Huntonprivacyblog.com reported on 9 Jan 2020 that according to MLex, a South Korean court has found the Data Protection Officer (DPO) of Hana Tour service guilty of negligence in failing to prevent a 2017 data breach that involved more than 465,000 customers. He was fined 10 millions won (USD 8,500) while the company was fined 327 millions won ($280,000). IAPP and Lexology also picked up this story quoting the same source.
In this fake news era, I wanted to verify the validity of the news from other independent sources but to no avail. If you know, please share with us.
Regardless of whether the news is true or fake, it does raise an interesting but serious question: Are DPO accountable under the data privacy law?
I searched the South Korean PIPA – the Act; the Enforcement Rule; and the Enforcement Decree – but did not find clauses on accountability and penalty on data privacy officer for failure in discharging his duty.
While Singapore’s PDPA makes clear that it is the businesses that is accountable, not the DPO, this is not so in the Philippines. According to Philippines National Privacy Commission’s Advisory No. 2017 – 01 “Designation of Data Protection Officers”, its Accountability clause states that,
“While the responsibility of complying with the DPA, its IRR, issuances by the NPC, and other applicable laws remains with the PIC or PIP, malfeasance, misfeasance, or nonfeasance on the part of the DPO or COP relative to his designated functions may still be a ground for administrative, civil, or criminal liability, in accordance with all applicable laws”.
(note: malfeasance / misfeasance / nonfeasance in simpler English roughly means malpractice / incompetence / failure-to-act).
Professions such as doctors, lawyers, chartered accounts, and chartered engineers are liable for mal/mis/non-feasance. These are professionals and they are governed by professional bodies.
To require the same for DPO would mean we regard DPO as a profession whose responsibility is of similar important in nature to that of doctors, lawyers, or chartered accountants.
In the mean time, maybe DPO (at least in the Philippines) want to consider insuring themselves with liability insurance.
What do you think?