Structure and Enforcement of Data Privacy Law in South Korea

Abstract

South Korea’s data privacy law has evolved rapidly despite a short history of relevant legislation and enforcement. South Korea’s data privacy law has exceedingly stringent consent requirements. In addition to consent, there are many other statutory provisions with onerous requirements, arguably making the overall data privacy law regime one of the strictest in the world. South Korea’s data privacy law, in particular the Personal Information Protection Act, has a similar structure to the EU’s data privacy law. However, the overall legal regime and enforcement mechanisms for data privacy reveal South Korea’s unique characteristics and the weaknesses of its data privacy law. Both the governance regime and the enforcement powers are too fragmented to achieve consistent policy outcomes. Data privacy has gained greater public attention in recent years in South Korea and, perhaps reflecting this phenomenon, relevant laws and regulations have been amended frequently. A notable trend is to strengthen penalty provisions such as the maximum amount of administrative fine, now set at 3% of relevant sales revenue. It remains to be seen if heightened penalty provisions will meaningfully help to address data privacy concerns.