SOUTH KOREA Law and Practice Contributed by: Brian Tae-Hyun Chung, Haewon Han, Ari Yoon and Jisoo Yoo, Kim & Chang
lines. For instance, guidelines on AI technology, as explained in 1.5 AI Regulation, have been established. Guidelines on personalised advertising are also expected to be released in early 2025, as addressed in 4.2 Personalised Advertising and Other Online Marketing Practices.

• Legal framework expansion: The PIPC has worked to broaden the legal bases for processing personal information. The 2023 amendment to the PIPA expanded the scenarios under which personal information can be lawfully processed without the data subject’s consent. For example, personal information may now be processed without consent “if necessary for the execution and performance of an agreement”, or “if it is clearly necessary for the urgent benefit of the life, body, or property of a data subject”.

3.3 Rights and Obligations Under Applicable Data Regulation

As outlined in 3.1 Objectives and Scope of Data Regulation, the MSIT in Korea mandates manufacturers and importers of IoT equipment to implement protective measures that ensure the stability of information and communications networks and the reliability of information. The MSIT’s information protection guidelines, which generally serve as recommendations, detail these protective measures. However, the MSIT can sometimes request other regulatory bodies to integrate these guidelines into their standards for testing, inspection and certification of IoT products. The key protective measures specified in the guidelines include the following.

• Managerial protective measures: These involve organising an information security team, appointing a chief information security officer, implementing information security policies, devising and executing a breach response plan, and conducting self-assessments of information security practices.
• Technical protective measures: These cover securing networks with intrusion prevention systems, securing IT infrastructure such as servers, implementing access controls, and maintaining log records for a specified period.
• Physical protective measures: These involve controlling access to telecommunication facilities and installing and operating backup facilities.

Additionally, service providers can opt to obtain Certification of IoT Cybersecurity for their IoT products and associated mobile apps. This certification spans seven areas: identification and authentication, data protection, encryption, software security, updates and technical support, operating system and network security, and hardware security. Products that achieve certification can display a certification mark.

3.4 Regulators and Enforcement

Under the Network Act, the MSIT oversees measures to ensure network safety, while the PIPC is responsible for matters related to personal information. If a relevant authority identifies a violation of either law, whether due to an infringement or through a report or complaint, it can investigate the case and impose sanctions. These sanctions may include corrective orders, administrative fines, or other penalties. For more information, please refer to 1.2 Regulators.

4. Sectoral Issues

4.1 Use of Cookies

The PIPA does not require data controllers to obtain users’ consent for the installation of cook -