South Korea's innovations in data privacy principles: Asian comparisons

Abstract

Over the last two decades, at least a dozen Asian jurisdictions have adopted significant data privacy (or ‘data protection’) laws. South Korea started to implement such laws in relation to its public sector in the 1990s, then its private sector from 2001, culminating in the comprehensive Personal Information Privacy Act of 2011. Internationally, there have been two stages in the development of data privacy principles (the common core of such laws), the first typified by the OECD's data protection Guidelines of 1981, and the second typified by the European Union data protection Directive of 1995, with a third stage currently under development.This article analyses the privacy principles in this Korean law, focussing on those aspects that are innovative or offer a high level of protection in international terms, and demonstrates the extent of innovation and strength of the Korean law by comparison with data privacy principles in laws of other Asian jurisdictions. The principles in the Korean law are clearly the strongest in Asia, although this is not yet fully complemented on the enforcement side. A brief comparison is also made with proposed European Union and Council of Europe reforms. In some respects the Korean principles go beyond those currently found in European laws, and indicate that innovation in data privacy legislation no longer originates solely in Europe.