SOUTH KOREA Law and Practice Contributed by: Brian Tae-Hyun Chung, Haewon Han, Ari Yoon and Jisoo Yoo, Kim & Chang
• As explained in 1.4 Data Protection Fines in Practice , in 2023, KCC imposed a corrective order on business entities that did not obtain consent from children under the age of 14 themselves when processing their personal location information, in addition to obtaining consent from their legal guardian. Currently, a lawsuit has been filed to revoke KCC’s dis - position and a lawsuit is underway to dispute the interpretation of the Location Information Act. • As explained in 1.4 Data Protection Fines in Practice , in May 2024, PIPC imposed an administrative penalty on a business entity in a case where the personal information of anonymous chat room users was leaked. The business entity filed a lawsuit seeking revo - cation of PIPC’s disposition and the case is currently pending. The issue in this case is expected to be whether information that does not contain any personal information in itself, such as “member serial number and tem - porary ID used in anonymous chat rooms,” constitutes personal information. 2.3 Collective Redress Mechanisms The PIPA includes a mechanism for collective redress through a dispute mediation system. This allows national and local governments, per - sonal information protection organisations, data subjects, and data controllers to request or apply for collective dispute mediation via the Dispute Mediation Committee. This process is applicable in situations where multiple data subjects expe - rience similar damage or rights infringements, provided the following criteria are met. • At least 50 data subjects must have suffered harm, excluding: (a) data subjects who have already reached an agreement with the data controller
regarding dispute resolution or compen - sation; (b) individuals who are currently involved in a dispute mediation process under different laws or regulations for the same issue; and (c) individuals who have filed a lawsuit re - garding the personal information infringe - ment in question. • The case’s key issues must share common factual or legal characteristics. Despite this framework, collective dispute medi - ation has been rarely utilised. 3. Data Regulation on IoT Providers, Data Holders and Data Processing Services 3.1 Objectives and Scope of Data Regulation Overview Currently, there are no specific laws or regula - tions dedicated solely to the data regulation of the IoT (Internet of Things). Depending on the type of issue, the following individual laws and regulations may be applicable. • Security and safety management: The Net - work Act may be relevant here. It mandates manufacturers and importers of IoT devices to implement protective measures to ensure the stability and reliability of information and communications networks. Additionally, the Network Act includes an information protec - tion certification system for IoT products. • Data sharing: There is no law similar to the EU Data Act that directly requires data holders to share data during the development, launch, or operation of IoT products. However, the Framework Act on Promotion of Data Industry
393 CHAMBERS.COM
Powered by FlippingBook