South Korea's innovations in data privacy principles: Asian comparisons

Computer Law and Security Review

Volumn 30, Issue 5, 2014, Pages 492-505

  Greenleaf, Graham ^a   Park, Whon Il ^b  

^a UNIVERSITY OF NEW SOUTH WALES   (Australia)

^b Kyung Hee University   (South Korea)

Author keywords

South Korea data privacy law Privacy principles Personal Information Protection Act 2011 Data breach International data flows Digital identity

Indexed keywords

ELECTRONIC DOCUMENT IDENTIFICATION SYSTEMS; INFORMATION DISSEMINATION; LAWS AND LEGISLATION;

COUNCIL OF EUROPE; DATA PRIVACY LEGISLATIONS; DATA PROTECTION; DATA PROTECTION DIRECTIVE; EUROPEAN UNION; PERSONAL INFORMATION; PRIVACY PRINCIPLE; PRIVATE SECTORS;

DATA PRIVACY;

EID: 85027925815     PISSN: 02673649     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.clsr.2014.07.011     Document Type: Article

References (60)

1. For those aspects, see Greenleaf Asian Data Privacy Laws, Ch 5.
2. These criteria are defined in Graham Greenleaf, " Scheherazade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories" (2014 forthcoming) J of L & Info Sc, at . http://ssrn.com/abstract¼2280877. The 103 laws are the 101 to which that article refers, plus new laws in the Dominican Republic (2013) and Brazil (2014).
3. Graham Greenleaf, " Scheherazade and the 101 Data Privacy Laws: Origins, Significance and Global Trajectories" (2014 forthcoming) J of L & Info Sc.
4. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (European Data Protection Directive) (1995) available at . http://eur-lex.europa.eu/LexUriServ/LexUriServ.do? uri¼CELEX:31995L0046:EN:HTML
5. Council of Europe Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Person al Data regarding supervisory authorities and transborder data flows, Strasbourg, 8.XI.2001, available at http://conventions.coe. int/Treaty/en/Treaties/Html/181.htm.
6. Graham Greenleaf, "The Influence of Euro pean Data Privacy Standards Outside Europe: Implications for Globalisation of Convention 108" (2012) 2(2) Intl Data Privacy L 68.
7. Personal Data Protection Act 2010 (Taiwan); Greenleaf Asian Data Privacy Laws, Ch 6;
8. Graham Greenleaf " Taiwan Revises its Data Protection Act" Privacy Laws & Business International Report, Nos. 108 & 109, 2010e11 http://ssrn.com/abstract¼ 1975631 (accessed 17 July 2013);
9. Graham Greenleaf and Hui-ling Ch en "Data Privacy Enforcement in Taiwan, Macau, and China" Privacy Laws & Business International Report, Issue 117, 11e13, June 2012, http://ssrn.com/abstract¼2118332 (accessed 17 July 2013).
10. Personal Data (Privacy) Or dinance CAP 486 (Hong Kong) http://www.hklii.hk/eng/hk/legis/ord/486/ (accessed 17 July 2013);
11. Greenleaf Asian Data Privacy Laws, Ch 4.;
12. Robin McLeish and Graham Greenleaf "Reform of Hong Kong's Privacy Ordinance After 15 Years " Priva cy Laws & Business International Report, Vol. 1, Issue 113, pp. 15e17, October 2011, http://ssrn.com/abstract¼ 1972669 (accessed 17 July 2013);
13. Graham Greenleaf and Robin McLeish "Hong Kong's Privacy Enforcement: Issues Exposed, Power s Lacking" Privacy Laws & Business International Report, Issue 116: 25e28, April 2012, http://ssrn.com/abstract¼ 2057294 (accessed 17 July 2013);
14. Graham Greenleaf "Country Studies: B.3 e Hong Kong" Comparative Study On Different Approaches To New Priv acy Challenges, In Particular In The Light Of Technological Developments, D. Korff, ed., European Commission, May 2010, http://ssrn.com/abstract¼2025550 (accessed 17 July 2013).
15. Personal Information Protection Act 2011 (South K orea); unofficial English translation by Whon-il Park ; http://koreanlii.or. kr/w/images/9/98/KoreanDPAct2011.pdf Greenleaf Asian Data Privacy Laws, Ch 5.;
16. Graham Greenleaf and Whon-il Park "Korea's New Act: Asia's Toughest Data Privacy Law " Privacy Laws & Business International Report, Issue 117, 1e6, June 2012, http://ssrn. com/abstract¼2120983 (accessed 17 July 2013).
17. Personal Data Protection Act 2005 (Act 8/2005) (Macau SAR) http://www.gpdp.gov.mo/cht/forms/lei-8-2005en.pdf (accessed 17 July 2013);
18. Greenleaf Asian Data Privacy Laws, Ch 9.;
19. Graham Greenleaf "Macao's EU-Influenced Personal Data Protection Act " Privacy Laws & Business International Newsletter, Vol. 96, pp. 21e22, Dec 2008http://ssrn.com/abstract¼ 2027852 (accessed 17 July 2013);
20. Graham Greenleaf and Hui-ling Chen "Data Privacy Enforcement in Taiwan, Macau, and China" Privacy Laws & Business International Report, Issue 117, 1 1e13, June 2012, http://ssrn.com/abstract¼2118332 (accessed 17 July 2013).
21. Act on the Protection of Personal Information 2003 (Act No. 57 of May 30, 2003) (Japan), ; Greenleaf Asian Data Privacy Laws, Ch 8.;
22. Graham Greenleaf " Country Studies e B5 Japan http://www.japaneselawtranslation.go. jp/law/detail/?id¼130&vm¼04&re¼02
23. (Information Privacy Protection in Japan)" Comparative Study on Different Approaches to New Privacy Challenges, in Particular in the Light of Technological Developments, D. Korff, ed., European Commission, May 2010, http://ssrn.com/abstract¼2025557
24. Personal Data Protection Act 2010 (No 710 of 2010) (Malaysia);
25. Greenleaf Asian Data Privacy Laws, Ch 11.;
26. Graham Greenleaf 'Malaysia: ASEAN's First Data Privacy Act in Force ' (2013) 126 Privacy Laws & Business International Report, 11e14, http://ssrn.com/abstract¼ 2404893 (accessed 12 May 2014).
27. Law on infor mation technology (No. 67/2006/QH11) (Vietnam), http://www.asianlii.org/vn/legis/laws/oit264/oit264.html (accessed 17 July 2013);
28. Law on Protection of Consumer's Rights (Law 59/2010/QH12 17/11/2010) http://ww w.asianlii.org/vn/legis/laws/pocrl5920101217112010393/; (accessed 17 July 2013) (Vietnam), ;
29. Greenleaf Asian Data Privacy Laws, Ch 13.;
30. Graham Greenleaf 'Vietnam's 2013 E-Commerce Decree Consolidates Data Privacy Protections ' (2013) 125 Privacy Laws & Business International Report, 22e24, (accessed 12 May 2014).
31. Information Technology (Reasonable Security Practices and procedures and sensitive personal data or information) Rules, 2011 (GSR 313(E) Dated 11 April 2011) (India) (accessed 17 July 2 013);
32. Greenleaf Asian Data Privacy Laws, Ch 15.;
33. Graham Greenleaf " Promises and Illusions of Data Protection in Indian Law" International Data Privacy Law, 2011: 47e69, Vol. 1, No 1.
34. Data Privacy Act of 2012 (Republic Act NO. 10173) http://www.gov.ph/2012/08/15/republic-act-no-10173/ (accessed 15 August 2013) (Philippines);
35. Greenleaf Asian Data Privacy Laws, Ch 12.;
36. Graham Greenleaf "ASEAN's 'New' D ata Privacy Laws: Malaysia, the Philippines and Singapore" Privacy Laws & Business International Report, Issue 116: 22e24, April 2012http://ssrn.com/abstract¼2049234 (accessed 17 July 2013).
37. PIPA Enforcement Decree (KoreanLII, transl. Whon-il Park) http://koreanlii.or.kr/w/images/d/d7/DPActenforceDecree.pdf accessed 23 February 2014. The Decree was issued 29 September 2011, is in force from 30 March 2012, and is the on ly one issued to December 2013.
38. Kuner, European Data Protection Law, p. 93.
39. Kuner, E uropean Data Protection Law, pgs. 73-74.
40. Personal Information Protection Commission (South Korea) Decision, ' Comments on Improvements of Privacy Policy of Google Inc.' , 11 June 2012, at http://www.pipc.go.kr/pds/news/120612.html
41. For a more detailed analysis, see Graham Greenleaf and Whon-il Park, ' Korean DPA Faults Google's TOS Changes: Global Privacy Implications?' , (2012) 119 Privacy Laws & Business International Report, pgs. 22e25 http://ssrn.com/abstract¼2186874 .
42. Whon-il Park, 'Data breach incidents ' (KoreanLII, in English, undated) http://koreanlii.o r.kr/w/index.php/Data-breach-incidents accessed 14 December 2013.
43. Kyung-Sin Park 'Paradox of trust: Korean Resident Registration Numbers ' (OpenNet blog, 28 May 2014) http://opennetkorea. org/en/wp/920 .
44. Kyung-Sin Park 'Paradox of trust '.
45. Kyung-Sin Park, ' It is Illegal for Telcos to Provide Identification Services' (in Korean) (Kyunghyuang Sinmun, 14 March 2013), http://m.blog.daum.net/ruru63/15972810 .
46. Kyung-Sin Park, 'Must Ban Collection of RRN s by Financial Institutions in Wake of 100 Million-people Data Breach' (in Korean) (Kyung-hyuang Sinmun, 12 February 2014) http://news. khan.co.kr/kh-news/khan-art-view.html? artid¼201402112046175&code¼990303
47. English summaries of all of these cases are in the Korean Personal Information Dispute Mediation Committee Cases at the AsianLII websitehttp://www.asianlii.org/kr/cases/KRPIDMC .
48. These examples are all from ' PIDMC cases: Noteworthy cases' (KoreanLII, transl. Whon-il Park, 2007- 11) http://koreanlii.or.kr/w/index.php/PIDMC-cases#Noteworthy-Cases .
49. These examples are all from 'PIDMC cases: Noteworthy cases ' (KoreanLII, trans. Whon-il Park, 2007 -11) http://koreanlii.or.kr/w/index.php/PIDMC-cases#Noteworthy-Cases .
50. Sung-Hey Park, 'South Korea's New Data Protection Act: Cross-Border T ransfer Issues Examined In Relation To The Outsourcing Clause And The Relevant Regulatory Framework' (2011) 11 WDPR 6.
51. K B Park ' New South Korean Amendments Include New Data Breach Notification Requirements, Expanded Data Protections' , (2012) BNA World Data Protection Report, referring to 2012 changes to the ICN Act (arts. 27-3, 48-3).
52. See the Korean Supreme Court decision discussed in Whon-il Park ' GS Caltex case' (KoreanLII, 2014) http://koreanlii.or.kr/w/index.php/GS-Caltex-case
53. and Whon-il Park 'Compensation for data breach' (KoreanLII, 2014) ].http://koreanlii.or.kr/w/index. php/Compensation-for-data-breach
54. To facilitate the recovery of damages incurred by the victims of phishing scams the Special Act on the Recovery of Financial Scam Damages via Electric Communications (Act No. 10477, effective 30 September 2011) provides for mandatory extinction of scam-related deposit claims and accelerated recovery of damages. Victims have only to report to the competent police station such ph one phishing to stop the payment of scam-related bank deposits: See Whon-il Park ' Phishing' (KoreanLII, 2014) http://koreanlii.or.kr/w/index.php/Phishing
55. PIDMC, 'Online servic e provider's failure of deletion of user's personal data on the Internet' (KoreanLII, trans. Whon-il Park) http://koreanlii.or.kr/w/index.php/PIDMC-cases-in-2010 accessed 22 February 2014.
56. Greenleaf, ' The Influence of European Data Privacy Standards Outside Europe: Implications for Globalisation of Convention 108' .
57. This summary is derived substantial ly from an early analysis in February 2012, by Christopher Kuner ' The European Commission's Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law ', (2012) Bloomberg BNA Privacy and Security Law Report, Febru ary 6 2012, pgs. 1e15, http://ssrn.com/abstract¼2162781 accessed 14 January 2014.
58. For a full discussion see Graham Greenleaf, ' A world data privacy treaty?: 'Globalisation' and 'Modernisation' of Council of Europe Convention 108' (Witzleb, Lindsay, Paterson and Rodrick (Eds) Emerging Challenges in Privacy Law: Comparative Perspectives Cambridge University Press, forthcoming 2014). Alternatively
59. see Graham Greenleaf, G ''Modernising' Data Protec tion Convention 108: A Safe Basis for a Global Privacy Treaty?' (2013) 29(4) Computer Law & Security Review.
60. For details on all of this section, see Whon-il Park ' South Korea's major financial institutions suffer data breach' , (2014) 127 Privacy Laws & Business International Report, pgs. 6e7.