July 7 Information and Communications Network Act
Overview
The 'July 7 Information and Communications Network Act' refers to the major amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (abbreviated as the Information and Communications Network Act), which took effect on July 7, 2024. This revision was designed to strengthen personal information protection in response to changes in the digital environment, expand the responsibilities of information and communications service providers, and more effectively guarantee user rights. It particularly focuses on the safe processing of personal information, enhanced notification obligations in case of leaks, and improved transparency of user consent procedures.
Key Contents
1. Strengthened Personal Information Protection
- Improved Consent Methods: When collecting and using users' personal information, information and communications service providers must clearly distinguish and display mandatory consent and optional consent. Refusing optional consent should not restrict service use, and the consent withdrawal procedure has been simplified.
- Restrictions on Processing Sensitive Information: Sensitive information (e.g., health, political opinions, biometric data) is原则上 prohibited from collection, and can only be processed exceptionally based on legal grounds or with explicit user consent.
- Record Keeping of Consent for Personal Information Processing: The time, content, and method of obtaining consent must be retained for at least three years, and can be extended up to five years if necessary for dispute resolution.
2. Expanded Responsibilities of Information and Communications Service Providers
- Strengthened Notification Obligations for Leaks: In the event of a personal information leak, the provider must notify users of the leak details, items, and measures taken without delay (within 24 hours). They must also immediately report to the Korea Internet & Security Agency (KISA), and the penalty for violation has been raised to up to 300 million won.
- Technical and Administrative Protection Measures: Providers must strengthen technical measures such as encryption, access control, and log management, and are required to conduct regular vulnerability assessments and personal information impact assessments.
- Appointment of Personal Information Protection Officer: Businesses above a certain size must mandatorily appoint a personal information protection officer who meets qualification requirements (specific experience or certifications).
3. Strengthened User Rights
- Simplified Exercise of Data Subject Rights: Users can request access, correction, deletion, or suspension of processing of their personal information, and providers must take action within 10 days. The request process has been improved to allow online submissions.
- Right to Object to Automated Decisions: When automated systems (e.g., AI) process personal information to make decisions affecting users (e.g., credit evaluation, targeted advertising), users have the right to request an explanation and object to such decisions.
- Right to Data Portability: Users can request the transfer of their personal information to another service provider, and the provider must support this within technically feasible limits.
4. Increased Penalties and Sanctions
- Increased Penalty Surcharges: The maximum penalty surcharge for personal information leaks has been raised from 500 million won to 1 billion won, and fines for violations have also been strengthened.
- Punitive Damages: Providers that leak personal information intentionally or through gross negligence may be liable for damages up to three times the actual loss.
- Criminal Penalties: Those who illegally collect, use, or provide personal information to third parties may face imprisonment of up to five years or a fine of up to 50 million won.
5. Special Provisions and Exceptions
- Support for Small Businesses: Some obligations (e.g., appointment of a personal information protection officer) are eased for small businesses with annual revenue under 1 billion won, and support for technical measures is provided.
- Application to Public Institutions: Public institutions are also subject to this Act, but certain provisions may be exempted when necessary for national security or public safety.
Latest Trends
Since its enforcement on July 7, 2024, the revision of the Information and Communications Network Act has brought significant changes to the domestic digital ecosystem. Key trends include:
- Enhanced Corporate Response: Both large and small-to-medium enterprises are restructuring their personal information protection systems. In particular, AI-based service companies are introducing algorithmic transparency reports to comply with the obligation to explain automated decisions.
- Regulatory Agency Activities: The Personal Information Protection Commission has been conducting full-scale inspections since the second half of 2024, imposing penalty surcharges and corrective orders for violations. As of January 2025, approximately 30 companies have been sanctioned.
- International Harmonization: Provisions on the right to data portability and rights regarding automated decisions have been strengthened to align with the EU GDPR, positively impacting global data transfer negotiations.
- Changes in User Awareness: As user interest in personal information protection has increased, the transparency of consent procedures and convenience of exercising rights have improved. According to a survey in early 2025, over 70% of users responded that their control over personal information processing has been strengthened.
- Conflict with Technological Advances: Due to advances in AI and big data analytics, discussions on de-identification and re-identification risks of personal information are active. Additional amendments to clarify the standards for de-identified information are expected in 2025.
Related Topics
- [[Personal Information Protection Act]]
- [[EU GDPR]]
- [[Enforcement Decree of the Information and Communications Network Act]]
- [[Personal Information Protection Commission]]
- [[AI Regulation Act]]
---
AI-generated document · Improved by the community