On March 3, 2022, a new “Easy-to-Understand Manual on Consent for Personal Data Processing” (the “Manual”) and “Guideline for Writing Privacy Policies” (the “Guideline”) were published by the Personal Information Protection Committee of Korea (the “PIPC”). The PIPC is Korea’s central data privacy regulator for oversight and enforcement of personal data protection under the Personal Information Protection Act (the “PIPA”), Korea’s primary privacy statute governing the collection, use, disclosure, and other processing of personal information. The Manual and the Guideline warrant special attention from domestic and foreign corporations doing business in Korea, because they present a new set of criteria by which the PIPC may determine compliance with applicable privacy laws and regulations.

1. Overview

With digital transformation pervading all industries and the concomitant proliferation of personal data processing, the notion of “consent” has become complex, dynamic, and ambiguous. The PIPC’s 2021 Personal Data Protection Survey revealed that 34.9% of data subjects do not care to read or even glance at a service provider’s privacy policy, because they believe they have no choice but to agree to it in order to access and use the services. Data subjects feel that their consent is taken for granted, and thus feel vulnerable, powerless, and incapable of challenging any or all of a service provider’s privacy policies.

The Manual and the Guideline have thus been introduced to provide domestic and foreign businesses (“data controllers”) with step-by-step guidance for drafting their personal information management policies in accordance with Article 30 of the PIPA and Article 31 of the Enforcement Decree of the PIPA, and to ensure, by proposing specific case scenarios, that such privacy policies are not merely formal but are written to adhere to the personal data protection principles under Article 3 of the PIPA. By specifying how a privacy policy should be written and made available to the public, the Manual and the Guideline intend to increase the transparency of personal data processing, with the ultimate goal of safeguarding the fundamental right of consumers (“data subjects”) to control how their personal information is used and processed.

2. Key Components of the Manual: Four principles for data controllers to follow when obtaining consent

The PIPA requires a specific and legitimate basis for the processing of personal information, the most representative being a data subject’s consent. In principle, a data subject’s express consent is required to process any of their personal information. Accordingly, to obtain such consent, a data controller is required under the PIPA to notify the data subject of: (i) the person (or entity) to whom the personal information will be furnished; (ii) the purpose of use of the personal information by the receiving person (or entity); (iii) the types of personal information to be furnished; (iv) the time period during which the person (or entity) will possess and use the personal information; and (v) their right to refuse to consent and the consequences of refusal.

(1) Minimization of Data Collected

A data controller bears both a legal and moral responsibility to a data subject to: clarify the purpose for managing their personal information, lawfully collect the personal information, and limit the information collection to the minimum extent necessary to achieve such purpose. In other words, a data controller must manage the data subject’s personal information so as to minimize the infringement of the data subject’s privacy as much as possible.

While one consent form may be used, separate consents must be obtained for each type of processing activity (e.g., collection, use, third-party provision) and each type of personal information (e.g., unique identification information, geolocation information, biometrics information). For instance, a data subject’s contact information may consist of several individual pieces of information, and the data subject must be notified of the purpose of collection of each such piece of information, and only the minimum necessary extent of such information may be collected and processed for such purpose. The burden of proof is on data controllers to demonstrate that the extent of personal information collected, processed, and/or provided to a third party is proportionate to the purpose for which it is required.

Data controllers must also delineate and fix the list of third-party recipients with whom the personal information will be shared, and the scope of that list cannot be left open to subsequent expansion through terms such as “etc.”.

(2) Transparency

A data controller shall provide a clear, unequivocal notice to data subjects of the details of how their personal information is being used and/or will be used, and obtain their consent to the following matters before their personal information is collected and used: (i) the purpose of the collection and use; (ii) the items of personal information that will be collected; (iii) the duration of the possession and use of the personal information; and (iv) the fact that the data subject has a right to refuse to give consent and the negative consequences or disadvantages that may result due to any such refusal.

When obtaining consent in writing, these matters (i.e., (i)-(iv) above) must be clearly indicated so that they are easy to recognize. In particular, the important parts of a written consent form must be set in a font at least 20% larger than the rest of the font used in the form, and in no case smaller than 9 points. When obtaining consent in electronic documents, such as on websites and mobile apps, the original version must be in at least a 9-point font.