WorldLII [Home] [Databases] [Search] [Feedback] [Help]

Privacy Law Resources

You are here:  WorldLII >> WorldLII Databases >> PrivLRes >> 2005 >> [2005] PrivLRes 2

[Global Search] [PrivLRes Search] [Help]

Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. (Republic of Korea) - [2005] PrivLRes 2

ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND DATA PROTECTION, ETC.

Amended by Act No. 7812, December 30, 2005

Excerpts for the data protection only

Note: This is an unofficial translation by Prof Whon-Il Park, Asst. Prof. of Law at Kyung Hee University, South Korea

* The provisions in red indicate the recent revision of the Act for the period from January 2004 to December 2005.

CHAPTER I  GENERAL PROVISIONS

Article 1 (Purpose)

The purpose of this Act is to promote the utilization of information and communications networks, to protect the personal information of users utilizing information and communications services, and to build a safe and sound environment for the information and communications networks in order to improve the citizen's lives and enhance the public welfare.

Article 2 (Definitions)

(1) The terms used herein shall be defined as follows:

1. "Information and communications networks" shall mean the information and communications system under which telecommunications facilities and equipment as prescribed in Subparagraph 2 of Article 2 of the Framework Act on Telecommunications are utilized, or the telecommunications facilities and equipment, computers and the technology of using computers are utilized together to collect, process, store, search, transmit and receive information;

2. "Information and communications services" shall mean the telecommunications services as prescribed in Subparagraph 7 of Article 2 of the Framework Act on Telecommunications, and the provision of information or the intermediation of information services utilizing the telecommunications services;

3. "Information and communications service providers" shall mean the operators of telecommunications as prescribed in Article 2 (1) 1 of the Telecommunications Business Act and other persons who provide information or intermediate information services for profit utilizing the services rendered by the telecommunications service providers;

4. "Users" shall mean the persons who utilize the information and communications services rendered by the information and communications service providers;

5. "Electronic message" shall mean the standardized data in the form of document in which information is electronically compiled, sent or received, or stored by equipment, including computers, etc., that are capable of doing information processing;

6. "Personal information" shall mean the information pertaining to any living person, which contains the code, letter, voice, sound and image, etc. that make it possible to identify such individual by his/her name and resident registration number, etc. (including the information which, if not by itself, makes it possible to identify any specific individual if combined with other information);

7. "Incidents" shall mean accidents caused by such attack on information and communications networks or related information systems as hacking, computer viruses, logical bomb, mail bomb, denial of service, high-powered electromagnetic wave, etc.; and

8. "Information security industry" shall mean the industry related with development, production and circulation of information security products, or consulting for data protection, etc.

(2) The definitions provided for herein, except otherwise prescribed in Paragraph (1), shall be subject to the Framework Act on Informatization Promotion.

Article 3 (Duties of Information and Communications Service Providers and Users)

(1) Any information and communications service provider shall protect the personal information of users, and contribute to the protection of the rights and interests of such users and to the enhancement of its information utilization capability by rendering the information and communications services in a safe and sound manner.

(2) Every user shall endeavor to help a sound information society take hold.

(3) The Government may assist the organizations of information and communications service providers and the organizations of users in carrying out their activities designed to protect the personal information and the youth in the information and communications networks.

Article 4 (Policy for Promotion of Information and Communications Networks Utilization and Data Protection, etc.)

(1) The Minister of Information and Communication shall formulate a policy to lay the foundation for building an information society through the promotion of utilization and the secure management and operation of information and communications networks, and the protection of personal information of users (hereinafter referred to as the "promotion of the utilization of information and communications networks and data protection, etc.").

(2) The policy referred to in Paragraph (1) shall contain the matters provided for in the following Subparagraphs:

1. Development and distribution of technologies related to the information and communications networks;

2. Standardization of the information and communications networks;

3. Activation of utilization of the information and communications networks such as the development of information contents and utilization services of the information and communications networks under Article 11;

4. Facilitation of joint utilization of information via information and communications networks;

5. Activation of utilization of the Internet;

6. Protection of personal information collected, processed, stored and utilized via information and communications networks, and development and distribution of related technologies;

7. Protection of the youth in the information and communications networks;

8. Enhancement of safety and reliability of the information and communications networks; and

9. Other matters necessary to promote the utilization of the information and communications networks and data protection, etc.

(3) In formulating the policy referred to in Paragraph (1), the Minister of Information and Communication shall endeavor to coordinate such policy with the basic plan for promoting informatization as prescribed in Article 5 of the Framework Act on Informatization Promotion.

Article 5 (Relation with Other Acts)

The promotion of utilization of information and communications networks and data protection, etc. shall be governed by this Act except as specially provided for in other acts.

CHAPTER II  PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION 

Articles 6-17 Omitted.

CHAPTER III  UTILIZATION OF ELECTRONIC MESSAGES VIA RELAYER

Articles 18-21 Omitted.

CHAPTER IV  PROTECTION OF PERSONAL INFORMATION

Section 1  Collection of Personal Information

Article 22 (Collection of Personal Information)

(1) Any information and communications service provider shall, when it intends to gather user's personal information, obtain his/her consent thereof; provided, however, that the same shall not apply to the case provided for in the following Subparagraphs:

1. Where it is necessary to perform the contract for the utilization of information and communications services;

2. Where it is necessary to calculate the fees for the provision of information and communications services; and

3. Where special provisions exist in this Act or other acts.

(2) Any information and communications service provider, when it intends to obtain the consent referred to in Paragraph (1), shall in advance notify the user of the matters provided for in the following Subparagraphs or specify such matters in general terms for the utilization of the information and communications services:

1. The name, department, position, telephone number, and other contact points of a person in charge of data protection;

2. The objective of collecting and utilizing the personal information;

3. Identification of a third party, the objective of providing the personal information and contents of thereof in case of onward transfer thereof to the third party;

4. The right of the user and his/her legal representative under Articles 30 (1) and (2), and 31 (2), and the exercising method of such right;

5. Matters related with the installation, operation and its denial of automatic devices collecting personal information including the Internet access files;

6. Items of personal information which information and communications service providers intend to collect; and

7. The possession and utilization period of personal information collected.

Article 23 (Restrictions on Collecting Personal Information)

(1) No information and communications service provider shall collect the personal information, including ideology, belief and medical record, etc., which is likely to excessively infringe upon the right, interest and privacy of the relevant user; provided, however, that the same shall not apply where the consent of the user is obtained or the subject of collecting personal information is specified in other acts.

(2) Any information and communications service provider shall, when it collects the personal information of users, collect the minimum information necessary to render the information and communications services. It shall not refuse the relevant services on the grounds that the user does not provide any other personal information than the necessary minimum information.

Section 2  Utilization and Provision of Personal Information

Article 24 (Utilization and Provision of Personal Information)

(1) No information and communications service provider, with the exception of the consent of the user or the case provided for in the following Subparagraphs, shall utilize the personal information or provide it to any third party beyond the scope of the notification as prescribed in Article 22 (2) or the scope specified in general terms for the utilization of the information and communications services:

1. Where it is necessary to calculate the fees for the provision of the information and communications services;

2. Where the personal information is provided subject to processing so that any specific individual may be unidentifiable if such information is necessary to compile statistics, make academic research or conduct a market survey; and

3. Where special provisions exist in other acts.

(2) Any person who receives the personal information of users from the information and communications service providers, with the exception of the consent of such users or the existence of special provisions of other acts, shall not use the personal information for other purpose than the purpose for which such information is provided, or provide such information to a third party.

(3) The information and communications service providers, etc. (referring to the information and communications service provider and other person who received the personal information therefrom; hereinafter the same shall apply) shall minimize the number of persons in charge of personal information of users.

(4) Any person who handles or handled the personal information of users shall not damage, infringe upon or leak such information of users that he/she has learned while conducting his/her job.

Article 25 (Entrusting of Personal Information Collection, etc.)

(1) The information and communications service providers, etc. shall, if they entrust the work of collecting, handling, managing the personal information of users to other person, inform the fact in advance of the users.

(2) The information and communications service providers, etc. shall manage and supervise the person who has been entrusted the work of collecting, handling, managing the personal information (hereinafter referred to as the "trustee") under Paragraph (1) to observe the provisions in this Chapter.

(3) The trustee, who caused damage to the users regarding the work entrusted under Paragraph (1) in violation of the provisions in this Chapter, shall be deemed an employee of the information and communications service providers, etc. only with respect to compensation for such damage.

Article 26 (Notice on Business Transfer, etc.)

(1) In the event that an information and communications service providers, etc. transfer their business in whole or in part, or their rights and duties due to a merger or inheritance, etc., they shall notify the users of the matters provided for in the following Subparagraphs under the conditions as prescribed by the Presidential Decree:

1. The facts of the transfer of business in whole or in part and the merger or inheritance, etc.; and

2. The name (referring to the company name in case of a corporation; hereafter the same shall apply in this Article), address, telephone number and other contact points of a person who succeeds to the rights and duties of the information and communications service providers, etc.

(2) Any person who acquires by transfer the whole or part of business of the information and communications service providers, etc. or succeeds to the rights and duties of the information and communications service providers, etc. subject to a merger or inheritance, etc. (hereinafter referred to as the "business transferee") shall notify the users of the matters provided for in the following Subparagraphs under the conditions as prescribed by the Presidential Decree:

1. The fact of succeeding to the rights and duties of the information and communications service providers, etc. and the name of the relevant information and communications service providers, etc.;

2. The name, department, position, telephone number, and other contact points of a person in charge of data protection;

3. The objective of utilizing the personal information;

4. The right of users as prescribed in Article 30 (1) and (2), and the exercising method of such right; and

5. Other matters, prescribed by the Presidential Decree, which are necessary for data protection.

Article 27 (Designation of Person in Charge of Data Protection)

(1) The information and communications service providers, etc. shall designate the person in charge data protection to protect the personal information of users and deal with complaints of users related with the personal information.

(2) Qualification requirements for the person in charge of data protection and other matters necessary to designate the person shall be prescribed by the Ordinance of the Ministry of Information and Communication.

Article 28 (Data Protection Measures)

In dealing with the personal information of users, the information and communications service providers, etc. shall take technical and managerial measures necessary to secure the safety of the personal information lest the information should be lost, stolen, leaked out, changed or damaged.

Article 29 (Destruction of Personal Information)

When the information and communication service providers, etc. attain the objective of collecting or receiving the personal information, they shall promptly destroy the relevant information; provided, however, that the same shall not apply where other acts and regulations require the preservation of such information.

Section 3  User's Right

Article 30 (User's Right, etc.)

(1) Every user may at any time withdraw his/her consent given to the information and communications service providers, etc. under the main sentence of Article 22 (1), the proviso of Article 23 (1), and the main sentence of Article 24 (1).

(2) Every user may ask the access to his/her personal information or the specification of use or onward transfer thereof of the information and communications service providers, etc. and if his/her personal information is found to be erroneous, he/she may request the correction thereof.

(3) In the event that any user withdraws his/her consent under Paragraph (1), the information and communications service providers, etc. shall promptly take necessary measures, i.e., destroying his/her personal information collected.

(4) The information and communications service providers, etc. shall, upon receiving a request for the access to, specification or correction of, personal information under Paragraph (2), take necessary measures without delay.

(5) The information and communications service providers, etc. shall not, upon receiving a request for the correction of erroneous personal information under Paragraph (2), provide or utilize the relevant personal information until the correction thereof.

(6) The information and communications service providers, etc. shall, upon being notified of the withdrawal of the consent or receiving a request for the access to, or correction of, personal information under Paragraphs (1) and (2), take necessary measures to deal with the withdrawal of consent and the request in an easier way than that of collecting the personal information under Articles 22 and 23.

(7) The provisions of Paragraphs (1) through (6) shall apply mutatis mutandis to the business transferee, etc. In this case, the information and communications service providers, etc. shall be deemed the business transferee, etc.

Article 31 (Legal Representative's Right)

(1) Any information and communications service provider shall, when it intends to collect the personal information from any child of age below 14 under Article 22, or to utilize the personal information or transfer such information to any third party under Article 24 (1), obtain a consent thereof from his/her legal representative. In this case, the information and communications service provider may demand from the child the necessary minimum information, including the name, etc. of the legal representative, so as to obtain his/her consent.

(2) The legal representative may withdraw his/her consent given under the first sentence of Paragraph (1), and request the access to, or correction of, the personal information provided by the child.

(3) The provisions of Article 30 (3) through (5) shall apply mutatis mutandis to the withdrawal of consent, and the request for the access to, or the correction of, the personal information by the legal representative under Paragraph (2).

Article 32 (Damages)

If a user suffers any damage caused by the violation of the provisions in this Chapter on part of the information and communications service providers, etc., such user may claim for the damages against the information and communications service providers, etc. In this case, the information and communications service providers, etc. may not be released from the damages if they fail to prove non-existence of their intention or negligence.

Section 4  Personal Information Dispute Mediation Committee

Article 33 (Establishment and Composition of Personal Information Dispute Mediation Committee)

(1) The Personal Information Dispute Mediation Committee (hereinafter referred to as the "Dispute Mediation Committee") shall be established to mediate any dispute over personal information.

(2) The Dispute Mediation Committee shall consist of not more than 15 members, including one chairman, and one of the members shall be standing.

(3) The members shall be appointed or commissioned by the Minister of Information and Communication from among the persons provided for in the following Subparagraphs under the provisions as prescribed by the Presidential Decree. In this case, not less than one person provided for in the following Subparagraphs shall be included in the members:

1. Persons who presently serve or have served in universities as associate professors or higher positions, or in publicly recognized research institutes as senior researchers, and have specialties in a field related with data protection;

2. Public officials of Grade IV or higher positions, or persons who presently work or have worked in public institutions as executives, and have experiences in dealing with the affairs on data protection;

3. Persons who holds the qualification of judges, prosecutors, or attorneys-at-law;

4. Persons who presently work or have worked as senior officers for the organizations of the users of information and communications services;

5. The persons who presently work or have worked as senior officers for the information and communications service providers or the organizations of the information and communications service providers; and

6. Persons recommended by non-profit non-governmental organizations established pursuant to Article 2 of the Act for Assistance of Non-profit Non-governmental Organizations.

(4) The term of office for the members shall be three years and they may be reappointed or recommissioned.

(5) The chairman shall be appointed by the Minister of Information and Communication from among the members. ‘

(6) A secretariat shall be established in the Korea Information Security Agency ("KISA" under Articles 46-2, 47, 47-2, 48-2, 48-3 and 49-2) established pursuant to Article 52 to support the Dispute Mediation Committee's affairs.

Article 33-2 (Petit Panel)

(1) In order to conduct efficiently the dispute settlement, the Dispute Mediation Committee shall establish a petit panel which is composed of five or less Committee members, and one of the members shall be an attorney-at-law.

(2) The Dispute Mediation Committee may, when it deems necessary, delegate a part of dispute mediation to the petit panel under Paragraph (1).

(3) The necessary matters with regard to the composition and operation of the petit panel under Paragraph (1) shall be prescribed by the Ordinance of the Ministry of Information and Communication.

Article 34 (Guarantee of Members' Status)

None of the members shall be dismissed or discharged against his/her will except when he/she is sentenced to the suspension of qualification or a heavier punishment, or unable to perform his/her duties due to mental or physical incompetence.

Article 35 (Exclusion, Challenge and Refrainment of Member)

(1) Any member provided for in the following Subparagraphs shall be excluded from participating in the deliberation and resolution of a case requested for dispute mediation (hereafter in this Article referred to as the "case"):

1. Where a member, his/her spouse, or his/her former spouse is a party to the case, or a joint right holder or a joint obligator with respect to the case;

2. Where a member is or was in a kinship with the party of the case;

3. Where a member gives any testimony or expert opinion with respect to the case; or

4. Where a member is or was involved in the case as an agent, officer or employee of the party.

(2) Any party may, when he/she finds it difficult to expect a fair deliberation and resolution from the members, file a challenge application with the Dispute Mediation Committee. In this case, the Dispute Mediation Committee shall, when it deems such challenge application appropriate, determine the challenge.

(3) Any member may, when he falls under the case of Paragraph (1) or (2), refrain from the deliberation and resolution of the case.

Article 36 (Mediation of Dispute)

(1) Any person who wants any dispute over the personal information mediated may apply for mediation of such dispute to the Dispute Mediation Committee.

(2) The Dispute Mediation Committee shall, upon receiving an application for mediation of a dispute under Paragraph (1), examine the case and prepare a draft mediation within 60 days from the date of receiving such application; provided, however, that if there are unavoidable circumstances, the Dispute Mediation Committee may resolve to extend such period.

(3) In the event that the period is extended under the proviso of Paragraph (2), the applicant shall be notified of reasons for extending the period and other matters concerning the extension of such period.

Article 37 (Request for Materials)

(1) The Dispute Mediation Committee may ask parties involved in a dispute to provide materials necessary to mediate the dispute. In this case, the relevant parties shall comply with the request unless the justifiable grounds exist that make it impossible for them to do so.

(2) The Dispute Mediation Committee may, when it is deemed necessary, get parties involved in a dispute or relevant witnesses to appear before the Dispute Mediation Committee to hear their opinions.

Article 38 (Effect of Mediation)

(1) The Dispute Mediation Committee shall, when it prepares a draft mediation in accordance with Article 36 (2), present without any delay such draft mediation to each of the parties.

(2) Each of the parties presented with the draft mediation under paragraph (1) shall serve a notice on the Dispute Mediation Committee as to whether or not he/she accepts the draft mediation within 15 days from the day of receipt of such draft mediation.

(3) If the parties accept the draft mediation, the Dispute Mediation Committee shall promptly prepare a written mediation, and the chairman and the parties shall subscribe their names thereto and affix their seals thereon.

(4) When the parties accept the draft mediation under Paragraph (3) and the chairman and the parties subscribe their names thereto and affix their seals thereon, an agreement identical to the written mediation between the parties shall be deemed reached.

Article 39 (Rejection and Suspension of Mediation)

(1) The Dispute Mediation Committee may, when it deems that it is inappropriate for it to mediate any dispute in the light of its nature, or that an application for mediation of any dispute is filed for an unfair purpose, reject the relevant mediation. In this case, a notice on the reasons why it rejected the mediation shall be served on the applicant.

(2) In the event that any of the parties files a lawsuit during the course of examining a medication case applied, the Dispute Mediation Committee shall suspend the dispute and serve a notice thereon on the parties.

Article 40 (Procedures for Mediation, etc.)

With the exception of what is prescribed in Articles 36 through 39, necessary matters concerning the method of and procedures for mediating any dispute, and dealing with such dispute mediation, etc. shall be prescribed by the Presidential Decree.

CHAPTER V  PROTECTION OF THE YOUTH IN INFORMATION AND COMMUNICATIONS NETWORK, ETC.

Article 41 (Establishing Protective Measures, etc. for the Youth)

(1) The Minister of Information and Communication shall take measures provided for in the following Subparagraphs to protect the youth from harmful information, including lascivious sex and violence information (hereinafter referred to "harmful information to the youth"), distributed via information and communications networks:

1. Developing and distributing content screening softwares;

2. Developing and distributing technologies to protect the youth;

3. Educating and publicizing to protect the youth; and

4. Other matters prescribed by the Presidential Decree to protect the youth.

(2) In implementing the measures referred to in Paragraph (1), the Minister of Information and Communication may support activities carried out by the Information and Communications Ethics Committee established pursuant to Article 53-2 of the Telecommunications Business Act, the organization of the information and communications service providers, the organization of the users of information and communications services and other specialized institutions to protect the youth.

Article 42 (Labeling of Media Materials Harmful to the Youth)

Any person who intends to provide media materials described in Subparagragraph 4 of Article 7 of the Youth Protection Act, which are prescribed as harmful to the youth in accordance with Subparagraph 3 of Article 2 of the same Act, from among the providers of information accessible to the public utilizing the telecommunications services rendered by a telecommunications business operator (hereinafter referred to as the "information providers") shall get the relevant information labeled as harmful to the youth in the labeling method prescribed by the Presidential Decree.

Article 42-2 (Prohibition of Advertizing Media Materials Harmful to the Youth)

Nobody shall transmit to the youth as prescribed in Subparagraph 1 of Article 2 of the Youth Protection Act, or exhibit publicly without any measure off-limits to the youth the information to advertize the media materials described in Subparagragraph 4 of Article 7 of the same Act, which are prescribed as harmful to the youth in accordance with Subparagraph 3 of Article 2 of the same Act, in the form of code, letter, voice, sound and image, etc. via information and communications networks.

Article 42-3 (Designation of Officer in Charge of Protection of the Youth)

(1) Any information and communications service provider, whose daily page viewers, average sales, etc. exceed the criteria as prescribed by the Presidential Decree, shall designate the officer in charge of protection of the youth to protect the youth from the harmful information to the youth in the information and communications networks.

(2) The officer in charge of protection of the youth shall be designated from among the executives of relevant businesses or the heads of departments dealing with operations related with protection of the youth.

(3) The officer in charge of protection of the youth shall carry out the duties to protect the youth including the blockade and management of the harmful information to the youth in the information and communications networks, the formulation of plans to protect the youth from the harmful information to the youth and so forth.

(4) Necessary matters concerning the designation of the officer in charge of protection of the youth in accordance with Paragraph (1) shall be prescribed by the Presidential Decree.

Article 43 (Obligation of Provider of Visual or Sound Information to Keep in Custody)

(1) A provider prescribed by the Presidential Decree from among the information providers who run the business of providing the media materials as described in Subparagraph 4 of Article 7 of the Youth Protection Act, which are prescribed as harmful to the youth under Subparagragraph 3 of Article 2 of the same Act, in a manner of not storing or recording them in the computers of users, shall keep the relevant information in custody.

(2) The period for which the information providers referred to in Paragraph (1) keep the relevant information in custody shall be fixed by the Presidential Decree.

Article 44 (Request for Deleting Information)

(1) Any person whose legal interest is infringed on by the information which is provided for the public via information and communications networks may request the information and communications service provider handling the relevant information to delete such information or run his/her refutation in such information.

(2) The information and communications service provider shall, upon receiving the request for deleting the relevant information, etc., take necessary measures without delay and promptly serve a notice thereon on the requester.

CHAPTER VI  SECURING SAFETY, ETC. OF INFORMATION AND COMMUNICATIONS NETWORKS

Articles 45 - 48-4 Omitted.

Article 49 (Protection of Secrets, etc.)

Any person shall be prohibited from damaging the information of other persons or from infringing, stealing or leaking the secrets of other persons, which are processed, stored or transmitted via information and communications networks.

Article 49-2 (Prohibition of Collection of Personal Information by Means of Deceitful Activities)

(1) Nobody shall collect, or entice other person to provide with, the personal information of other person by means of deceitful activities in the information and communications networks.

(2) Any information and communications service provider shall report to the Minister of Information and Communication or the Korea Information Security Agency immediately upon finding out the violation of Paragraph (1).

(3) The Minister of Information and Communication or the Korea Information Security Agency shall, upon receiving the report pursuant to Paragraph (2) or finding out the violation of Paragraph (1), take necessary measures provided for in the following Subparagraphs:

1. Collecting and disseminating the violation of Paragraph (1);

2. Forecasting or warning of similar violations; and

3. Emergency measures to prevent further violations including requests for blocking the access paths to the information and communications service providers.

Article 50 (Restrictions on Transmitting Advertisement Information Made for Profit)

(1) Nobody shall transmit advertisement information made for profit against the addressee's explicit refusal of such information by means of e-mail or other media as prescribed by the Presidential Decree.

(2) Anybody, who intends to transmit via e-mail or facsimile any advertisement information made for profit, shall obtain the prior consent of the relevant addressee; provided, however, that the same shall not apply to the case provided for in the following Subparagraphs:

1. Where somebody, who collects directly from the addressees the contact points through transactions of goods and services, intends to transmit the advertisement information made for profit to publicize such goods and services provided by himself; and

2. Where the advertisement under Paragraph (1) of Article 13 of the Act for the Consumer Protection in Electronic Commerce, Etc., and the telephone solicitation under Paragraph (3) of Article 6 of the Act Regarding Visiting Sales, Etc. take place.

(3) Anybody, that intends to transmit any advertisement information made for profit to the telephone or facsimile of the addressee during the hours from 9:00 p.m. to 8:00 a.m. the next day, shall obtain the separate prior consent of the relevant addressee in spite of Paragraph (2).

(4) Anybody, that transmits advertisement information made for profit by means of e-mail or other media as prescribed by the Presidential Decree shall indicate the matters provided for in the following Subparagraphs in such a manner as prescribed by the Presidential Decree:

1. The types and contents of transmitted information;

2. The name and contact points of the sender;

3. The sources where the sender collected the e-mail addresses only in case of transmitting e-mails; and

4. Other matters regarding the process and means to easily indicate the refusal of unsolicited messages.

(5) Anybody, that transmits advertisement information made for profit to the telephone or facsimile of the addressee shall indicate explicitly the matters provided for in the following Subparagraphs in such advertisement information in such a manner as prescribed by the Presidential Decree:

1. The name and contact points of the sender; and

2. Other matters regarding the process and means to easily indicate the withdrawal of previous consent to such messages.

(6) Anybody, that transmits advertisement for profit, shall not take any technological measure provided for in the following Subparagraphs:

1. Measures to avoid and hinder the refusal or withdrawal of consent of the addressee of advertisement information;

2. Measures to automatically generate the contact points of addressee i.e., by combining numbers, codes or letters into new telephone numbers or e-mail addresses;

3. Measures to automatically register e-mail addresses in order to transmit advertisement information made for profit; or

4. Measures to conceal the identity of the sender of advertisement information or the source of advertisement transmission.

(7) Anybody, that transmits advertisement information for profit, shall take necessary measures in such a manner as prescribed by the Presidential Decree lest the addressee should be charged the financial cost incurred when telephoning a message to refuse, or withdraw the consent of, such information.

Article 50-2 (Prohibition of Unauthorized Collection of e-Mail Addresses)

(1) Nobody shall collect e-mail addresses by using automatic programs extracting e-mail addresses from Internet homepages and other technological devices without prior consent of their system operators or administrators.

(2) Nobody shall sell or circulate the e-mail addresses collected in violation of Paragraph (1).

(3) Nobody shall use e-mail addresses if he/she knows such addresses are prohibited from collecting, selling and circulating under Paragraphs (1) and (2).

Article 50-3 (Delegation of Transmission of Advertisement Information Made for Profit)

(1) Anybody, that entrusts other person with a task to transmit advertisement information made for profit, shall control and supervise him/her lest the trustee should violate the provisions of Articles 50 and 50-2.

(2) Anybody, that is entrusted by a person with a task to transmit advertisement information made for profit in accordance to Paragraph (1), shall be deemed an employee of the person in compensating the damage caused by violating the relevant acts related with such task.

Article 50-4 (Restrictions on Information Transmission Services)

(1) The information and communications service providers may take measures to refuse to provide the relevant services in each case of the following Subparagraphs:

1. Where obstacles occur or are expected to occur in providing services owing to transmitting or receiving advertisement information;

2. Where users would not want to receive advertisement information; and

3. Where the services provided by the information and communications service providers pursuant to an end-user agreement are utilized for transmitting illegal advertisement information.

(2) The information and communications service providers, which intend to take measures to refuse pursuant to Paragraph (1), shall include such provisions as how to refuse the relevant services in an end-user agreement with the user of such services.

(3) The information and communications service providers, which intend to take measures to refuse pursuant to Paragraph (1), shall notify such measure to interested parties including the user of such services; provided, however, that the prompt notification is required without delay after taking such measure in case of impossibility of prior notice.

Article 50-5 (Installation of Advertisement Programs for Profit, etc.)

The information and communications service providers, which intend to show up advertisement information made for profit or install the programs to collect personal information in the users' computer or other data processing devices as prescribed by the Presidential Decree, shall obtain the consent of users. In this case, they shall notify the usage of such programs and the method how to delete.

Article 50-6 (Distribution of Softwares to Block the Transmission of Advertisement Programs for Profit)

(1) The Minister of Information and Communication may develop and distribute softwares and computer programs by which the addressee can conveniently block or report the advertisement information made for profit transmitted in violation of Article 50.

(2) The Minister of Information and Communication may provide necessary support to the relevant public institutions, corporations, associations, etc. in order to facilitate the development and distribution of softwares and computer programs to block and report pursuant to Paragraph (1).

(3) Necessary matters for the development and distribution under Paragraph (1) and the support under Paragraph (2) shall be prescribed by the Ordinance of the Ministry of Information and Communication.

Article 50-7 (Restrictions on Posting Advertisement Information Made for Profit)

(1) Nobody shall post any advertisement information made for profit on the Internet homepage contrary to the explicit refusal of its system operator or administrator.

(2) A system operator or administrator of the Internet homepage may take such measures as deleting the advertisement information made for profit which is posted in violation of Paragraph (1).

Article 50-8 (Prohibition of Transmission of Advertisement Information for Illegal Act)

Nobody shall transmit advertisement information regarding goods or services prohibited by this Act or other acts via information and communications networks.

Article 51 (Restrictions on Outflow of Material Information into Foreign Countries)

(1) The Minister of Information and Communication may have every information and communications service provider or every user of information and communications services take measures necessary to prevent material information regarding the domestic industry, economy, science and technology, etc. from being flowed out of Korea into foreign countries via information and communications network.

(2) Necessary matters concerning the scope of the material information referred to in Paragraph (1) and contents of the measures to protect such material information, etc. shall be prescribed by the Presidential Decree.

Article 52 (Korea Information Security Agency)

(1) The Government shall establish the Korea Information Security Agency (hereinafter referred to as "KISA") to implement efficiently the measures necessary for the safe data flow and data protection.

(2) KISA shall be a juristic person.

(3) KISA shall conduct the business provided for in the following Subparagraphs:

1. Survey of and research into policies and systems for data protection;

2. Analysis of negative effects of informatization and research of countermeasures;

3. Publicizing, education and training regarding data protection;

4. Research, development, test and assessment of the data protection system;

5. Support for establishing standards for the function and reliability of the data protection system and standardization thereof;

5-2. Support for safety diagnosis of data protection toward the information and communications service providers, etc.;

6. Development of encryption technologies for data protection;

7. Research into measures necessary to protect personal information, and support of development and distribution of data protection technologies;

8. Support for the operation of the Dispute Mediation Committee and the Reporting Center for Personal Information Infringement;

8-2. Counseling and handling of claims regarding illegally transmitted advertisement;

9. Dealing with the incidents infringing upon information systems and operation of its response system;

9-2. Support of analyzing causes of information system incidents;

10. Management of certificate authority on electronic signatures under Article 25 (1) of the Electronic Signature Act;

11. Other activities incidental to the business of Subparagraphs 1 through 10; and

12. Other tasks prescribed by this Act and other acts and regulations to be conducted by KISA, or entrusted by the Minister of Information and Communication.

(4) The Government may make contributions to cover expenses necessary for the operation of KISA.

(5) The provisions regulating the incorporated foundation in the Civil Act shall apply mutatis mutandis to the matters not prescribed by this Act with respect to KISA.

(6) Other person than KISA shall not use the name of the Korea Information Security Agency.

(7) Necessary matters concerning the operation and business of KISA shall be prescribed by the Presidential Decree.

CHAPTER VII  INTERNATIONAL COOPERATION

Article 53 (International Cooperation)

In carrying out the business provided for in the following Subparagragraphs, the Government shall cooperate with other nations or international organizations:

1.  Deleted.

2. Cross-border transfer of personal information and data protection;

3. Protection of the youth in the information and communications networks;

4. Prevention of the incidents threatening the safety of information and communications networks; and

5. Other activities to ensure safe and sound utilization of information and communications services.

Article 54 (Restrictions on International Contracts on Personal Information)

(1) The information and communications service providers, etc. shall not enter into any international contract of which contents violate the provisions of this Act with respect to the personal information of users.

(2) The information and communications service providers, etc. shall obtain the consent of users when they intend to transfer the personal information of such users to abroad.

(3) The information and communications service providers, etc. shall notify in advance the items including the purpose of transfer of personal information as prescribed in the Ordinance of the Ministry of Information and Communication when they intent to obtain the consent pursuant to Paragraph (2)

(4) The information and communications service providers, etc. shall take the protective measures as prescribed by the Ordinance of the Ministry of Information and Communication when they transfer the personal information to abroad subject to the consent pursuant to Paragraph (2).

CHAPTER VIII  SUPPLEMENTARY PROVISIONS

Article 55 (Submission of Materials, etc.)

(1) The Minister of Information and Communication may request the information and communications service providers, etc. (in this Article, including any person falling under a case where the provisions of Article 58 apply mutatis mutandis) to submit related goods and documents, etc., if it is necessary to enforce this Act.

(2) The Minister of Information and Communication may request the information and communications service providers, etc. to have access to, or submit, data with respect to the name, address, residence registration number, duration of use, etc. in order to take the measures provided for in the following Subparagraphs:

1. Corrective measures in accordance with Paragraph (4);

2. Imposition of fine for negligence in accordance with Article 67; and

3. Other measures amounting to the above-mentioned Subparagraphs.

(3) When the information and communications service providers, etc. fail to submit materials under Paragraphs (1) and (2), or they are deemed to have violated the provisions of this Act, the Minister of Information and Communication may have the officials of the Ministry enter the business place of the information and communications service providers, etc. to inspect their current business operations and check books or documents, etc.

(4) The Minister of Information and Communication may order that the information and communications service providers, etc. in violation of this Act should take necessary corrective measures.

(5) When the Ministry officials conduct the inspection pursuant to Paragraph (3), the Minister of Information and Communication shall notify the relevant information and communications service providers, etc. of the inspection plan including the inspection date, reasons, particulars to be inspected at least seven days before the scheduled inspection date; provided, however, that the same does not apply in case of emergency or when it deems such prior notification inappropriate to attain the inspection purpose because of probable destruction of evidences.

(6) The officials, who conduct the inspection pursuant to Paragraph (3), shall carry certificates showing their authority, produce them to persons concerned, and deliver the document containing officials' names, inspection hours, purposes, etc.

(7) The Minister of Information and Communication may ask the head of KISA for technical advices and other necessary support for the purpose of request of materials and inspection under Paragraphs (1) through (4).

Article 56 (Delegation and Entrustment of Authority)

(1) The Minister of Information and Communication may delegate its authority under this Act, in whole or in part, to the heads of agencies under its supervision as prescribed by the Presidential Decree.

(2) Omitted.

(3) The Minister of Information and Communication may entrust the request and inspection pursuant to Paragraphs (1) and (2) of Article 55 to KISA as prescribed by the Presidential Decree.

(4) The provisions of Paragraph (6) of Article 55 shall apply mutatis mutandis to the employees of KISA in accordance with Paragraph (3).

Article 57 (Confidentiality, etc.)

Any person who is or was engaged in the business provided for in the following Subparagraphs shall not leak secrets he/she has learned while performing his/her duties to any other person or use such secrets for other purpose than the purpose of duties; provided, however, that the same shall not apply where other acts specifically otherwise provide for:

1. Mediating any dispute conducted by the Dispute Mediation Committee under Article (33);

2. Awarding certification on the data protection and management system under Article 47;

3. Assessing the data protection system under Article 52 (3) 4; and

4. Diagnosis of the data protection safety under Article 46-3.

Article 58 (Application to Other Persons than Information and Communications Service Providers)

(1) The provisions of Articles 22 through 32 shall apply mutatis mutandis where any person prescribed by the Presidential Decree, from among other persons than the information and communications service provider, who provides goods or services, collects, utilizes or provides the personal information of customers of his/her goods or services. In this case, the "information and communications service provider" and the "information and communications service providers, etc." shall be deemed the "providers of goods or services," and the "user" shall be deemed the "customer of goods or services," respectively.

(2) The provisions of Articles 22 through 24 and Articles 26 through 31 shall apply mutatis mutandis to the trustee in accordance with Article 25 (2).

Article 59 Omitted.

Article 59-2 (Establishment of Korea Data Protection Industrial Association)

(1) Any person, who is doing business related with data protection, may establish the Korea Association of Data Protection Industries subject to the authorization of the Minister of Information and Communication to promote the development of data protection industry and to enhance the level of data protection of overall industries.

utilization of information and communications networks and protect information,

(2) The Korea Association of Data Protection Industries shall be a juristic person.

(3) Necessary matters regarding authorization process, operations, supervision, etc. shall be prescribed by the Presidential Decree.

(4) Except as otherwise provided in this Act with respect to the Korea Association of Data Protection Industries, the provisions regulating the incorporated association in the Civil Code shall apply mutatis mutandis to the Association.

Article 60 (Legal Fiction of Officials in Applying Penal Provisions)

Officers and employees of the National Computerization Agency and KISA, who are conducting the job entrusted by the Minister of Information and Communication under Article 56 (2) and (3), shall be deemed officials in the application of Articles 129 through 132 of the Criminal Act.

CHAPTER IX  PENAL PROVISIONS

Article 61 (Penal Provisions)

(1) Any person who has defamed any other person by alleging openly facts through information and communications networks with the purpose of slandering him shall be subject to imprisonment with or without prison labor for not more than 3 years or by a fine not exceeding 20 million won.

(2) Any person who has defamed any other person by alleging openly false facts via information and communications networks with the purpose of slandering him/her shall be subject to imprisonment with prison labor for not more than 7 years or the suspension of disqualification for not more than 10 years, or by a fine not exceeding 50 million won.

(3) The offense described in Paragraphs (1) and (2) shall not be indicted against the will expressed by the victim.

Article 62 (Penal Provisions)

Any person provided for in the following Subparagraphs shall be subject to imprisonment with prison labor for not more than 5 years or by a fine not exceeding 50 million won:

1. A person who has utilized the personal information or provided it to a third party beyond the scope of the notification or the limit specified in general terms of a service contract under Article 22 (2) in violation of Article 24 (1) (including the one to whom the provisons are applied mutatis mutandis in Article 58);

2. A person who has utilized the personal information of users for other purpose than the purpose for which such personal information has been provided, or provided such personal information to any other person in violation of Article 24 (2) (including the one to whom the provisons are applied mutatis mutandis in Article 58);

3. A person who has damaged, infringed or leaked the personal information of users in violation of Article 24 (4) (including the one to whom the provisions are applied mutatis mutandis in Article 58);

4. A person who has transmitted or distributed malicious programs in violation of Article 48 (2);

5. A person who has caused troubles in information and communications networks in violation of Article 48 (3); and

6. A person who has damaged the information of any other person, or infringed, stolen or leaked the secrets of any other person in violation of Article 49.

Article 63 (Penal Provisions)

(1) Any person provided for in the following Subparagraphs shall be subject to imprisonment with prison labor for not more than 3 years or by a fine not exceeding 30 million won:

1. A person who has infiltrated information and communications networks in violation of Article 48 (1); and

2. A person who has leaked the secrets to any other person, which he has learned while performing his/her duties, or utilized such secrets for other purpose than the purpose of his/her duties in violation of Article 57.

3. A person who has collected the personal information of any other person in violation of Article 49-2 (1).

(2) A person provided for in Paragraph (1) 1 who attempted to commit the crime shall be punished.

Article 64 (Penal Provisions)

Any person provided for in the following Subparagraphs shall be subject to imprisonment with prison labor for not more than 2 years or by a fine not exceeding 10 million won:

1. A person who has provided media materials harmful to the youth for profit without indicating the harmful nature in violation of Article 42;

2. A person who has transmitted to the youth, or exhibit publicly without any measure off-limits to the youth the information to advertise the media materials harmful to the youth in violation of Article 42-2; and

4. A person who has enticed other person to provide with personal information in violation of Article 49-2 (1).

Article 65 (Penal Provisions)

(1) Any person provided for in the following Subparagraphs shall be subject to imprisonment with prison labor for not more than 1 year or by a fine not exceeding 10 million won:

1. A person who has put any label on goods, or sold such goods bearing such label or displayed such goods for the purpose of selling them in violation of Article 8 (4);

2. A person who has distributed, sold, rented, or openly displayed lascivious codes, letters, sounds, visuals or films via information and communications networks;

3. A person who has repeatedly sent words, sounds, letters, visuals or films inciting fears and uneasiness to any other person via information and communication networks;

4. A person who has taken technological measures in violation of Article 50 (6);

5. A person who has collected, sold and circulated the e-mail addresses or use them for transmission in violation of Article 50-2; and

6. A person who has transmitted advertisement information in violation of Article 50-8.

(2) The offense described in Paragraph (1) 3 shall not be indicted against the will expressed by the victim.

Article 65-2 Deleted.

Article 66 (Joint Penal Provisions)

If the representative of a corporation, or the agent, manager or other employee of a corporation or an individual violated the provisions of Articles 62 through 64 or 65 (1) or 65-2 with respect to the business of such corporation or individual, not only the actor but also the corporation or individual shall be subject to a fine prescribed in the relevant Article.

Article 67 (Fine for Negligence)

(1) A person who is provided for in the following Subparagraphs and abets other person in the same result shall be subject to a fine for negligence not exceeding 3 million won:

1. A person who has transmitted advertisement information made for profit in violation of Article 50 (1) through (3);

2. A person who has failed to indicate advertisement information or indicated fraudulently in violation of Article 50 (4) or (5);

3. Deleted.

4. A person who has got the addressee charged the financial cost in violation of Article 50 (7);

5. A person who has installed the programs without obtaining the consent of users in violation of Article 50-5;

6. A person who has posted advertisement information made for profit on the Internet homepage in violation of Article 50-7 (1).

(2) A person provided for in the following Subparagraphs shall be subject to a fine for negligence not exceeding 1 million won:

1. A person who has failed to keep electronic messages in custody in violation of Article 20 (2);

2. A person who has made public electronic messages in violation of Article 21;

3. A person who has collected the personal information in violation of Article 22 (1) (including the one to whom the provisions are applied mutatis mutandis in Article 58);

4. A person who has failed to notify users or specify required matters in general terms of a service contract in violation of Article 22 (2) (including the one to whom the provisions are applied mutatis mutandis in Article 58);

5. A person who has collected the personal information or refused to provide the services in violation of Article 23 (2) (including the one to whom the provisions are applied mutatis mutandis in Article 58);

6. A person who has failed to inform the users of the fact of entrustment in violation of Article 25 (1) (including the one to whom the provisions are applied mutatis mutandis in Article 58);

7. A person who has failed to notify in violation of Article 26 (including the one to whom the provisions are applied mutatis mutandis in Article 58);

8. A person who has failed to designate a person in charge of data protection in violation of Article 27 (1) (including the one to whom the provisions are applied mutatis mutandis in Article 58);

8-2. A person who has failed to take technological and managerial measures in violation of Article 28;

9. A person who has failed to destroy the personal information in violation of the main sentence of Article 29 (including the one to whom the provisions are applied mutatis mutandis in Article 58);

10. A person who has failed to take necessary measures or utilized the personal information without correcting an error thereof in violation of Article 30 (3) through (6) (including the one to whom the provisions are applied mutatis mutandis in Articles 30 (7), 31 (3), and 58);

11. A person who has collected the personal information of children in violation of Article 31 (1) (including the one to whom the provisions are applied mutatis mutandis in Article 58);

11-2. A person who has failed to designated the officer in charge of protection of the youth in violation of Article 42-3 (1);

12. A person who has failed to keep information in custody in violation of Article 43;

13. A person who has failed to insure the information and communications facilities in violation of Article 46 (2);

13-2 through 13-8. Omitted.

14 through 15-5. Deleted.

16. A person who has violated the provisions of Article 52 (6);

17. A person who has failed to submit related goods and documents, etc. under Article 55 (1) or submitted false goods and documents, etc.;

18. A person who has denied the access to data and request of data production under Article 55 (2);

19. A person who has rejected, obstructed or dodged the entry and inspection under Article 55 (3); and

20. A person who has failed to execute the order given to take corrective measures under Article 55 (4).

(3) The fine for negligence described in Paragraph (1) or (2) shall be imposed and collected by the Minister of Information and Communication as prescribed by the Presidential Decree.

(4) Any person who is dissatisfied with a fine for negligence imposed in accordance with Paragraph (3) may file an objection with the Minister of Information and Communication within 30 days from the day of notification of such disposition.

(5) If any person who has been subject to a fine for negligence under Paragraph (3) filed an objection under Paragraph (4), the Minister of Information and Communication shall promptly notify the competent court of the fact, and the competent court shall, upon receiving the notification thereof, put the case on trial in accordance with the Non-Contentious Litigation Procedure Act.

(6) If any person fails to file an objection within the period under Paragraph (4) and would not pay the fine for negligence, the fine for negligence in question shall be collected in a manner to dispose the obligor's property on default of the national taxes.

ADDENDA

Article 1 (Enforcement Date)

This Act shall enter into force on July 1, 2001.

Articles 2 - 3 Omitted.

Article 4 (Transitional Measures Regarding Application of Penal Provisions)

The application of the penal provisions to any act committed prior to the enforcement of this Act shall be governed by the previous provisions.

Article 5 Omitted.

Article 6 (Relations to Other Acts and Regulations)

If other acts and regulations cite the former Act on the Promotion, etc. of Utilization of Information System or the provisions thereof at the time of enforcement of this Act and if there exist corresponding provisions thereto in this Act, this Act or the corresponding provisions in this Act shall be regarded as being cited.

ADDENDA

Omitted for the period from December 2001 to December 2003.

ADDENDA

(1) (Enforcement Date)

This Act shall enter into force on the day of promulgation (dated of January 29, 2004); provided, however, that the revised provisions of Articles 28, 45 (4), 46-3, 47-2 (4), 48-4 (6) shall enter into force on the day when 6 months elapse after the promulgation.

(2) (Transitional Measures Regarding Application of Fine for Negligence)

The application of the fine for negligence to any act committed prior to the enforcement of this Act shall be governed by the previous provisions.

ADDENDUM

This Act shall enter into force on the day when 3 months elapse after its promulgation (dated of December 30, 2004).

ADDENDUM

This Act shall enter into force on the day when 3 months elapse after its promulgation (dated of December 30, 2005).


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/other/PrivLRes/2005/2.html