Jump to ContentJump to Main Navigation
Bulk CollectionSystematic Government Access to Private-Sector Data$

Fred H. Cate and James X. Dempsey

Print publication date: 2017

Print ISBN-13: 9780190685515

Published to Oxford Scholarship Online: October 2017

DOI: 10.1093/oso/9780190685515.001.0001

Show Summary Details
Page of

PRINTED FROM OXFORD SCHOLARSHIP ONLINE (www.oxfordscholarship.com). (c) Copyright Oxford University Press, 2019. All Rights Reserved. An individual user may print out a PDF of a single chapter of a monograph in OSO for personal use. date: 11 December 2019

Systematic Government Access to Private-Sector Data in the Republic of Korea

Systematic Government Access to Private-Sector Data in the Republic of Korea

Chapter:
(p.287) 14 Systematic Government Access to Private-Sector Data in the Republic of Korea
Source:
Bulk Collection
Author(s):

Sang Jo Jong

Publisher:
Oxford University Press
DOI:10.1093/oso/9780190685515.003.0014

Abstract and Keywords

This chapter examines the statutory grounds for governmental access to private-sector data in Korea. It focuses on issues such as the circumstances under which access is allowed without a warrant and how unjustified government access can take place in practice. Systematic government access to private-sector data can take place through warrants issued by a court. Notably, due to the unique truce situation, under which the Republic of Korea is technically still at war with North Korea, Korean authorities are sometimes allowed to obtain private-sector data without warrants, for national security purposes. This chapter examines the statutory grounds for governmental access to private-sector data in Korea, focusing specifically on issues such as the circumstances under which access is allowed without a warrant and how unjustified government access can take place in practice.

Keywords:   Korean Constitution, privacy, personal information, law enforcement agencies, wiretapping, voluntary disclosure

I. Abstract

This chapter examines the statutory grounds for governmental access to private-sector data in Korea. It focuses on issues such as the circumstances under which access is allowed without a warrant and how unjustified government access can take place in practice.

II. Introduction and Overview

In 2011, the Cultural Minister Yu In-chon was attending a welcoming ceremony held at Incheon International Airport to greet the 2010 Vancouver Winter Olympic champion skater Kim Yu-Na. During the ceremony, the minister stretched out his arms toward Kim’s shoulders as a gesture of welcome, but the scene was captured and slightly edited to look as if the minister tried to hug Kim as she reluctantly avoided him. This video clip was posted on a website for funny pictures/video clips, and the humiliated minister sued for libel the Internet users who uploaded it.1 Upon the filing of the complaint, the police requested the Internet users’ names, resident registration numbers, cell phone numbers, and date of subscription, which the ISP provided two days later. Then, one of the accused whose personal information was given to the police sued the ISP for disclosing his personal information in breach of the ISP’s terms of use. The case (p.288) generated a heated controversy over whether such governmental access without proper warrants was an infringement on privacy or the right of personal information. Six years later, the Supreme Court of Korea came to a conclusion2 that illustrates some of the realities and statutory limits of governmental access to private-sector data in the Republic of Korea.

Systematic government access to private-sector data can take place in a variety of ways. Under some circumstances, access requires warrants issued by a court, whereas in other situations it does not. Notably, due to the unique truce situation, under which the Republic of Korea is technically still at war with North Korea, Korean authorities are sometimes allowed to obtain private-sector data without warrants, for national security purposes.3

This chapter will examine the statutory grounds for governmental access to private-sector data in Korea, focusing specifically on issues such as the circumstances under which access is allowed without a warrant and how unjustified government access can take place in practice.

III. National Legal Context and Fundamental Principles

Article 17 of the Constitution of the Republic of Korea states, “The privacy of no citizen shall be infringed,” and Article 18 states, “The privacy of correspondence of no citizen shall be infringed.” The Constitution does not explicitly mention a fundamental right of personal information or data protection. However, based on Article 37, which reads, “freedoms and rights of citizens shall not be neglected on the ground that they are not enumerated in the Constitution,” and in light of Article 10 (which recognizes the human worth and dignity of all citizens) and Article 21 (which protects freedom of expression), plus Articles 17 and 18, it is reasonable to conclude that personal information privacy is a fundamental right. Indeed, Korean courts have held that the rights to privacy and the pursuit of happiness in these Articles provide the ideological basis for acknowledging a so-called “right to self-determination of personal information” as a separate constitutional right.4 This “right to self-determination of personal information” is in turn embodied and delineated in various statutes, including the “Personal Information Protection Act.”

Previously, the obligations of government bodies with regard to personal information protection were regulated by the “Act on Personal Information Protection of Public Agencies” (APIPPA). On September 30, 2011, the APIPPA was replaced by and incorporated into the “Personal Information Protection (p.289) Act,” which covers both the public and private sectors. Further regulations applicable to the private sector are also found in a variety of industry-specific statutes, including the Act on Promotion of Information and Communications Network Utilisation and Information Protection (Communications Network Act), the Act on Use and Protection of Credit Information (Credit Information Act), the Communication Privacy Act (Communication Privacy Act), the Act on Real Name Financial Transactions and Guarantee of Secrecy (Real Name Financial Transactions Act), the Act on Report and Use of Specific Financial Transaction Information (Financial Transaction Information Act), and the Act on Use and Protection of Location Information (Location Information Act).

Enacted in 2011, the Personal Information Protection Act (PIPA) is a comprehensive statute that imposes obligations on entities dealing with personal information (“processors”), both in the public sector and the private sector. PIPA establishes basic principles regarding the collection, use, and disclosure of personal information. It is notable that PIPA explicitly requires, as a general rule, that processors obtain consent from the data subject; in the case of a disclosure, the data subject must be informed as to the recipient of the personal information, what personal information will be transferred, the purpose for which the information will be used, and the period for which it will be retained. These requirements also apply when providing personal information to a third party overseas.5 Moreover, PIPA requires the government to “work out policy measures necessary to enhance the personal information protection standard in the international environment.”6

As for the obligations of the state, PIPA provides that the government “shall devise policy measures to prevent any harmful effect from collecting personal information for any purpose other than the intended purpose, misusing, abusing, or excessively monitoring and tracking, etc. personal information, thereby protecting human dignity and personal privacy.”7 Article 15 permits collection and use not only with consent but also “where special provisions exist in laws” and “where it is unavoidable so that the public institution may carry out such work under its jurisdiction as stated by laws and regulations.”8 Apart from these basic principles, PIPA does not say much about the scope and procedures regarding government access to third-party private-sector data. Instead, the standards for government access to personal information must be found elsewhere. Personal information is acquired by public authorities using the existing warrant system or under numerous administrative procedures. In addition, data that does not fit within the PIPA definition of personal information can always be submitted to the government voluntarily and informally.

(p.290) IV. Statutory Overview and Analysis

A. Laws regarding Governmental Access to Private-Sector Data

This section will examine PIPA and other statutes in greater detail.

As a preliminary point, it should be emphasized that private-sector data can be divided into two categories: personal information data and everything else. Statutes on privacy including PIPA define personal information as “the information pertaining to any living person that makes it possible to identify such individual by his/her name, resident registration number, image, etc. (including the information which, if not by itself, makes it possible to identify any specific individual if combined with other information).” However, Internet log records (the date, frequency, and length of connections) and telephone calling records (the originating and called numbers, with time and duration) do not normally fall within the scope of the definition of personal information unless they are put together with name or personal identification number. Internet logs and dialed number records, sometimes referred to as “transactional data,” are considered to be personal information if and only if the service provider collecting the logs or records has another database containing users’ names and/or personal ID numbers and if the company is technically capable of easily putting those databases together.

PIPA Article 15 states as a basic principle that personal information must be collected only with consent of the subject of such information.9 However, the government can obtain personal information without consent where it is necessary for a public institution to carry out its official duties under its jurisdiction as stated by other laws and regulations that supersede PIPA, or where it is deemed necessary explicitly to protect the data subject or any third party from impending danger to his/her life, body, or property. The phrase “official duties under its jurisdiction as stated by laws and regulation” refers to the obligations and authorities of public bodies prescribed in the Government Organisation Act, the Resident Registration Act, the National Taxation Act, the Medical Service Act, the Infectious Disease Control and Prevention Act, and the National Health Insurance Act, as well as relevant regulations enacted by local governments. For example, the Ministry of Public Administration and Security collects data on public officers for the purpose of personnel, ethics, services, and pension management.10 It also operates the “National Human Resource Database,” which accumulates large amounts of personal information. Medical records are collected and used by the National Health Insurance Corporation in the ordinary course of insurance benefits management.11

(p.291) In principle, the processors of personal information can disclose personal information only with the consent of the data subject, and only within the scope of the initial purpose of collection.12 There is an exception in the PIPA, however, that the government and public agencies can disclose personal information for the purpose of law enforcement “where it is necessary for the investigation of crimes, indictment and prosecution, or for the court to process the case or for punishment and enforcement of care and custody.”13

PIPA establishes specific rules for what is referred to as “sensitive information,” which includes information on ideology, belief, admission/exit to and from trade unions or political parties, political mindset, and health and sexual life.14 Yet there are some exceptions in the Act: The government is allowed to acquire genetic information or criminal records when necessary.15 PIPA also limits the collection and use of resident registration numbers unless it comes under exceptions specified by the Act. PIPA also requires the government to provide a means for Internet users to subscribe to its websites without submitting their resident registration numbers. In response to the ongoing digitalization of governmental functions, with the result that personal information is stored and managed in the interlinked systems of public agencies, placing at risk information privacy in the public sector, PIPA requires public institutions in specified circumstances to conduct privacy impact assessments.16

Whereas PIPA acts as a comprehensive and basic statute on personal information protection, the Telecommunication Business Act (TBA) specially regulates telecommunication service providers. Basically, the Act states that telecommunication service providers must obtain consent from the data subject before providing personal information to a third party, and the third party can use the information only in accordance with the purpose for which it was provided.17 However, when submitting information to law enforcement authorities who possess a warrant issued by a court pursuant to the Criminal Procedure Act, consent of the data subject is not necessary.18

Apart from PIPA and TBA, a number of other statutes, including the Credit Information Act, the Communication Privacy Act, the Real Name Finance Act, and the Act on Use and Protection of DNA Identification Information (DNA Identification Act), provide for data seizure by warrant or other means.

(p.292) In scholarly discourses in Korea, there is a controversy over whether electronic data is subject to seizure and search. According to the Criminal Procedure Act, “the court may seize any articles which it believes may be used as evidence or liable to confiscation.” In addition, “A person, effects, dwellings … may be searched only when there are circumstances which warrant the belief that there are articles liable to seize therein.”19 It is argued that, under the express language of these provisions, only tangible articles are eligible to be seized or searched and therefore the provisions of the Act are not applicable to the seizure and search of intangible data. Although the seizure and subsequent search of hard discs, laptops, and other physical media containing data is one action, demanding the disclosure of data stored on such devices is quite different. This distinction raises a question as to the legitimacy of the search and seizure provisions of the Criminal Procedure Act when applied to searches of stored data. Moreover, it is not clear under existing statutes whether the data subject must be notified of the execution of a warrant for data pertaining to that person. In the case of so-called transactional data, the Communication Privacy Act requires the law enforcement authorities to notify the data subjects in writing within 30 days after obtaining records for the purpose of investigation.20 However, the Criminal Procedure Act imposes no such obligation when seizing and searching articles from a third party, so under that Act enforcement authorities are not required to give any notice when seizing and searching personal information held by a telecommunication service provider.

A warrant issued by a court is not the only means by which the government can obtain personal information. As will be explained below, there are other explicit provisions scattered in various statutes allowing the government to request personal information from the private sector without any warrant.

(p.293) B. Law Enforcement Access, Regulatory Access, and/or National Security Access

1. Law Enforcement Access without Court Permission

Regarding public sector data, the government and public agencies may disclose personal information for the purpose of law enforcement without any court permission under the PIPA.21 Regarding private-sector data, however, government access is only made possible by consent of the data subject, statutory provision, or court permission. There are some exceptions: first, the TBA provides a telecommunication service provider may comply with a request for provision of communications data from a court, a prosecutor, the head of an investigative authority, or the head of an intelligence agency, when necessary for a trial, a crime investigation, the execution of a sentence, or national security. The TBA specifically provides that telecommunication service providers “may” provide to law enforcement agencies communications data such as names of their users, resident registration numbers of users, addresses of users, phone numbers of users, identification codes used to identify the rightful users of communications networks, and dates on which users commence or terminate their subscriptions.22

However, such governmental access without a judicial warrant was challenged in the lawsuit described at the beginning of this chapter, which questioned the legitimacy of an ISP’s providing the police with users’ personal information. The Seoul Central District Court held that the ISP was not responsible for any mental stress experienced by the data subject, because the TBA allows ISPs to provide personal information for trials, crime investigation, or national security reasons.23 On appeal, however, the Seoul High Court found that the ISP has no obligation to disclose information upon the mere request of law enforcement authorities. Rather, the Seoul High Court held, an ISP is responsible for deciding whether it should provide the requested personal data based upon a careful examination of specific factors such as the seriousness and urgency of the crime, the importance of the public interest, and the degree of infringement on the personal information rights of the data subjects. Accordingly, the High Court held the ISP in this case breached its responsibility and infringed the users’ rights of self-determination and to anonymous speech, and ordered the ISP to compensate the users.24

2. The Supreme Court Decision on Law Enforcement Access

The case was appealed to the Supreme Court, raising issues as to the availability and scope of the government’s authority to access private-sector data and any responsibility of ISPs when presented with government requests. At the end of (p.294) the court hearing, which took several years, the Supreme Court reversed and remanded the decision of the Seoul High Court.25 Regarding the availability and scope of government access, the Supreme Court distinguished between mere “contact information” such as name, address, phone number, resident registration number, and user identification codes on the one hand and “telecommunication confirmation data” such as when and how long users communicated, with whom they communicated, and their location information on the other. The Supreme Court found that the Communication Privacy Act clearly provides that the police and other investigative authorities need court permission to get access to telecommunications confirmation data held by the private sector and also to intercept “telecommunication contents.”26 It was held by the Supreme Court, however, that the TBA allowed ISPs to voluntarily provide “contact information” without court permission for the purpose of facilitating law enforcement. The constitutional issue relating to such government access to private-sector data without a court’s permission had already been addressed in 2012, when the Constitutional Court of Korea decided that the statutory provision of the TBA does not violate the fundamental right of privacy under the Constitution of Korea as long as it does not impose a mandatory obligation on ISPs to provide contact information to law enforcement authorities.27

As the voluntary mechanism of governmental access to private-sector data was interpreted as being constitutional, the Supreme Court of Korea moved forward to deny the responsibility of ISPs: ISPs are themselves not the police nor judicial institutes and, accordingly, ISPs are not expected to bear any responsibility for making case-by-case decisions about how to respond to requests for personal information by investigative authorities.28 Although ISPs are not under a mandatory obligation under the TBA to provide contact information unless there is court permission, in reality they do not have any alternative but to provide the data in accordance with formal requests of law enforcement authorities. In the case of abusive requests by law enforcement authorities, there may be infringement of personal information rights, but liability for that, the Supreme Court held, must not be borne by ISPs but by the abusive authorities themselves.

As our national security is threatened not only by military attacks from North Korea but also by terrorist attacks from the Islamic State, the Act on Anti-Terrorism for the Protection of Citizens and Public Security (Anti-Terrorism Act)29 was recently enacted. To have access to communication contents, entry/departure information, and financial information, the National Intelligence Agency (p.295) (NIA) of Korea will have to follow the procedure under the Communication Privacy Act, the Immigration Control Act, and the Act on Reporting and Using Specified Financial Transaction Information. According to the Anti-Terrorism Act, however, the NIA will be able without a court warrant to ask ISPs to provide contact information, location information, and other relevant personal information regarding terrorist suspects.30 Following the Supreme Court decision, ISPs are not responsible to data subjects for disclosure of their personal information unless the requested data clearly do not relate to terrorist suspects.

3. Wire-Tapping and Other Communication-Restricting Measures

The Communication Privacy Act allows “communication-restricting measures” for the investigation of crimes prescribed in the Criminal Act, the National Security Act, or the Military Secret Protection Act, or for other national security purposes, subject to court permission.31 The term “communication-restricting measures” means “censoring any mail, wire-tapping any telecommunications, providing the communication confirmation data and recording or listening to conversations between others that are not made public.” These measures are permitted only when there is a substantial reason to suspect that a crime is being planned or committed or has been committed and it is otherwise difficult to prevent the commission of the crime, to arrest the criminal, or to collect the evidence. The heads of certain intelligence and investigative authorities may also take these measures, when they expect the national security is at risk and the collection of intelligence is required to prevent such danger.32 When the communication-restricting measures are to be taken against a Korean national, permission must be obtained from a senior chief judge of the high court. With respect to communications of countries hostile to the Republic of Korea, foreign agents, or groups or persons suspected of engaging in antinational activities or in intelligence collection activities for a foreign power, approval must be obtained in (p.296) writing from the president of the Republic of Korea. Communication-restricting measures undertaken for the investigation of crime shall not last more than two months and, for national security purposes, four months.

In the event of urgent situations involving an act of conspiracy that threatens the national security, or the planning or committing of any serious or organized crime that may cause death or serious injuries, the public prosecutor, police officer, or any of the heads of the intelligence and investigative agencies may take a communication-restricting measure without permission from the court,33 provided an application for permission is filed with the court immediately thereafter. If the court does not issue permission within 36 hours from the commencement of the measure, the prosecutor, police officer, or agency head must halt the execution of the measure.

As wiretapping and other communication-restricting measures involve disclosure of communication contents, the threat to privacy becomes serious and could have an enormous chilling effect on freedom of expression if abused by the government. When the Korea National Intelligence Agency had access to certain data packets by wiretapping the Internet under the permission of the Seoul Central District Court, the alleged suspect brought a constitutional suit arguing that the statutory provision allowing for data packet wiretapping was in violation of the fundamental right of privacy under the Constitution. Although the constitutional suit was dismissed because the alleged suspect died,34 the case highlighted the serious tension between privacy and national security and the possibility of abuse by the government.

4. Regulatory Access

The government may also obtain access to privately held information for regulatory or administrative purposes. When the government collects personal information from the private sector, it is not always clear whether the purpose is for law enforcement or administrative management. One example is the personal information concerning copyright infringers submitted to the Minister of Culture, Sports and Tourism. In the name of enhancing copyright protection, the Copyright Act of Korea gave the minister the authority to demand that Internet Service Providers (ISPs) delete or stop transmitting illegal reproductions or to suspend the infringer’s account for online service for a limited period.35 Furthermore, upon the request of a copyright holder seeking data for lawsuits, the minister may order an ISP to provide the list of people who are suspected of having copies of or transmitting illegal reproductions.36 Although such governmental seizure of personal information without any control by the court (p.297) may promote copyright protection, it has been criticized for unduly infringing the privacy of Internet users.37

5. Transparency Report

Given the difficulty of achieving a good balance between the public interest and privacy, and also given the growing concern among Internet users about their personal information, ISPs in Korea such as Naver and Kakao have begun publishing transparency reports.38 These transparency reports have been made voluntarily. There is no statutory provision requiring government agencies or companies to issue transparency reports. Unlike ISPs, telecommunication companies such as KT, SK Telecom, and LG U+ have not published transparency reports yet. It was reported in the New York Times that those three companies had provided law enforcement agencies with subscriber information such as names, addresses, resident registration numbers and other customer information pertaining to more than 6 million phone numbers in the first half of 2014 alone.39 They provided the information whenever a request was made, without demanding a warrant or informing affected customers.

After the decision of the Seoul High Court in 2012 described above, ISPs such as Naver and Kakao had stopped providing any contact information of their users to government authorities without court warrants or court orders. In 2014, however, there was a news report that government authorities were scrutinizing the data of users of Kakao’s messaging app, Kakao Talk. Because court warrants or orders should be strictly limited to criminal investigations or national security, overbroad court warrants or orders might have raised serious privacy concerns among Kakao users. Due to the news report, an estimated 610,000 South Korean smartphone users visited a German competitor Telegram on the same day, a fortyfold increase over the previous day.40 South Korean users posted reviews on Telegram saying they left Kakao to seek “a Cyber-asylum.” As in the FBI-Apple encryption dispute,41 the government and ISPs in Korea are facing the (p.298) most difficult task of balancing the conflicting interests of national security and personal information.

C. Reporting Financial Data and/or Passenger Records

Generally, there are a number of circumstances in which that the government can obtain private-sector data without a warrant. For example, the Korea Communications Commission can demand data from ISPs when a breach of the Communications Network Act occurs or becomes known to the Commission, or when necessary to protect Internet users.42 The Board of Audit and Inspection, which is empowered to audit the conduct of officials of the national and local governments, can order third parties including ISPs to submit information pertaining to an inspection.43

Governmental access to private-sector financial data occurs in two ways: one is when the government requests financial data from credit information companies, and the other is when the government collects the financial data itself in the course of administering a government program.

The first method of government access has a statutory basis. According to the Credit Information Act, when the head of a public institution requests in writing credit information for a purpose allowed by related Acts and subordinate statutes, the credit information company shall provide such information.44 Although in principle financial information on loans and guarantees may be disclosed only with the prior consent of the data subject, the Act lists a number of exceptions: when the information is sought in accordance with a court order or a warrant, or in an emergency where a person’s life is endangered. Also, a credit information company must submit information to the government without obtaining any prior consent when the information is sought under the statutes relating to taxation.45 The government also might obtain some financial information from credit information companies in connection with the supervision of such companies by the Financial Services Commission. The Commission is authorized to inspect the business and financial standing of credit information companies and demand related information or summon related personnel.46

(p.299) The government also has access to information from financial institutions in connection with its anti-money laundering program.47 More specifically, financial institutions are required to report to the Commissioner of the Korea Financial Intelligence Unit any transaction exceeding US $5,000 (or the equivalent in foreign currency) or 10 million Korean won when the financial institution has reasonable grounds to suspect that the transaction is in relation to money laundering, terrorist activities, or other crime. Financial institutions also must report payments or receipts of cash exceeding 20 million Korean won, subject to some exceptions, within 30 days.

Some financial information is gathered by the government in the course of the government’s own credit activities. For instance, the Korea Credit Guarantee Fund (KCGF) and Korea Technology Finance Corporation (KTFC) are established by the government and collect financial information from customers as they carry out their activities. They can request resident registration numbers from the Minister of Administration and Security or personally identifiable information from financial institutions with the consent of the data subject.48

When collecting and investigating credit information, credit information companies need to specify the purpose of such collection and investigation and they may use only reasonable and fair measures to the extent required to serve the specified purpose.49 KCGF and KTFC bear the same liability and are subject to the same limits as ordinary credit information companies with regard to collection and investigation of credit information. Also, credit information companies are not allowed to collect or investigate information that is related to certain sensitive matters, including national security, trade secrets, R&D results, and political beliefs.50

Passenger records are also submitted to the government for administrative use. For example, the Director of Customs may request shipping or airline companies to allow inspection of passenger reservation data on the network of the company or to submit such data to the government for the purpose of detecting counterfeit goods, narcotics, firearms and explosives, and other illegal goods.51 Upon request, the companies must provide nationality, name, date of birth, passport number, reservation number, address, telephone number, itinerary, and travel agency.

Immigration officers also have access to passenger records in certain circumstances. For example, immigration officers may request passenger records from transportation and shipping companies for the purpose of identifying any passenger with an invalid passport or false identity guarantee or invitation, or who is (p.300) carrying firearms or explosives or is otherwise harmful to the general public (e.g., drug addicts).52 The specific items of information that immigration officers may obtain include are nationality, name, date of birth, passport number, reservation number, address, telephone number, itinerary of journey, and travel agency.

The government may also order individuals, entities, and private-sector organizations, as well as other public agencies, to submit data that the government determines are necessary for statistical purposes.53

D. Voluntary Broad Access to Data

As far as personal information is concerned, PIPA and a number of other relevant statutes regulate government access. These statutes prescribe quite clearly the scope of government access and thus provide statutory protection for personal information. On the other hand, in the case of information that is not “personal information” as defined in these statutes or any information that is beyond the scope of these statutes, informal and voluntary disclosure by an entity in the private sector to the government can readily occur without any legal process. As explained above, personal information includes information that when combined with other information makes it possible to identify an individual. It is extremely difficult, however, to make clear distinctions between information that could, in combination with other information, be used to identify an individual and information that could never be used in that way, for it would depend on how the data are structured or treated technically.54 For example, non-content communication data, such as searched keywords, online behavior records, purchase records, or terminal location records that do not reveal identifiable information by themselves are likely to be regarded as non-personal information, which could be disclosed to the government without any legal responsibility. Therefore, when investigatory authorities request such non-personal information, the third-party entity would lack any statutory grounds for rejecting the request.55

To evade possible legal liability, private-sector telecommunication providers and Internet service providers tend to obtain comprehensive prior consent from their subscribers. For example, Apple’s privacy policy, which is made a part of the Terms of Use for Apple’s website, states as follows:

It may be necessary—by law, legal process, litigation, and/or requests from public and governmental authorities within or outside your country of (p.301) residence—for Apple to disclose your personal information. We may also disclose information about you if we determine that for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.56

Whether a court would nullify such unlimited and unfair prior consent in favor of the users is not yet clear. There are opinions that such broad prior consent should be accepted at least in practice to protect the service providers, considering the fact that the government exercises substantive power over private-sector entities.57

E. The Role of the Courts

In summary, PIPA, the Communications Network Act, the Communication Privacy Act, the Credit Information Act, the DNA Identification Act, and other statutes addressing personal information require the consent of the data subjects for disclosure of personal information held by a third party. As a general rule, the provision of data without consent is allowed only when a court grants a warrant in connection with a criminal investigation or for similar reasons. Therefore, the court is in the position to judge whether the data in question is really necessary and to determine if the investigation is beyond the legitimate scope of the relevant authorities.

In many cases, however, the statues allow the government to access data without a court warrant in the name of law enforcement or administrative functions. For example, the Credit Information Act, the Customs Act, the Immigration Control Act, and the Copyright Act authorize government access to private-sector information for efficient execution of those statutes. In some cases, for example with regards to credit information and traveler records, disclosure without a warrant is permitted in emergency situations. In the case of information related to copyright infringement, which ISPs must submit to the government without judicial review or a court warrant, commentators have criticized the relevant statute as imbalanced because it offers too much protection to copyright holder while neglecting to protect the privacy of those suspected of infringement.

Where there are statutory grounds for government access without a warrant, the courts do have a role in that they must determine ex post whether the governmental access was within the scope of the statute and satisfied all the relevant substantive and procedural requirements. A good example is the court’s review of the case involving the poster of a video clip who sued the ISP for deleting his posting based solely on the copyright holder’s infringement claim.58 However, as explained above, in the recent Supreme Court case involving the government (p.302) minister and the Olympic skater, where the ISP, without a court order, handed over personal information of a suspect accused of libel, it was found extremely difficult to hold an ISP liable for disclosing information to the government in the absence of a clear responsibility on the ISP to examine and balance the conflicting interests of the data subject and law enforcement.59

In general, PIPA and other statutes related to personal information specify the conditions and procedures for governmental access to data held by the private sector. Private information that does not fall into the exact definition of personal information has little chance of being protected by laws or judicial oversight. Thus, it is important that the private sector itself endeavors to protect such personally non-identifiable information through a privacy policy or other voluntary mechanisms. Equally, the government needs to seek to expand the protection of the laws by legislating more specific and transparent procedures for government access.60

F. Standards for Use, Access, Retention, and/or Destruction

PIPA, the principle statute for personal information protection, explicitly limits the use of information by data processors (including public agencies) to the initial purpose of collection.61 In addition, the Act requires the immediate deletion of information after the specified retention period prescribed or if the information is no longer needed.62 Such removal or deletion of data must be accomplished in a way that does not allow it to be recovered or restored.

Most legislation related to personal information contains provisions on usage and retention similar to those in PIPA. For example, the Communications Network Act,63 the Credit Information Act,64 the Communication Privacy Act,65 the DNA Identification Act,66 the Customs Act,67 and the Immigration Control Act68 all have articles addressing purpose specification, use limitation, and data retention.

(p.303) G. Cross-Border and Multi-jurisdictional Issues

PIPA states that when information processors (including public agencies) provide personal information to a third party overseas, they shall inform the data subjects of the purpose for which the information will be disclosed and obtain their consent.69 However, consent is not required with respect to personal information handled by the government according to the Statistics Act or received for analysis in relation to national security.

A recently proposed statute on Internet cloud services, entitled the “Act on Promotion of Cloud Computing and User Protection (draft),” includes a provision stating that when a user’s data will be stored overseas, the cloud computing service provider shall disclose the name, privacy policy, and legal procedures of that country where the data will be located.70 Also, the provider shall take necessary measures to safeguard the data stored overseas.

V. Current Legislative Issues and Conclusion

To summarize, there are quite a number of statutes regarding personal information protection in Korea, and some of them provide relatively detailed regulatory measures. Some commentators criticize these laws as too burdensome for data controllers while offering too little protection of personal information.71 On the other hand, existing legislation fails to address many issues regarding personal information protection.72 These omissions include information related to browsing history, online behavior, online purchase records, and location information generated by devices such as cell phones, all of which are easily combined with other types of information to produce identifiable information on specific individuals. Accordingly, there are calls for regulations or guidelines defining the limit of governmental access to such information.73 (p.304)

Notes:

(*) The author expresses his gratitude to Ms. Hanhee Yang for her help in translating this chapter.

(1.) Kwon Mee-yoo, “Culture Minister Yu Upset at Yu-na Video,” The Korea Times (Seoul, March 17, 2010), http://www.koreatimes.co.kr/www/news/nation/2010/03/117_62548.html.

(2.) Supreme Court of Korea Decision 2012 da 105482 (S Korea, March 10, 2016).

(3.) Government Organization Act, art 29; Personal Information Protection Act [hereinafter PIPA], art 18; Communication Privacy Act [hereinafter CPA], art 8.

(4.) Supreme Court of Korea Decision 96 da 42789 (S Korea, July 24. 1998); Constitutional Court of Korea Decision 99 hun-ma 513, 2004 hun-ma 190 (S Korea, May 26, 2005).

(5.) PIPA, above note 3, art 17(3).

(6.) PIPA, above note 3, art 14.

(7.) PIPA, above note 3, art 5.

(8.) PIPA, above note 4, arts 15(1)2 and 15(1)3.

(9.) PIPA, above note 3, art 15.

(10.) Government Organization Act, art 29.

(11.) National Health Insurance Act, art 13.

(12.) PIPA, above note 3, art 17.

(13.) Ibid., art 18.

(14.) Ibid., art 23.

(15.) Ibid., art 23.

(16.) Ibid., art 33.

(17.) Act on Communications Network Promotion and Personal Information Protection, art 24-2 [hereinafter Comm Network Act].

(18.) Huh Soon-Chol, “Internet Search and the Right to Informational Self-Determination,” 10:2 Korean Public LJ 157 (Korean Comparative Public Law Association, 2009).

(19.) Criminal Procedure Act, art 106, 109.

(20.) CPA, above note 3, art 13-3, 9-2. The phrase used in the English version of the Communication Privacy Act is not “transactional data” but rather “communication confirmation data,” which the Act defines as follow:

“The term “communication confirmation data” means the data on the records of telecommunications falling under any one of the following items:

  1. ((a)) The date of telecommunications by subscribers;

  2. ((b)) The time that the telecommunications commence and end;

  3. ((c)) The communications number of outgoing and incoming call, etc. and the subscriber’s number of the other party;

  4. ((d)) The frequency of use;

  5. ((e)) The computer communications or internet log-records relating to facts of using the telecommunications services by the users of computer communications or internet;

  6. ((f)) The data on tracing a location of information communications apparatus connecting to the information communications networks; and

  7. ((g)) The data on tracing a location of connectors capable of confirming the location of information communications apparatus to be used by the users of computer communications or internet for connecting with the information communications networks.

(21.) PIPA, above note 3, art 18.

(22.) Telecommunication Business Act, art 83.

(23.) Seoul Central District Court Decision 2010 gahap 72873 (S Korea Jan. 13, 2011).

(24.) Seoul High Court Decision 2011 na 19012 (S Korea, Oct. 18, 2012).

(25.) Supreme Court of Korea Decision 2012 da 105482 (S Korea, Mar. 10, 2016).

(26.) CPA, above note 3, art 13.

(27.) Constitutional Court of Korea Decision 2010 hun-ma 439 (S Korea, March 23, 2012).

(28.) Supreme Court of Korea Decision 2012 da 105482 (S Korea, March 10, 2016).

(29.) Act on Anti-Terrorism for the Protection of Citizens and Public Security (law no 14071, enacted on March 3, 2016).

(30.) Ibid., art 9.

(31.) CPA, above note 3, arts 5–7.

(32.) CPA, above note 3, art 7. This Act further provides that heads of Intelligence can use such measures without court permission, when the following conditions are met:

  1. ((1)) It must be an urgent situation in which an act of conspiracy exists that threatens the national security or an imminent planning/carrying out of any serious or organized crimes that may cause death or serious injury.

  2. ((2)) There must be a substantial reason to suspect that such conspiracy or crime is being planned or committed or has been committed.

  3. ((3)) There must be emergency grounds that make it impossible to go through normal procedures to obtain court permission.

However, the heads must apply to the court for ex post facto approval as soon as possible, and if they fail to obtain the approval within 36 hours from the commencement of the measure, the measure must be terminated immediately.

(33.) CPA, above note 3, art 8.

(34.) Constitutional Court of Korea Decision 2011 hun-ma 165 (S Korea, February 25, 2016).

(35.) Copyright Act of 1957, art 133-2.

(36.) Ibid., art 103-3.

(37.) Sang Jo Jong, “Development and Regulation of Internet Industry,” Justice (Issue 115, September 2011) 766–87; Sang Jo Jong, “Telecommunication and Intellectual Property: Interaction of Technology, Market and Law,” 10:2 Journal of Korean Law (Seoul National University Law Research Institute, October 2011) 277–301.

(38.) Transparency Reporting Index, Access Now http://www.accessnow.org/pages/transparency-reporting-index.

(39.) Se-Woong Koo, “South Korea’s Invasion of Privacy,” The New York Times (April 2, 2015), http://www.nytimes.com/2015/04/03/opinion/south-koreas-invasion-of-privacy.html?_r=0.

(40.) “Kakaotalk, Telegram, and the South Korean Government,” Omona They Didn’t! (October 10, 2014), http://omonatheydidnt.livejournal.com/14318239.html.

(41.) “Apple vs the FBI: A Complete Timeline of the War over Tech Encryption,” Digital Trends (April 3, 2016), http://www.digitaltrends.com/mobile/apple-encryption-court-order-news/.

(42.) Comm Network Act, above note 17, art 64. Although the Korea Communications Commission can demand personal information under this authority, there is a certain limit to the Commission’s discretion. Moreover, ISPs have a responsibility to protect personal information by not providing data in excess of such limit. In this sense, although PIPA is not directly applied to the Commission’s authority, the basic concepts of PIPA provide criteria that are useful in defining the limits of the Commission’s discretion and the responsibility of ISPs, respectively.

(43.) Board of Audit and Inspection Act, art 27.

(44.) Use and Protection of Credit Information Act, art 23(7) (Credit Info Act).

(45.) Ibid., art 32.

(46.) Ibid., art 45.

(47.) Act on Report and Use of Specific Financial Transaction Information, art 4, 4-2.

(48.) Credit Info Act, above note 44, arts 24, 34.

(49.) Ibid., art 15.

(50.) Ibid., art 16.

(51.) Customs Act, art 137-2.

(52.) Immigration Control Act, art 73-2.

(53.) Statistics Act, art 25.

(54.) Korea Communications Commission, Personal Information Protection Guideline for ISP (December 2009) 8–10.

(55.) Na Jon Youn for Korea Internet & Security Agency (KISA), Use and Protection of Personal Information in Ubiquitous Computing Environment (2009) 44–45 [hereinafter Youn, ‘Use’].

(56.) Privacy Policy, Apple Korea http://www.apple.com/kr/privacy/.

(57.) Kim Ki Chang for National Assembly Research Service (NARS), Cloud Service and Personal Information Protection (Policy Research Report, December 2011).

(58.) Lenz v. Universal Music Corp, 572 F. Supp. 2d 1150, 88 USPQ 2d 1629 (N.D. Cal. 2008); Seoul High Court 2010 na 35260 (S Korea, October 13, 2010).

(59.) Supreme Court of Korea Decision 2012 da 105482 (S Korea, March 10, 2016).

(60.) Sang Jo Jong for Korea Communications Commission, Legal Review on Protection and Use of Personally Non-identifiable Information (2010) 106–15.

(61.) PIPA, above note 3, art 15.

(62.) Ibid., art 21.

(63.) Comm Network Act, above note 17, arts 24, 29, 64, 64-2.

(64.) Credit Info Act, above note 44, arts 15, 19.

(65.) CPA, above note 3, arts 12, 13.

(66.) Act on Use and Protection of DNA Identification Information, arts 12, 13, 15.

(67.) Customs Act, art 137-2; Customs Act, presidential decree, art 158-2.

(68.) Immigration Control Act, arts 12-2, 38, 73-2.

(69.) PIPA, above note 3, art 17.

(70.) Act on Promotion of Clouding Computing and User Protection (draft) art 27 (Korea Communication Commission Public Notice 2012-79).

(71.) Sang-Jo Jong, “Developments in Advertising Technologies and Their Challenge to Information Privacy,” Justice (Issue 106, September 2008) 601–23; Sang-Jo Jong and Young-Joon Kwon, “The Protection of Personal Information and Its Civil Remedies,” BupJo (Vol 58:3, March 2009) 5–73.

(72.) Korea Communications Commission, Personal Information Protection Guideline for ISP (December 2009) 8–10.

(73.) Youn, ‘Use’, above note 55, 44–45.