IT·SECURITY
Encryption and Encryption Algorithms
What is Encryption?

Encryption is the process of converting plain text into an alternative form through specific algorithms or methods. This technology blocks unauthorized persons' access to important information by converting that information into illegible values. Encryption is a generic technology that directly protects significant information in terms of security.

The original data to be protected is called plain text, and the encrypted text is called cipher text. The conversion of plain text into cipher text is called encryption. The conversion of encrypted data back into plain text is called decryption.

One-Way and Two-Way Encryption

Encryption can be largely divided into one-way and two-way encryption algorithms. In a one-way algorithm only encryption is possible and decryption is not, whereas a two-way algorithm can decrypt cipher text. Two-way encryption can be divided into symmetric-key encryption and asymmetric-key encryption.

Symmetric-Key Encryption

Symmetric-key encryption is also called secret-key encryption: the same key is used for both encryption and decryption. Although symmetric-key encryption boasts fast computing speeds thanks to its simple internal structure, it is difficult to manage the large number of keys needed when exchanging information between many people, since every sender and receiver pair must share an identical key. Representative symmetric-key algorithms include DES, 3DES, and AES.

Types of Symmetric-Key Encryption Algorithms

The Data Encryption Standard (DES) is a symmetric-key algorithm that was developed at IBM in 1975 and designated as a national standard encryption algorithm by the NIST in 1979. It divides plain text into 64-bit blocks and produces 64-bit cipher text blocks using a 56-bit key. The 3DES algorithm, the Triple Data Encryption Algorithm, applies the DES cipher three times.

However, DES is vulnerable to brute force since it uses a 56-bit key. AES appeared as its replacement. The Advanced Encryption Standard (AES) was adopted because it satisfied the selection criteria of the U.S. NIST: safety, cost, and implementation efficiency. AES is widely used all over the world because of its outstanding safety and speed.

Asymmetric-Key Encryption

Asymmetric-key encryption is also called public-key encryption. Unlike symmetric-key encryption, different keys are used for encryption and for decryption. Public-key encryption relies on complicated mathematical operations, so its efficiency may be lower than that of symmetric-key encryption. However, keys are easier to manage even with a large number of users, since multiple senders encrypt with one public key. Representative algorithms include RSA, ElGamal, and ECC.

One-Way Encryption

One-way encryption literally means encrypting plain text in one direction: plain text can be turned into cipher text, but the cipher text cannot be turned back into plain text. Hash functions are generally used for one-way encryption.

A hash function produces a fixed-size hash value from input text of any size. Even when the input sizes differ, the outputs have the same fixed size. Since no encryption key is used, an identical output is guaranteed for an identical input. Representative hash functions include MD5 and the SHA family (SHA-1, SHA-2).

MD5 (Message-Digest Algorithm 5) produces a 128-bit hash value with no limit on the length of the input message. MD5 can be used for data integrity verification, which checks whether a program or file is the unmodified original.

SHA (Secure Hash Algorithm) was designed to address the vulnerabilities of MD5. SHA was first designed by the National Security Agency (NSA) in 1993 and was designated as an American national standard. SHA-256, a member of the SHA-2 family, is a standard hash algorithm published by the National Institute of Standards and Technology (NIST). It is widely used for blockchains and is evaluated to be safe.

Why Should Personal Information Be Encrypted?

The term "personal information controller" means a public institution, legal person, organization, individual, etc. that processes personal information directly or indirectly in order to operate personal information files as part of its activities.

Personal information controllers must take security measures so that the personal information of others they use is stored safely and not divulged, exposed, or forged. The Personal Information Protection Act and the Credit Information Use and Protection Act stipulate personal information controllers' obligations concerning personal information encryption as follows.

Article 24 of the Personal Information Protection Act
(3) Where a personal information controller processes personally identifiable information pursuant to paragraph (1), the personal information controller shall take measures necessary to ensure safety, including encryption, as prescribed by Presidential Decree, so that the personally identifiable information may not be lost, stolen, divulged, forged, altered, or damaged.

Article 28-4 of the Personal Information Protection Act
(1) When processing pseudonymized information, a personal information controller shall take such technical, organizational and physical measures as separately storing and managing additional information needed for restoration to the original state, as may be necessary to ensure safety as prescribed by Presidential Decree, so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.

Article 7 of the Standards for Measures to Secure Safety of Personal Data
(1) A personal data controller shall encrypt and save personally identifiable information, passwords, and biometric information when transmitting and receiving them via a telecommunications network or sending them via external memory.

Article 17 of the Credit Information Use and Protection Act
(4) In providing any personal credit information to an agent in order to outsource the processing of credit information under paragraph (2), a credit information company, etc. shall take measures to protect information by which a particular owner of credit information can be identified, such as encryption, as prescribed by Presidential Decree.

The Personal Information Protection Act and the Credit Information Use and Protection Act define the targets of personal information encryption differently, and the targets are divided according to whether the personal information is being stored or transmitted.

Nowadays personal information is used as significant data in all industries, including big data, IoT, and AI technologies. Individuals and enterprises should pay attention to security when using the personal information of others. In particular, enterprises handling a huge amount of personal information need to encrypt that information.

Source & Reference
KISA Encryption Promotion Website
PIPC and KISA, Personal Information Encryption Guide
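The hash properties described above (fixed output size regardless of input size, identical output for identical input, and use for integrity verification) can be observed directly with Python's standard library. The following is an added example written for this page, not code from the original article or from KISA; the sample "file" contents are constructed, and the constant-time comparison via hmac.compare_digest is a design choice of this example rather than something the text prescribes.

```python
"""Added example: hash-based integrity verification with hashlib."""
import hashlib
import hmac
import secrets

# Constructed sample data: a small configuration "file" stands in for a real
# program or document whose integrity we want to verify (assumption).
ORIGINAL_FILE = b"db-config v1\nencrypt_columns=ssn,phone\n"
TAMPERED_FILE = b"db-config v1\nencrypt_columns=ssn\n"


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data. The length depends only on the algorithm
    (64 hex chars for SHA-256, 40 for SHA-1), never on the input size."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_lengths(algorithm: str) -> set:
    """Hash inputs of very different sizes and collect the digest lengths.
    A fixed-size hash function yields a set with exactly one element."""
    inputs = [b"", b"a", b"x" * 1_000, secrets.token_bytes(50_000)]
    return {len(digest(i, algorithm)) for i in inputs}


def is_deterministic(data: bytes, algorithm: str = "sha256") -> bool:
    """No key is involved, so hashing the same bytes twice must agree."""
    return digest(data, algorithm) == digest(data, algorithm)


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare a freshly computed digest with a published one, using a
    constant-time comparison so the check itself leaks no timing information."""
    return hmac.compare_digest(digest(data, algorithm), expected_hex)


def tamper_detected(original: bytes, tampered: bytes, algorithm: str = "sha256") -> bool:
    """Publish the digest of the original, then check that the original passes
    and a modified copy (here one field removed) fails verification."""
    published = digest(original, algorithm)
    return (verify_integrity(original, published, algorithm)
            and not verify_integrity(tampered, published, algorithm))


if __name__ == "__main__":
    print("SHA-256 digest lengths:", digest_lengths("sha256"))
    print("deterministic:", is_deterministic(ORIGINAL_FILE))
    print("tampering detected:", tamper_detected(ORIGINAL_FILE, TAMPERED_FILE))
```

Because the digest cannot be inverted, publishing it alongside a file reveals nothing about the file's contents while still letting a recipient confirm that not a single byte has changed.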
- 23.08.24
IT·SECURITY
CBPR Certification, the Rules on Personal Information Transfer Between the APEC Member Economies
The Cross Border Privacy Rule, commonly abbreviated as the CBPR, is a certification system that evaluates enterprises' personal information protection systems to allow smooth personal information transfer between the Asia-Pacific Economic Cooperation (APEC) member economies.

In 2011, the APEC established the CBPR in order to protect personal information and guarantee free cross-border data transfers. The difference from the EU's GDPR is that the CBPR establishes a personal information transfer system instead of changing the personal information protection laws or systems of other states.

Currently, nine economies participate in the system: the Republic of Korea, the U.S., Mexico, Japan, Canada, Australia, Singapore, Taiwan, and the Philippines. Korea's joining of the CBPR was approved in 2017. In May 2022, the Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA) jointly introduced the CBPR system for Korean enterprises. As a result, Korean enterprises are now able to obtain CBPR certification without an overseas institution.

Utility of the CBPR System

The CBPR system (a) does not change the legal system of each country, but (b) can be adapted to each legal environment. In addition, the CBPR is (c) based on the voluntary participation of states or enterprises, and (d) its purpose is to encourage the utilization of personal information.

CBPR-certified enterprises can improve their corporate image in terms of personal information protection by promoting their outstanding personal information protection systems. When they select overseas affiliates or subcontractors or expand their business abroad, they can save the time and costs required for complying with the personal information regulations of the target countries. Through this certification system, Korean companies will be able to earn international trust and strengthen their global competitiveness.

In particular, Japan and Singapore allow overseas data transfer by CBPR-certified enterprises without a separate contract. Therefore, Korean enterprises running businesses in those two countries can transfer the personal information of local customers to Korea more conveniently.

Data subjects can judge whether an enterprise has a proper level of personal information protection through its CBPR certification. In addition, they can easily exercise their rights as data subjects and request damage remedies.

Being certified under the CBPR system does not mean that the obligation to obtain consent to data collection required by local laws is reduced or exempted. The relevant details are stipulated in Article 28-8 (Cross-Border Transfer of Personal Information) of the Personal Information Protection Act.

Article 28-8 (Cross-Border Transfer of Personal Information)
(2) The personal information controller may transfer personal information abroad if falling under any of the following subparagraphs:
1. Where consent to overseas information transfer is obtained from a data subject;
2. Where special provisions about overseas information transfer exist in other laws, treaties, or other international agreements signed by the Republic of Korea;
5. Where personal information is transferred to a state or an international organization whose personal information protection system is considered by the Personal Information Protection Commission to be on par with the personal information protection level stipulated in the Act.

CBPR Application Targets

- Enterprises to which the Personal Information Protection Act of the Republic of Korea applies
- Enterprises transferring personal information to other countries, including the Asia-Pacific region, or receiving personal information from abroad for processing
- Enterprises that need an enterprise-wide personal information protection system applicable to their subsidiaries, affiliates, etc. located in the Asia-Pacific region
- Enterprises that want recognition for establishing a personal information protection system complying with the global standards of the APEC privacy protection principles

Requirements for CBPR Certification

The APEC has developed the APEC Privacy Framework (APF) and established a personal information transfer principle and system for reliable trade between its member economies. The APF contains nine principles, including Notice and Collection Limitation.

| APEC Privacy Framework | Description | Requirements for CBPR Certification (50 Clauses) |
| --- | --- | --- |
| Notice | Notice should be provided "either before or at the time" of collection of personal information, or may be provided "as soon after as" is practicable. | Personal information protection policy notice items, notice methods, etc. |
| Collection Limitation | Personal information should be relevant to the purposes of collection, and any such information should be obtained by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned. | Personal information collection methods, collection minimization, lawful collection, etc. |
| Uses of Personal Information | Personal information collected should be used only to fulfill the purposes of collection and other compatible or related purposes. | Use of personal information only for the intended purposes, provision of information to third parties, etc. |
| Choice | Where appropriate, data subjects should be provided with the right of choice in relation to the collection, use, and disclosure of their personal information. | How to provide data subjects with the right of choice in relation to the collection, use, and disclosure of their personal information |
| Integrity of Personal Information | Personal information should be accurate, complete, and kept up to date. | Correction to maintain the accuracy and completeness of records and keep them up to date, notification to outsourcees, etc. |
| Security Safeguards | Safeguards taken should be proportional to the likelihood and severity of the harm threatened and the sensitivity of the information. *No specific safeguard standards | Safeguards proportional to the sensitivity of the personal information and the likelihood and severity of the harm threatened, safeguard assessment, etc. |
| Access and Correction | Personal information can be accessed or corrected upon the request of data subjects. The request may be denied where the burden or expense of doing so would be unreasonable or the information should not be disclosed in order to protect confidential commercial information. | Procedures, etc. for data subjects' requests for access, correction, and deletion |
| Accountability | When personal information is to be transferred, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to examine the information protection level of the organization (individual) receiving the information. | Designation of responsible personnel, procedures for handling complaints and damage remedies, management and supervision of outsourcees and third parties, etc. |
| Preventing Harm | Remedial measures should be proportionate to the likelihood and severity of the harm threatened. | (The content about "Preventing Harm" is contained in other principles, including Accountability.) |

CBPR Application Cases

As of July 2022, among the APEC member economies subject to the CBPR, 39 American enterprises, six Singaporean enterprises, and three Japanese enterprises were certified under the CBPR system. The U.S. has the greatest number of certified enterprises, including digital technology-based and global enterprises such as Apple, HP, and IBM.

Source & Reference
Personal Information Protection International Cooperation Center
Press Release of the PIPC, PIPC Launches the APEC CBPR System
KIEP Preliminary Data 21-12, The Trend and Implications of APEC CBPR Operation
- 23.08.24
SOLUTION
Access Control, A Way to Protect Important Data
Continuous Personal Information Divulgence and Exposure Incidents

- Seoul National University Hospital has more personal information divulgence cases (Asia Today, Jul. 13, 2022)
- The online shopping mall 'Brandi', responsible for 6,390,000 cases of personal information breach, subject to an administrative fine of KRW 380 M (The Korea Economic Daily, Jul. 13, 2022)
- Hana Tour, responsible for the personal data divulgence of 460,000 customers, faces a fine of KRW 10 M (Seoul Economic Daily, Jul. 21, 2022)

The titles above are news articles about personal information divulgence incidents that occurred within the past month. Personal information divulgence and exposure incidents seem to be reported on a regular basis. Would you give your information to an enterprise that has experienced a data breach?

The minimum measures to be taken by personal information controllers are stipulated, as shown below, in the Standards for Technical and Managerial Measures for Personal Information Protection and the Standards for Securing the Safety of Personal Information.

Standards for Technical and Managerial Measures for Personal Information Protection, Article 4
(1) The information and communication service provider shall only grant access permission to personal data handling systems to the privacy officer or personal data controller for providing services.

Standards for Securing the Safety of Personal Information, Article 6
(1) A personal data controller shall take measures including the following functions to prevent unlawful access and infringement through a telecommunication network:
1. Restriction of unauthorized access by limiting access permission to personal data handling systems via internet protocol (IP) address; and
2. Detection of and response against attempts for unlawful exposure of personal data by analyzing IP addresses accessing a personal data handling system.

Personal information and data security are of growing importance in line with the amendments to the three data acts in 2020, the adoption of the EU GDPR adequacy decision on the Republic of Korea in 2021, and the implementation of MyData in 2022. Since the information technology general control (ITGC) audit of the internal accounting management system, a corporate IT audit, was expanded so that the security and control activities of IT operation systems are subject to audit, companies should formulate an IT security plan.

What is Access Control?

How can enterprises protect their data from a variety of threats such as hacking and security incidents? One of the most representative ways is data access control.

Access control allows or refuses persons' or processes' access to systems or files for reading, writing, execution, etc. As the need for access control over corporate data grows, the corporate DB security market for database access control solutions is expanding.

According to the "2021 Survey on Domestic Information Protection Industry" published by the Korea Internet & Security Agency (KISA), the sales of the domestic information protection industry in 2020 grew by 6.4% year on year because of the expanded non-face-to-face environment, telecommuting, etc. during the COVID-19 pandemic, and demand for access control solutions increased accordingly.

SINSIWAY's Access Control Solution, PETRA

SINSIWAY's database access control solution PETRA allows only authorized persons, such as personal information handlers, to access data, in order to prevent data divulgence and damage. It supports Gateway, Sniffing, Agent, and Hybrid deployment for an optimized configuration in a diversity of environments. Its self-developed DBMS facilitates swift rule processing.

In addition to access control functions by segmented user type, including ID-, IP-, and access-tool-based access control, role-based access control, and SQL-based control, it provides a variety of data protection functions such as a convenient UI, real-time monitoring, report publication, auditing, and SQL masking.

PETRA takes care of the DB security of numerous enterprises and institutions, including public organizations and financial institutions. Its performance and stability have been proven through CC certification, GS certification, and nine patents. You can protect your company's DB safely with our access control solution PETRA, which is optimized for DB security and management. Visit our website (https://www.sinsiway.com) for further details or inquiries.
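Article 6 above names two concrete measures: restricting access to a personal data handling system by source IP address, and analyzing the IP addresses that do access it. The following added example, written for this page and not part of PETRA or any SINSIWAY product, shows the smallest working form of both: an allowlist check using Python's ipaddress module and a review of a constructed access log that flags requests from outside the allowlist and counts accesses per source address. The networks, user names, table names and log lines are all constructed.

```python
"""Added example: IP-based access restriction and access-log review for a
personal data handling system (constructed data, not from the article)."""
import ipaddress
from collections import Counter

# Assumption: networks from which personal information handlers may reach the
# database (constructed values from documentation ranges).
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),   # internal DBA workstations
    ipaddress.ip_network("192.0.2.17/32"),  # privacy officer's fixed host
]

# Constructed access log: timestamp user source_ip action table
ACCESS_LOG = """\
2022-07-13T09:01:02 dba01 10.20.0.15 SELECT customers
2022-07-13T09:03:10 dba01 10.20.0.15 SELECT orders
2022-07-13T09:05:44 web_app 203.0.113.9 SELECT customers
2022-07-13T09:05:45 web_app 203.0.113.9 SELECT customers
2022-07-13T09:05:46 web_app 203.0.113.9 SELECT customers
2022-07-13T11:20:00 privacy_officer 192.0.2.17 UPDATE customers
2022-07-13T23:59:59 dba02 198.51.100.77 SELECT customers
"""


def is_allowed(source_ip: str) -> bool:
    """Article 6 item 1: permit a connection only from an allowlisted network.
    A malformed address is treated as not allowed rather than raising."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)


def parse_log(text: str) -> list:
    """Turn the whitespace-separated log lines into dicts, skipping lines
    that do not have exactly the five expected fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, ip, action, table = parts
        records.append({"ts": ts, "user": user, "ip": ip,
                        "action": action, "table": table})
    return records


def find_unauthorized(records: list) -> list:
    """Records whose source address is outside the allowlist; in a live
    system these would be refused, in a review they are the first to examine."""
    return [r for r in records if not is_allowed(r["ip"])]


def access_counts_by_ip(records: list) -> Counter:
    """Article 6 item 2: the simplest analysis of accessing IP addresses is
    counting how often each one touches the system."""
    return Counter(r["ip"] for r in records)


def review(text: str) -> dict:
    """Summarize a log: total records, the distinct unauthorized source
    addresses, and the address with the most accesses."""
    records = parse_log(text)
    unauthorized = find_unauthorized(records)
    counts = access_counts_by_ip(records)
    return {
        "total": len(records),
        "unauthorized_ips": sorted({r["ip"] for r in unauthorized}),
        "busiest_ip": counts.most_common(1)[0][0] if counts else None,
    }


if __name__ == "__main__":
    for key, value in review(ACCESS_LOG).items():
        print(f"{key}: {value}")
```

In the constructed log the application server at 203.0.113.9 is both the busiest source and outside the allowlist, which is exactly the combination a reviewer wants surfaced: either the allowlist is incomplete and must be corrected deliberately, or a system that should never read the customers table is doing so.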
- 23.08.24
IT·SECURITY
What is the Difference Between Personal Information Divulgence and Exposure?
"Personal information divulgence" and "personal information exposure" are often seen in newspaper headlines. The words divulgence and exposure seem similar, but they are two different concepts.

What is Personal Information Divulgence?

Personal information divulgence refers to a situation in which a legal person, organization, individual, etc. operating personal information under the relevant statutes loses control over that personal information, or in which unauthorized parties gain access to it. Personal information divulgence, as defined in the Personal Information Protection Act, is subject to criminal penalties.

Under the Personal Information Protection Act, any of the following circumstances is considered personal information divulgence.
1. Where any written documents, portable storage devices, portable computers, etc. containing personal information are lost or stolen;
2. Where a person with no proper authority to access personal information processing systems, such as a database, accesses such a system;
3. Where any files, paper documents, or other storage media containing personal information are wrongly delivered to an unauthorized person due to the wrongful intent or negligence of a personal information controller;
4. Where personal information is delivered to any unauthorized person.

One recent personal information divulgence incident is the BALAAN case of March 16, 2022. An unauthorized person accessed the personal information of members of the luxury brand online shopping mall BALAAN in an abnormal way, and customers' personal information such as e-mail addresses, telephone numbers, and dates of birth was divulged. BALAAN said that it introduced an additional intrusion prevention system and conducted 24-hour monitoring to minimize secondary damage. However, additional hacking damage occurred in April, one month after the initial incident, revealing security vulnerabilities.

Other customer information divulgence incidents include the Jeju Air passengers' payment information (Mar. 2021), the personal information of Seoul National University Hospital's patients and employees (Jul. 2021), and the personal information of Millie's members (Jun. 2022).

What is Personal Information Exposure?

Personal information exposure refers to a situation in which personal information leaks out and is disclosed by hackers, etc. Sometimes personal information is exposed because of a data subject's mistake rather than the wrongful intent of a third party. Unlike personal information divulgence, personal information exposure is not legally defined and is not subject to criminal penalties.

As one personal information exposure case, the personal information of around 310,000 Coupang members was exposed in October 2021. In the Coupang app, other members' names and addresses were exposed at the product order confirmation step for one hour. Coupang said that the incident occurred during app improvement work and that all necessary security measures were taken.

Personal Information Divulgence and Exposure Increased During the COVID-19 Pandemic

As online activities increased after 2022, when the COVID-19 pandemic began, data and personal information divulgence and exposure incidents have continuously occurred both at home and abroad. According to the "2021 Survey on Personal Information Protection" jointly published by the Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA), 44.3% of Koreans experienced a personal data breach within one year. According to the Cost of a Data Breach Report 2021, published by IBM Security to analyze data breaches in 500 enterprises and organizations worldwide, the average loss from a data breach incident was approximately KRW 4.9 billion. In particular, the damage from ransomware attacks was around KRW 5.3 billion, greater than that from other types of hacking. Cyber incidents were found not to be handled properly because the level of security for telecommuting and cloud migration, which increased during the COVID-19 pandemic, was not yet high enough.

What is the Solution for Enterprises?

Personal information divulgence and exposure incidents occur regardless of the size of the enterprise, whether large or middle-standing. To protect significant data and information, enterprises need proper measures such as information encryption and access control that admits only authorized users. SINSIWAY's access control solution PETRA lets you establish an effective corporate security system through functions including integrated audit log management, central security policy management, audit logging, and separation of authority by security manager. In addition, the encryption solution PETRA CIPHER protects important information by encrypting data and files based on its certified encryption module and duplicate encryption prevention technology. Through access control and encryption solutions, enterprises can prevent data divulgence and exposure incidents and protect corporate data and customers' personal information. Taking prior action to protect significant data is important, but follow-up action such as notification and proper remedies should be conducted proactively as well.

Source & Reference
Personal Information Protection Act
Personal Information Protection Commission
- 23.08.24
IT·SECURITY
Personal Information and Public Data Can Now Be Freely Transferred From the EU to a Non-EU Country
#Korean Company A, which has a branch office in Europe, runs a Korean merchandise shopping agency targeting European consumers. Since it had difficulties analyzing the consumer information required for selecting desirable products, it requested an analysis from its head office in Korea. However, the Standard Contractual Clauses (SCC) had to be used to transfer European consumer information to Korea. As infringements of local law are subject to administrative fines of up to 4% of total sales, the company felt the burden in terms of time and costs.

Five years after the EU GDPR adequacy process for the Republic of Korea was launched in January 2017, the Republic of Korea was certified under the system. As a result, enterprises like Company A can now obtain European consumer information easily.

On December 17, 2021 at 6 PM (KST), the adequacy decision for the Republic of Korea was adopted under the General Data Protection Regulation (GDPR) of the European Union (EU). This means that the EU acknowledges that Korea's personal information protection policy is on a par with the GDPR. As a result, Korean enterprises have a status equivalent to that of the EU member states. Companies are now exempt from previously complicated procedures such as the SCC, and they can transfer EU citizens' personal information to Korea without additional certification or procedures.

The General Data Protection Regulation (GDPR), the personal information protection act of the EU that took effect on May 25, 2018, applies to all enterprises running business targeting the EU. By adding provisions on the designation of a data protection officer (DPO), impact assessment, etc., it strengthened companies' responsibilities. It also strengthened data subjects' rights by adding or reinforcing the right to restriction of processing, the right to data portability, the right to erasure, and the right to object to profiling. In all the member states, infringements of the personal data protection provisions are subject to administrative fines of up to 4% of total worldwide annual turnover; personal data is protected through such strict penalty provisions.

The GDPR adequacy decision is a program that certifies whether a non-EU state's personal information protection system is on par with that of the EU. States are designated after an evaluation of whether the country has a level of personal data protection similar to the EU's. Certified states can transfer EU citizens' personal data as freely as the EU member states do.

Although the GDPR adequacy review of the Republic of Korea began in January 2017, the consultation was suspended twice because of noncompliance with the "independence of a supervisory authority on personal data," one of the requirements. After the Personal Information Protection Commission (PIPC) was expanded and launched as an independent supervisory authority through last year's amendments to the three data acts, discussion resumed and the consultation progressed rapidly. The Republic of Korea and the EU held over 60 meetings, including video conferences, over the past five years for an in-depth review of the Korean government agencies' duties and relevant acts such as the Personal Information Protection Act. As a result, it was confirmed that the personal data protection system of the Republic of Korea is on par with the EU's GDPR. The European Data Protection Board (EDPB) noted the excellence of Korea's legal systems, highly regarding the Korean government's efforts to narrow the differences between the Korean and EU legal systems through the Personal Information Protection Commission's notifications, establishment, and revisions. Korea's adequacy decision was unanimously approved at the comitology of the European Commission.

EU Adequacy Decision Procedure

The European Commission conducts three phases: initial decision, opinion collection, and final decision.

Phase 1 (initial decision), European Commission (Administrative Body)
- Officialize the adoption of the initial decision (Mar. 30)
- Publish a draft of the written decision (Jun. 16)

Phase 2 (opinion collection)
- Adopt the opinion of the European Data Protection Board (EDPB) (Sep. 24)

Phase 3 (final decision)
- Approval by the EU member states (Nov. 30)
- Resolution at the general meeting of the European Commission (adequacy decision taking effect on Dec. 17)

*A statement (opinion on modifications and improvements) can also be published by the European Parliament (Committee on Civil Liberties, Justice and Home Affairs (LIBE)).

"The adequacy decision was made on the basis of the Republic of Korea's and the EU's common will to uphold high standards of information protection and Korea's excellent personal information protection systems," said Yoon Jong-in, chairperson of the PIPC, and Didier Reynders, European Commissioner for Justice. An official from the PIPC said, "It shows that strengthened personal information protection can contribute to revitalizing international trade. We will reinforce cooperation between the Republic of Korea and the EU in the digital area by improving the Korea-EU Free Trade Agreement (FTA)."

Korean enterprises running business in the EU member states previously had to examine the GDPR and local acts thoroughly and conclude an SCC through inspection and administrative procedures in order to transfer EU citizens' information to Korea. This process required at least three months and cost between KRW 30 million and KRW 100 million. Furthermore, administrative fines might be imposed on enterprises in case of infringements of the relevant regulations. Small and medium enterprises had to give up expanding their businesses to the EU member states because concluding an SCC was difficult.

By obtaining the GDPR adequacy decision, the Republic of Korea now has a status equivalent to that of the EU member states in transferring personal data abroad and is exempt from the previously complicated procedures. Accordingly, more Korean companies are expected to expand their business to the EU member states. In particular, Korean data analysis companies are predicted to make inroads into the European market. According to a press release of the PIPC, German Company A originally wanted to ask a Korean company to analyze its customers' personal data in order to establish marketing strategies, but had to request only limited research because of the local authority's complicated approval process for personal data transfer. After the adequacy decision, Company A can establish its marketing strategies more smoothly, since it can now transfer data to Korean companies without complicated procedures such as the SCC.

It should be noted that the decision only reduces the burden of duties related to overseas data transfer; business operators' obligations to comply with the GDPR, including on the collection and processing of EU citizens' personal data, remain. The PIPC predicts that the domestic data economy will be further revitalized by strengthened data exchange and cooperation between Korean and EU enterprises. Unlike the adequacy decision on Japan, which was limited to private data transfer, the adequacy decision on the Republic of Korea applies to public data as well, which is expected to strengthen cooperation between the Korean and EU governments in the public sector. The PIPC will work on additional international negotiations for the transfer of personal information from non-EU states, selecting the UK as its first target.

Companies subject to the application of the GDPR
- Operate business premises in an EU member state and process personal data
- Provide goods and services to residents of the EU member states
- Monitor the behavior of residents of the EU member states

*GDPR application depends on whether the individuals "reside in the EU member states," not on their "nationality." Therefore, if the personal data of EU nationals is collected or processed in the Republic of Korea, the GDPR does not apply. On the other hand, if Korean nationals' information is collected or processed in any EU member state, they are considered EU residents and the GDPR applies.
*It applies when the EU market is "clearly" targeted. Simple accessibility is not deemed grounds for the application of the GDPR.

Source & Reference
Press release of the PIPC, Korea Passes the Final Adequacy Decision of EU
KISA GDPR Response Support Center
- 23.08.24
IT·SECURITY
Personal Information Protection Act of Major Countries
1. EU
The General Data Protection Regulation (GDPR) is a personal data protection law that applies directly in all EU member states. Its history can be traced to the Data Protection Directive (Directive 95/46/EC), adopted on October 24, 1995. Since a directive must be transposed into national law by each member state, the level of regulation differed between the member states. The DPD consists of 72 recitals and 34 articles across 7 chapters.

In 2012, the EU began discussing a new legal framework that takes the Internet technology environment into account. After four years of discussion, the GDPR (Regulation (EU) 2016/679) was adopted on April 27, 2016; it entered into force on May 24, 2016 and has applied since May 25, 2018.

The GDPR is composed of 11 chapters, 173 recitals, and 99 articles, focusing on the rights of data subjects and the strengthening of corporate responsibilities. It applies not only to enterprises established in the EU but also to enterprises outside the EU that process the personal data of EU residents, for example through e-commerce. Infringements are subject to administrative fines. General infringements may be fined up to EUR 10 million (approx. KRW 12.5 billion) or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Serious infringements may be fined up to EUR 20 million (approx. KRW 25 billion) or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

2. The United States of America
The Privacy Act of 1974 is one of the first national laws regulating the federal government’s processing of personal information. However, the U.S. personal information protection system is largely based on self-regulation. There is no comprehensive act covering both the public and private sectors like the GDPR of the EU or the Personal Information Protection Act of the Republic of Korea. Federal law instead consists of sector-specific personal information protection laws for the public sector, finance, communications, education, medical care, video surveillance, employee information, and so on, and each state has its own privacy laws.

Federal law thus takes a sectoral approach, divided into the public and private sectors. In the public sector, the Privacy Act of 1974, which governs personal information held by federal agencies, acts as the general law. In the private sector, individual laws are enacted whenever the need arises in a particular field such as finance or ICT. The Federal Trade Commission (FTC), under the Federal Trade Commission Act (enacted in 1914), investigates matters of public interest, prevents monopolies, and protects consumers (including their personal information), playing a role comparable to that of the Korea Consumer Agency, the Korea Fair Trade Commission, and the Consumer Dispute Mediation Commission.

The U.S. relies on private enforcement such as damage compensation suits filed by victims and class actions, whereas the Republic of Korea focuses on public enforcement such as penalty surcharges and criminal penalties. If a large number of consumers are harmed by a specific incident in the U.S., a class action is filed to compensate for the damage. In addition, the FTC enforces the laws, publishes research and reports, hosts educational programs and workshops, testifies before Congress, submits opinions on legislation, and takes part in international cooperation (the EU-US Privacy Shield and the APEC CBPR).

Like federal law, the states of the U.S. do not have general or comprehensive laws such as the GDPR of the EU or the Personal Information Protection Act of the Republic of Korea; individual personal information acts have instead been enacted field by field. California adopted the California Consumer Privacy Act of 2018 (CCPA) on June 28, 2018. This act, which stipulates consumers’ personal information protection rights and business operators’ duties to protect personal information, took effect in January 2020. It can be deemed America’s first general law for the private sector, distinct from the preexisting sectoral regulatory regime. However, since the act protects only residents of California, it differs from the Personal Information Protection Act of the Republic of Korea and the GDPR of the EU, which also apply outside their own territories.

3. Germany
Germany amends and enforces its data protection laws at both the federal and state (Land) level on the basis of the GDPR. The newly amended Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) fills in the opening clauses, which each EU member state may specify according to its own situation, in line with the application of the GDPR. The new BDSG took effect on May 25, 2018, the day the GDPR became applicable, and the data protection acts of the individual states are being amended on the basis of the GDPR and the new BDSG.

The BDSG is the central law of Germany’s personal data protection legal system. It consists of 4 parts, 19 chapters, 2 sub-chapters, and 85 sections. Part 1 contains common provisions; Part 2 contains implementing provisions for the GDPR; Part 3 contains implementing provisions for Directive (EU) 2016/680 (data protection in criminal proceedings); and Part 4 contains special provisions for the processing of personal data outside the scope of the GDPR and Directive (EU) 2016/680.

The BDSG does not override the GDPR where the GDPR applies directly. The BDSG takes precedence only in the areas that the GDPR’s opening clauses delegate to the member states, including the specific rules for employment relationships, the designation of a Data Protection Officer (DPO), exceptions to the purpose limitation principle, Germany’s legal bases for processing sensitive personal data, and exceptions related to data protection impact assessments.

4. Japan
As privacy breach issues such as the leakage of personal information held by enterprises and the illegal sale and distribution of personal information were raised, public interest in and anxiety about personal information processing grew. To prevent infringements of individuals’ rights and interests, the Act on the Protection of Personal Information (APPI) was enacted in May 2003 and took full effect in April 2005.

As the information society environment changed, the permissible scope of the free utilization of personal information, the scope of personal information subject to protection, and the principles to be observed by business operators became unclear. Consequently, there was a growing need for a system that could reassure consumers by clarifying what is protected and on which principles. Japan extensively amended the APPI and promulgated the amendment on September 9, 2015 in order both to protect personal information and to accelerate the development of new industries. Individual provisions, including the establishment of Japan’s Personal Information Protection Commission, took effect in stages from January 2016, and the amendments went fully into effect on May 30, 2017.

On June 5, 2020, the National Diet of Japan passed partial amendments to the APPI in order to substantiate the protection of data subjects’ rights, strengthen the Commission’s power to supervise domestic and overseas business operators, and promote the use of data throughout Japan’s economy and society. The amendments take effect in the first half of 2022. The major amendments include:
- strengthening data subjects’ rights regarding the handling of their personal data;
- strengthening control over, and transparency in, the provision of personal data to third parties;
- strengthening the obligations of businesses handling personal data in the event of leakage of personal data;
- promoting the autonomous activities of businesses handling personal data;
- expanding and promoting the safe use of personal data;
- strengthening the penalty provisions for violations of the APPI; and
- extraterritorial application of the APPI and strengthening of the regulations on overseas transfers.

On January 23, 2019, Japan became the first country to receive an adequacy decision under the GDPR, with the European Commission acknowledging that Japan’s personal information protection system provides protection equivalent to that of the GDPR. On March 30, 2021, the Republic of Korea passed the first (initial) phase of the European Commission’s adequacy decision procedure.

5. Singapore
In Singapore, personal data protection is governed by the Personal Data Protection Act (PDPA) and the Info-communications Media Development Authority Act. Details are stipulated in the relevant provisions, exemption orders, and subsidiary legislation.

Under the PDPA, personal data means data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access. In other words, all information about an individual is personal data, whether true or not and regardless of its form, electronic or otherwise. Unlike the Personal Information Protection Act (PIPA) of the Republic of Korea, the PDPA defines an “individual” as a natural person, whether living or deceased; although the personal data of deceased individuals is included, only a limited set of the PDPA’s provisions applies to it.

It is also worth noting that the PDPA does not apply to the collection, use, or disclosure of personal data by:
- an individual acting in a personal or domestic capacity;
- an employee acting in the course of employment with an organisation;
- public agencies; or
- organisations acting on behalf of a public agency.

6. Canada
Canada does not have a framework act on personal information protection that applies to both the public and private sectors; instead, separate acts apply to the two sectors. The Privacy Act applies to the public sector. In the private sector, the statutes governing the collection, use, and disclosure of personal information are the Personal Information Protection and Electronic Documents Act (PIPEDA), Alberta’s Personal Information Protection Act (PIPA Alberta), British Columbia’s Personal Information Protection Act (PIPA BC), and Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (Quebec Privacy Act), collectively called the Canadian Privacy Statutes.

The PIPEDA governs the collection, use, disclosure, and management of personal information in interprovincial and international commerce. It applies to all organizations that collect, use, and disclose personal information in the course of commercial activities in each province. Where a province has enacted its own substantially similar act in this field, that act applies instead and the PIPEDA is set aside; in other words, provincial acts are recognized as special laws relative to the federal act. Besides Alberta, British Columbia, and Quebec, this includes Ontario, New Brunswick, and Newfoundland and Labrador, whose substantially similar laws cover personal health information.

In Canada, personal information is defined as information about an identifiable individual. However, it does not include the name, title, business address, or business telephone number of an employee of an organization. The PIPEDA separately defines personal health information. Personal health information, with respect to an individual, whether living or deceased, means: (a) information concerning the physical or mental health of the individual; (b) information concerning any health service provided to the individual; (c) information concerning the donation by the individual of any body part or any bodily substance of the individual, or information derived from the testing or examination of a body part or bodily substance of the individual; (d) information that is collected in the course of providing health services to the individual; or (e) information that is collected incidentally to the provision of health services to the individual.

Source & Reference
- KISA GDPR Response Support Center (https://gdpr.kisa.or.kr)
- Personal Information Protection International Cooperation Center under the Personal Information Protection Commission (https://www.privacy.go.kr/pic)
- KISA 2021 Key Issue Prospect Report, Major Content and Implications of the Amended Act on the Protection of Personal Information of Japan (Yi Chang-beom, Guest Professor, Dongguk University Graduate School of International Affairs & Information Security)
- 23.08.24