|OVERVIEW||On March 29, 2011, South Korea adopted a new comprehensive privacy law (Act on the Protection of Personal Data, Law No. 10465) that applies to businesses and government agencies. Indeed, the Government estimates that the new law will apply data protection requirements to some 3.5 million public and private sector businesses and organizations. The law will take effect September 30, 2011.|
|ENACTED||March 29, 2011|
|GENERAL PRIVACY LAWS||Article 16 of the Korean Constitution.|
|PERSONAL DATA PROTECTION LAWS AND REGULATIONS||Act on Promotion of Information and Communications Network Utilization and Information Protection|
|TYPE OF DATA PROTECTED||Personal information, which means information concerning any living person that contains code, letters, voice, sound, and/or images and that allows for the possibility of that individual being identified by name and resident registration number (including information which, if not by itself, allows for the possibility of identification when combined with other information).|
|WORKPLACE PRIVACY LAWS||
The Act on Promotion of Information and Communications Network Utilization and Information Protection (APICNU) and the Protection of Communications Secret Law of 1993 both govern the monitoring of work emails.
Under the APICNU, Article 48, any person is prohibited from infiltrating information and communications networks without any justifiable access right or beyond the permitted access right.
Unless notice and express consent are obtained from the employees, monitoring of employee emails is likely to be viewed as a violation of Article 48 of APICNU. Even if the computers are owned by the employer, without notice and consent the employer is likely to be deemed to have gone beyond the permitted access right and to be in violation of Article 48.
Article 3 prohibits any person from censoring any mail, wiretapping any telecommunications, providing communication confirmation data, or recording or listening to conversations between others that are not made public. Emails are considered to be “telecommunications” under the Secrecy Act. Monitoring of emails under the Secrecy Act is permitted only if (1) the sender and receiver consent; (2) monitoring is protected under the Secrecy Act; or (3) monitoring is done pursuant to the Criminal Procedure Act or Military Court Act.
NOTE: The consent of the sender of an email received by the employee, or of the receiver of an email sent by the employee, is unlikely to be required: consent will likely be presumed in the case of work emails, as these are usually viewed as emails exchanged on behalf of the employer.
Employers should disclose how the monitoring will be done, the scope of the monitoring, etc.
|TRANSBORDER TRANSFERS||No legislation specifically requiring the registration of transborder transfers of personal data.|
|FINES AND SANCTIONS||
The Act contains some severe sanctions for privacy breaches:
Article 62 (Penal Provisions)
|OTHER PRIVACY LAWS AND REGULATIONS||
Acts governing the collection, use and disclosure of personal information in the private sector include: