2649_34255_15589524_1_1_1_1,00...
- 28. Act No. 5835, § 16 (2).
- 29. Id. at § 16(1).
- 30. Id. at § 4.
- 31. Id. at 3. But see L. Sweeney, The Identifiability of Data, (forthcoming), discussing the ease of re-identifying ostensibly de-identified data.
- 32. Act No. 5835, § 18(2).
- 33. Id. at § 18(4).
- 34. Id. at § 19(3).
- 35. Id. at 5. Due to the volume of unsolicited commercial e-mails, the government is contemplating an amendment that would curtail distribution and punish senders. Further, the amendment proposes the addition of "Adult" or "Consent" in the subject line of each and every unsolicited commercial e-mail and punitive measures for senders who use false contact information or technologically hinder the tracing or deletion of such e-mails.
- 36. http://www.cyberprivacy.or.kr/inter.htm
- 37. Act No. 5835 at § 30. Additionally, § 32 imposes lesser administrative penalties of KRW 5 million for violations of other data protection principles.
- 38. Personal Information Dispute Mediation Committee of the Korea Information Security Agency, "Personal Data Protection in Korea," August 2002 at 4.
- 39. See C. Chung and I. Shin, supra at 42-43, citing the lack of an appropriate oversight authority as the major weakness of the Korean data protection regime; I. Kim, "A Study on the Data Protection Act" 26 Public Law 2 (June 1998) (in Korean); I. Lee, "Trends in the Korean Data Protection Legislation" Road to the Information Society (November 1999) (in Korean).
- 40. Act No. 5834, §§ 30-31.
- 41. Id. at § 13(2).
- 42. Id. at § 13(3).
- 43. Id. at § 13(4).
- 44. Act No. 5792, §§ 19-23.
- 45. Id. at § 24.
- 46. http://www.timesonline.co.uk/tol/news/world/asia/article2005592.ece
- 47. http://www.koreaherald.co.kr/archives/result_contents.asp?id=20050531004...
- 48. Email from Jongin Chang, University of Seoul, Korea, to Allison Knight, Research Director, Electronic Privacy Information Center, August 1, 2007 (on file with EPIC).
- 49. http://www.asiamedia.ucla.edu/article.asp?parentid=65654
- 50. Id.
- 51. Personal Information Dispute Mediation Committee of the Korea Information Security Agency, "Personal Data Protection in Korea," August 2002, at 8-9.
- 52. Id.
- 53. "Agency Says the Web is Quite a Leaky Place," JoongAng Daily, June 15, 2004.
- 54. Leo Lewis, supra.
- 55. Id.
- 56. Email from Jongin Chang, supra.