Inside Privacy Updates on Developments in Global Privacy & Data Security from Covington & Burling LLP

Korea Strengthens Protection for ‘Resident Registration Numbers’ (RRNs): Leaks May Face a Fine of up to 0.5 Billion Korean Won

Posted in International, Korea, Privacy Policies

On July 30, 2013, the Korean Ministry of Security and Public Administration (MOSPA) announced several amendments to the Personal Information Protection Act (PIPA) concerning collection and use of ‘Resident Registration Numbers’ (RRNs) – Korea’s national identification numbers. The PIPA is a general legal framework for personal information protection and is complemented by several sector-specific laws.

According to the MOSPA’s press statement, the following amendments will come into force in August 2014:

***

No consent-based collection and use of RRNs

“Personal information processors”* are prevented from collecting and using RRNs based solely on the consent of a data subject. A violation may result in a fine of up to 30 million Korean won (approximately 27,000 US dollars). However, collection and use of RRNs is permissible if:

  • such collection and use is authorized in the applicable law;
  • it is unavoidably necessary to protect the interests of a data subject or a third party concerning his/her physical safety or property; or
  • the MOSPA’s Ordinance allows such collection and use.

Existing collections of RRNs, if not authorized in the applicable law, should be destroyed by August 2016.

A maximum of 0.5 billion Korean won as a fine for security breach of RRNs

A maximum fine of 0.5 billion Korean won (approximately 450,000 US dollars) can be imposed on a personal information processor who fails to protect RRNs. This fine can be waived if the personal information processor proves that all measures necessary for securing the safety of personal data, as defined in Article 29 of the PIPA, have been implemented.

Sanctions on senior executives

Under the current language of Article 65 of the PIPA, the MOSPA can recommend that the liable personal information processor take disciplinary action against the person “responsible” for a security breach. The amended PIPA provision will clarify that the “responsible” person under Article 65 includes the head or senior executives of the liable personal information processor.

***

In Korea, RRNs are extensively used for online identification purposes when registering an account with most Korean websites. Using RRNs for online identification has been under criticism after several massive security breaches leaked millions of Internet service users’ personal information, including their RRNs (for example, here, here, and here), in 2011 and 2012. Since then, RRNs have gradually been replaced by alternative online identification methods such as ‘i-Pin’ and a digital certificate.

In February 2012, the Act on Promotion of Information and Communications Network Utilisation and Information Protection (the “ICN Act”) was amended to restrict unauthorized collection and use of personal information including RRNs by “information and communications service providers (ICSPs)” such as Internet and social media companies. With the present amendments to the PIPA, personal information processors, not just ICSPs, will be prevented from unauthorized collection and use of RRNs.


*Note: A “personal information processor” as defined in the PIPA means a public institution, corporate body, organization or individual that processes personal information directly or via another person to manage personal information files for purposes of his/her duties (Article 2 of the PIPA).