South Korea’s Personal Information Protection Act (“PIPA”), promulgated in 2011 and subsequently amended, has been described as the “most innovative” and “toughest” data privacy law in Asia. PIPA is designed to ensure individual agency over personal information, bring transparency to data collection practices, and empower regulators and the courts to hold collectors and users of personal information accountable for any violations of PIPA’s detailed requirements. PIPA’s perceived strength emanates from its central focus on informed consent, including general consent requirements for information collection and use, special requirements for sensitive or identifying personal information, and additional consents for any changes to the ways in which information is used. Commentators have praised the comprehensive application of PIPA, as well as the array of enforcement mechanisms available under the law. These enforcement tools include administrative enforcement actions, civil lawsuits, and even criminal prosecutions.
This article critically examines PIPA’s effectiveness in accomplishing its primary goals: honoring the privacy preferences of each individual and creating a culture of transparency and accountability. I focus on three points. First, there is reason to be skeptical that user consent has had the effect of limiting the information gathered and used in business affairs. Second, Korean courts have an important role to play in determining the scope of PIPA and the extent of liability for violations. In particular, the uncertainty surrounding such fundamental issues as the scope of “personal information” and the magnitude of damages that can be recovered for privacy violations suggests that the present enforcement regime has not provided consistent signals. Finally, it is not clear that a “tougher” data privacy law is necessarily a better one. Indeed, the strategy embedded in PIPA parallels another of the major issues in Korean privacy, name verification for Internet users. The desire to cultivate a more civilized online space may be born of noble public interest objectives, but the results provide a cautionary tale for policymakers.
The Efficacy of Consent
One pending case vividly illustrates the problem of express consent as the lynchpin of data privacy protections. Homeplus, formerly a division of the UK retailer Tesco, is a major retail chain in Korea that sells products ranging from groceries to housewares. Homeplus collected personal information of its customers through contest registration forms and membership registration materials. In addition to making internal use of the information, Homeplus bundled customer data and sold it to third-party insurance companies. Participating customers received written disclosure that their information could be sold to insurance companies, though the relevant disclosure was printed in one-millimeter characters. All three enforcement tools were applied against Homeplus: the Korean Fair Trade Commission instigated an administrative proceeding, customers filed suit seeking civil remedies, and six Homeplus executives (including the CEO) were prosecuted for violations of privacy law. All six executives were acquitted, while the FTC assessed a fine against the company in the sum of 435 million Korean won (approximately 400,000 U.S. dollars). The civil suit is currently pending and created enough economic uncertainty to complicate Tesco’s sale of Homeplus to a Korean private equity firm.
It is not clear that civil suits such as the Homeplus case will help to clarify the application of PIPA going forward. The trial court in the related criminal case concluded that Homeplus complied with informed consent requirements by providing written disclosure of its use of personal information to the more than seven million individuals who apparently consented to the sale of their personal information. The legal question then becomes whether those consents were legally valid for the purposes of civil liability. If Homeplus ultimately bears a significant cost for its sharing of personal information, wary executives and in-house counsel will likely prepare written disclosures in larger and plainer text. Even in that case, however, individuals may continue to hastily consent to the terms and conditions placed before them in order to obtain the benefits of doing business with the enterprise seeking the consent. The tiny font size in the Homeplus case has postponed a reckoning with the more fundamental question of whether individual consent is an independently sufficient privacy protection, at least so long as a culture of careful attention to data privacy consents remains absent.
Courts as the Fulcrum of Privacy Disputes
The burden of construing PIPA so as to realise the robust protective vision of lawmakers has fallen to the courts in several key areas. Judges must confront the ongoing tension between the perceived “toughness” of Korean privacy law and the inadequacy of consent-based protections, not to mention public dissatisfaction over the profound data breach crises that have roiled Korean society. I give particular attention here to the determination of cumulative damages for privacy violations as a tool for judicial gap-filling.
As a general matter, reliance on Korean courts to scale damages predates PIPA. In a remarkable article, the former judge who decided a critical pre-PIPA data privacy case, the Lineage II case, detailed the legal pragmatism that animated his decision. The defendant, an online gaming company, caused the ID and password of users to be written onto their local hard drives through a programming error. With no clear statute, regulatory guideline, or judicial precedent to follow, the trial court sought to incentivize improved privacy safeguards by imposing substantial liability on the defendant. The court’s “regulation by lawsuit” approach was modified by the appellate courts, which reduced the damages awarded to each plaintiff. Nonetheless, the case vividly demonstrated the need for courts to fill the void in Korean privacy law.
PIPA has not obviated the need for judges to creatively impose civil remedies. Administrative sanctions do not appear to have created a significant deterrent effect, as the sums imposed to date have been relatively small. Related legislation allows for administrative penalties of up to three percent of sales revenue related to a privacy violation, but thus far this standard has generated uncertainty about how much revenue is related to privacy violations and has had little actual deterrent effect. As the trial court concluded in its acquittal of the Homeplus defendants, criminal prosecution will often be a blunt and inappropriate instrument. It remains to be seen whether the civil suit against Homeplus can set a new template for balancing privacy interests with the need to impose damages that are neither trivial nor ruinous. While PIPA allows for damages of up to 3 million Korean won (2,650 U.S. dollars) per plaintiff, a decision to impose damages approaching such a figure may well cause financial disaster for a defendant where the potential plaintiffs number in the millions. More than a decade after the Lineage II case, and with PIPA in effect for five years, the position of the courts as arbiter of Korea’s privacy conflicts remains virtually unchanged.
Identity Verification and Information Culture
PIPA’s limited ability to expeditiously address problems in online privacy practices resembles another recent attempt at engineering a more attractive Internet culture. In 2007, Korea became the first nation in the world to mandate identity verification as a prerequisite to online participation through popular ISPs. After considerable public debate, the identity verification system was ruled unconstitutional by the Korean Constitutional Court in 2012. While a tentative victory for privacy rights activists, the decision left open the possibility that a modified (and perhaps more draconian) version of the system could pass constitutional muster. Notwithstanding the demise of the general name verification system, Korea requires identity verification as a precondition to posting election-related Internet content, and the applicable law survived a constitutional challenge last year. Moreover, the rise of privately mandated social media identity verification has resulted in verified identities for many users of Korean Internet portals, even in the absence of a systematic, nationwide verification system.
Name verification shares an important underlying rationale with PIPA: both regulatory approaches resulted from a legislative desire to reshape Internet and information culture. Identity verification sprang from a public campaign to combat defamation and “cyber-contempt,” while PIPA was intended as a comprehensive and proactive response to inadequate data security. However, both laws failed to account for actual Internet user practices or to allow for organic evolution of online culture. As it stands, Koreans are left in the puzzling position of being required (de jure until 2012, and de facto now) to reveal identifying information about themselves in order to engage in participatory online activities while also being told that they are responsible for defining the parameters of collection and use of their personal information.
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
As a test case for consent-centric privacy regulation, PIPA has not yet yielded consistent improvements in data security and personal privacy. The legislature and the executive would be well-advised to clarify requirements and to provide guidance on the socially and economically optimal remedies for violations. The Korean populace should also assume an active role in shaping their own Internet culture, and that role must extend beyond withholding clicks from consent boxes.
This feature was written exclusively for Digital Asia Hub. For permission to republish or for interviews with the author please contact Dev Lewis.