Transfer of Personal Information in a Corporate Structural Change

Abstract

The legal framework of Korean data privacy law is built upon a system of strict application and enforcement of the notice and consent requirement. The emphasis on the data subjects right to self-determine the collection and processing of their personal information has its legal basis on the explicit right provided under the Koran Constitution and is thus an element which is distinguishable from the data privacy schemes of other countries. As such, unlike in the EU or the U.S., where the collection and processing of personal information are generally permitted upon either the finding of the data controllers legitimate interest or the notice of sufficient information to data subjects, the Korean data privacy scheme requires, in principle, the explicit consent of the data subjects with respect to the collection and processing of personal information (including the transfer to or sharing of such information with third parties), except where the consent requirement is specifically exempted under the relevant laws. As illustrated in this paper, such statutory exceptions are the results of the legislative efforts to strike a balance between the data subjects constitutional right to self-determine processing their personal information against the need to facilitate commercial transactions in the rapidly changing business circumstances. One area where such exception is of particular relevance is in relation to the transfer of personal information in connection with corporate structural changes such as corporate mergers, business transfers and other similar corporate transactions, as stipulated under the relevant data privacy laws, namely Article 27 of the PIPA, Article 26 of the IT Network Act, and Article 32 of the Credit Information Act. From a practical standpoint, however, given the inherent limitations of such statutory provisions to provide for each and every instance where the exception may apply, determining the precise scope of the applicability of these exceptions poses certain practical challenges. Specifically, this paper focuses on the data privacy implications associated with corporate mergers, business transfers, asset sales and purchases, and corporate divestitures to arrive at the appropriate scope of applying Article 27 of the PIPA. The analyses contained in this paper reflect an attempt to find a reasonable ground for determining the scope of the applicability of these statutory exceptions to the consent requirement, taking into consideration the legal concepts relating to each of the foregoing types of corporate actions under the Korean Commercial Code and the legislative intent behind the enactment of such statutory exceptions, as well as the interpretations and views held by the relevant regulatory authorities on this subject matter. In recognition of the practical ramifications of applying these statutory exceptions to the consent requirement in the Korean data privacy context, this paper calls for the need for a more flexible application of such statutory exceptions in certain corporate structural changes.