[IT Litigation] Permissible Scope of Personal Information Collection Without Consent, Analysis of the Revised Personal Information Protection Act

Article posted in 2025-04-03 16:23:19 | VEAT

Collecting, using, and storing personal information is a familiar process for all IT companies and online service providers.

For decades, domestic IT companies and online service providers have most fundamentally taken receiving 'consent from the information subject' when collecting personal information. Following the revision of the Information and Communications Network Act in 1999, most companies providing services entirely or partially online have had to obtain consent from the information subject regarding 'personal information collection, use, etc., for personal information processing' in order to provide services to users, and users have been unable to use the services if they refused.

This practice continued even after the enactment of the Personal Information Protection Act in 2011, and it became frequent that service use was impossible without consent for personal information processing even in the public sphere, not just in the private sector. As a result, service providers had to obtain formal consent from information subjects even for information that was essential for providing services. This led to a mistaken perception that 'because I expressly consented to personal information processing, I am at least partially responsible for any problems arising from it.'

1. Essential Consent Practice, Changed in the 2023 Amendment to the Personal Information Protection Act

Due to the Personal Information Protection Act previously requiring consent from the information subject as the most common and essential requirement when collecting personal information, most companies had to obtain explicit consent from users regarding personal information processing for items necessary for service use.

Accordingly, in 2023, the Personal Information Protection Act was amended to provide a legal basis that allows personal information processors to collect and use personal information without obtaining separate consent from the information subject for personal information that is inevitably necessary for fulfilling contracts between parties. This improves the ‘formal essential consent’ practice that has been pointed out as a problem for many years, and marks the beginning of a shift towards a structure where consent is only required in areas where it is truly necessary.

2. Personal Information for Contract Fulfillment Purposes Can Be Processed Without Consent

The current Article 15(1) of the Personal Information Protection Act stipulates six reasons as grounds for personal information processors to collect personal information from information subjects.

According to Article 15(1)(4) of the amended Personal Information Protection Act, consent is exempt for collecting and using personal information when it is necessary for the conclusion and fulfillment of a contract with an information subject. For example, information such as name, email address, and payment information provided by users during the membership registration process when using a service can be considered 'essential' for contract fulfillment, so service providers can collect and use the information without the user's consent.

From September 15, 2024, the implementation of Article 17(1) of the Enforcement Decree of the Personal Information Protection Act will be implemented, introducing more specific and clear practical standards for obtaining consent from information subjects when collecting personal information, so personal information processors must be careful to observe these guidelines.

Items that can be collected without the information subject's consent regarding contracts are limited to the minimum information strictly necessary for contract fulfillment. Also, when collecting personal information without consent, the personal information processor must clearly disclose this in the personal information processing policy, and the disclosure must specify the items collected, purpose, applicable laws, and retention period.

The burden of proof that the collected minimum personal information demonstrates that the collected personal information was truly essential for fulfilling the contract lies with the personal information processor, and IT companies, etc., collecting personal information must be able to prove this themselves, or the personal information processing may be considered illegal due to excessive collection.

3. Principles for Processing Personal Information Not Directly Related to Service Contracts

Personal information that is not essential for providing a service still requires explicit collection and use consent from the information subject.

Notify in easy-to-understand language

Explanations should be provided in a form that information subjects can actually understand, avoiding complex terminology.

Prohibition of using pre-selected consent checkboxes

Whether to consent should be an autonomous choice made by the information subject and should not be coerced or induced.

Separate notification for contract-related information and other information

If a single consent form mixes contract-related items and other items, the information can be processed without consent regarding the contract-related information, and separate consent must be obtained for other items through separate consent.

In addition, sensitive or unique identifying information (e.g., health information, biometric information) requires separate consent unless it is absolutely necessary for providing services, and even in such cases, sufficient explanation must be provided along with consent based on free will.

Also, it is desirable to clearly separate and disclose information collected without consent and information subject to consent in the personal information processing policy so that information subjects can accurately understand how their information is collected and used.

Law Firm Veet, specializing in personal information protection, has provided practical advice tailored to the technical environment and service structure of IT and AI-based digital service companies to effectively respond to changing laws and regulations. In particular, by presenting realistic solutions that consider the balance between personal information protection and business operations, we are helping companies build a reliable personal information processing system and operate services stably.

Law Firm Veet has provided advice on numerous matters, including the design of personal information collection and use structures, drafting and reviewing personal information processing policies that comply with amended laws, distinguishing between essential and optional information related to service contracts, and providing specific guidance on drafting information subject consent forms.

Based on this, we provide solutions to specific issues that companies face in actual service operation stages, and we continuously support customers in various industries such as platform companies, AI startups, and SaaS companies, enabling their services to grow stably under a reliable personal information processing system.

In a situation where personal information protection regulations are becoming increasingly strict, if you want to systematically check and prepare for things that companies may overlook, please contact Law Firm Veet, your personal information protection legal partner.

Thank you.

Law Firm Veet