Investigation in Korea over whether Starbucks Korea violated their Chief Privacy Officer's right to carry out duties or imposed undue influence

Sep 21 Blog

What was the issue? 

An investigation is being launched in Korea over whether a Chief Privacy Officer's lawful right to autonomy and freedom in carrying out their duties under s31 of Korea's PIPA was violated. This is the first potential violation of s31 of PIPA to be investigated, and the outcome could serve as a landmark for improved authority and legal protection for CPOs.

What happened? 

Korea’s Personal Information Protection Commission (PIPC) is launching an investigation into whether Starbucks Korea’s internal disciplinary action against its Chief Privacy Officer (CPO) violated s31 of the Personal Information Protection Act (PIPA). The issue arose from an internal harassment claim filed against the CPO after the CPO had submitted an official report recommending improvements to the company’s privacy protection measures; Starbucks Korea then temporarily suspended the CPO. The CPO objected to the company, saying the suspension impeded him from carrying out his duties as CPO.

s31 of PIPA states that when carrying out their duties relating to privacy protection, the CPO must not be impeded or unfairly disadvantaged in any way. This is the first investigation in Korea dealing with a violation of s31 of PIPA relating to the protection of a CPO in carrying out their duties. The decision will likely have a significant impact in assuring the CPO’s independence and authority, which is critical because of the conflicts of interest a CPO may have with other departments within a company.


Are Privacy Officers protected in other countries? 

In Europe, the GDPR specifically gives authority to the 'Data Protection Officer' (DPO) in Article 38. The DPO must be involved in all relevant matters, be provided necessary resources and access, and be guaranteed autonomy of action, reporting only to the highest management level of the controller of the data. In particular, the DPO cannot be instructed to reach a particular conclusion regarding a privacy complaint, and they must be given job security - they cannot be dismissed or penalized by the controller or processor for carrying out their duties as a DPO.

Moreover, European regulators have a history of fining companies under the GDPR for violating the autonomy and independence of a DPO. In 2020, Belgium's Data Protection Authority fined a company $54k because the person appointed as DPO did not have sufficient independence from the data controlling process. Luxembourg's CNDP similarly fined an unnamed company 15.4k Euros for failing to ensure its DPOs were guaranteed autonomy, associated with all data protection matters, and able to inform and advise the controller on data protection obligations. The DPOs did not have direct access to management, and there was no formal reporting on the DPOs’ activity (official decision in French here).

What about Canada? 

In Canada, although there are no national laws specifically delineating a Privacy Officer’s rights and authorities, PIPEDA’s Accountability Principle 4.1 in Schedule 1 states that organizations must appoint a Privacy Officer in whom accountability for compliance with privacy laws or principles will reside. Similar requirements exist in BC’s and Alberta’s privacy laws. Additionally, a Chief Privacy Officer is now mandatory for private companies in Quebec via Bill 64. For the effectiveness of the Privacy Officer, Bill 64 further requires support from top management, a clear governance structure defining the scope of the CPO’s role, independence (from policies within the company), and support with resources (financial and human). The OPC (Office of the Privacy Commissioner) has also stated in a 2012 report (Getting Accountability Right with a Privacy Management Program) that there is an obligation to designate a Privacy Officer and that organizations must enable the PO to fulfill their role.

Based on existing laws such as Bill 64 in Quebec, it seems likely that Canada will follow the trend of developing stronger protection and authority for Privacy Officers, enabling them to properly ensure compliance with privacy protection laws.


Written by Simplawfy
