Amendments to the Data Privacy Laws in Korea and Future Concerns


Abstract

On 9 January 2020, the Korean National Assembly passed the amendments to the three major data privacy laws in Korea: the Personal Information Protection Act (PIPA), the Act on the Promotion of Information and Communications Network Utilization and Information Protection, and the Credit Information Use and Protection Act. In particular, the Amendments introduced the concept of ‘pseudonymized information’: processed personal information that cannot identify a particular individual without additional information. The revised Personal Information Protection Act stipulates that pseudonymized information can be shared and used for i) statistical purposes, ii) scientific research purposes, and iii) archiving purposes for public interest without the data subject’s consent. Overall, the Amendments focused on constructing a solid legal framework for utilizing data and protecting it at the same time. However, there is still much ambiguity surrounding this revision, particularly because the revised Credit Information Use and Protection Act stipulates the use of pseudonymous data without the data subject’s consent differently from the PIPA. Other concerns regarding privacy infringement and misuse of personal information are still being discussed. After the new laws are implemented this August, two tasks need to be done: (1) reviewing whether the revision is suitable for real-life practice, and (2) finding a middle ground between utilizing and protecting personal information.

 

I. Introduction[1]

Behold, the 4th Industrial Revolution: an era where society is faced with what is called a ‘data-driven economy’. It is no surprise that countries are trying to push strategies that can stimulate data economies. It is already an ongoing movement in the EU, which implemented the General Data Protection Regulation (‘GDPR’, in effect since May 2018). The GDPR is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). The situation is similar in Korea, where people have been demanding a new and effective way to use personal information; hence came forth the amendments on 9 January 2020. This was the very day the Korean National Assembly passed the amendments (collectively, the ‘Amendments’) to three major data privacy laws: the Personal Information Protection Act (‘PIPA’), the Act on the Promotion of Information and Communications Network Utilization and Information Protection (‘Network Act’) and the Credit Information Use and Protection Act (‘Credit Information Act’).

The Amendments largely aim to (1) correct the redundancy in regulatory activities and the confusion among regulated persons caused by overlapping data privacy regulations and multiple supervisory bodies; and (2) construct a ‘data economy’ through the use of ‘pseudonymized data’ and provide a legal basis on which data can be utilized more flexibly.

 

II. Key Changes in the Data Privacy Laws[2]

  1. The PIPA

The main changes to the PIPA are the following: (1) clarified and distinguished important concepts related to personal information, such as ‘personal information’, ‘pseudonymized information’, and ‘anonymized information’; (2) allowed the use of pseudonymized information for statistical purposes, scientific research purposes, and archiving purposes in the public interest; (3) built restrictions on the combination of pseudonymous data, which has to be conducted by a specialized institution designated by the Protection Commission or the head of the related central administrative agency, with necessary matters to be prescribed by Presidential Decree; (4) ordered safety measures in the case of processing pseudonymous data and the prevention of acts identifying a certain individual, with penalties if violated; (5) strengthened the power and status of the Personal Information Protection Commission (hereinafter referred to as the ‘Protection Commission’) by establishing it under the Prime Minister as a central administrative agency that conducts its work independently; (6) deleted statutes related to the protection of personal information in the Network Act, leaving only the distinguishable ones as special statutes.

  2. The Network Act[3]

Some main changes in the Network Act include: (1) deleting all the similar or redundant provisions with the PIPA, (2) transferring some of the deleted provisions as special provisions in the PIPA, (3) keeping provisions that are not directly related to the protection of private information within the Network Act.

  3. The Credit Information Act[4]

The revisions to the Credit Information Act are the following:

(1) Organized and modified provisions similar to or redundant with those from the PIPA

The Credit Information Act has embraced a number of statutes in the PIPA that were related to i) the processing of personal credit information, ii) consigning, distributing, and managing the tasks required, and iii) protecting the owner of the credit information; this was done to provide a better fit for the financial sector and clarify the distinction between the general law and the special laws. The revised law aims to increase the efficiency of the current system for protecting personal information through applying pre-existing statutes in the PIPA that can be related to cases defined in this law.

(2) Introduced the concept of pseudonymized information

The revised law introduced the term ‘pseudonymized information’ (also referred to as ‘pseudonymous data’), which refers to personal credit information that is pseudonymized to prevent others from recognizing the specific individual without the additional information needed to decode the pseudonymization. Furthermore, the revised law allows the use of such pseudonymized information without the owner’s consent for statistical purposes, scientific research purposes (including industrial research), and archiving purposes for public interest. This is expected to accelerate and stimulate big data analysis in the financial sector.

(3) Internalized the system of obtaining consent from data subjects

The revised Credit Information Act allows information users to obtain consent from data subjects by presenting only a summarized version of the notice, and requires full disclosure of the notice when requested by the data subject. It also requires the Financial Services Commission (FSC) to give out a ‘consent grade’ that measures (1) the danger of privacy infringement, (2) the risks and benefits the data subject obtains from giving consent to use their information, and other criteria of the consent forms distributed by financial organizations. Informing data subjects of such grades when obtaining consent will bring more transparency and allow data subjects to better see the effects of their consent.

(4) Introduced a new concept for the right to informational self-determination

The revised law enables individuals to ask financial companies and public organizations to transfer their own personal credit information to other financial organizations. This is called the right to data portability. Individuals also acquire the right to ask for further explanation regarding the profiling of their credit information, and the right to request a re-do, deletion, or addition of the information.

 

III. Future Concerns[5]

In short, the Amendments introduced the concept of ‘pseudonymized information’, which allows personal information, when pseudonymized, to be utilized for purposes different from those for which it was first collected. To balance out the privacy infringement problems that may arise from such use, safety measures and penalties have been put in place to minimize such use.

There is no doubt that the revised laws will provide a foundation for the data economy and accelerate the 4th Industrial Revolution. However, we must investigate the side effects this can bring, particularly in the use of pseudonymous data without the data subject’s consent. Establishing justifiable grounds for using personal information without having obtained the data subject’s consent will be a hard task to achieve.

The following are expected concerns that have arisen from the Amendments:

(1) Regarding the specific range of utilizing pseudonymous data

The revised law allows the use of pseudonymous data without obtaining the data subject’s consent for statistical purposes, scientific research purposes, and archiving purposes for public interest. Although the law specifically requires ‘public interest’ for archiving purposes, it does not for the remaining two. In addition, unlike the PIPA, the Credit Information Act includes industrial use under statistical purposes and includes industrial research under the term ‘research’ specified in the law. This raises the question of how to define and limit the term ‘research’, how to protect personal information, and even how to define personal information. A clear line needs to be drawn to differentiate non-personal data from personal data. Further discussion is needed in order to design the specific presidential decrees regarding the definition and limitation of the term ‘industrial purposes’.

(2) Regarding the misuse of sensitive personal information

Perhaps the most evident concern regarding the new laws is that, even with pseudonymization and anonymization, the data can still be recognized when combined together. Although the revised PIPA newly added biometric recognition information (e.g., fingerprints) and race and ethnicity information under sensitive information, one may argue that such sensitive personal information should be approached differently from other personal information, meaning there should be a separate solution to prevent data leakage and to receive consent from data subjects when such sensitive information is used.

(3) Regarding the transfer of data overseas

Transfer of personal data overseas refers to the concept of transporting personal information physically outside of the country. This therefore includes providing personal information to a foreign third party, including the transfer of personal data overseas to entrust the processing of personal information to the foreign third party. It is still too early to discuss the issue surrounding the transfer of data overseas. Further revision is needed to systematically tackle personal information that has been transferred overseas and the consent system in general.

(4) Achieving balance between utilizing and safely protecting data

When the revision was initially announced, various industries welcomed it with enthusiasm. However, they were soon disappointed to find that the ambiguity within the laws still remained. For example, although the PIPA and the Credit Information Act were classified together as ‘data laws’, the statutes were written differently. While the former did not state ‘industrial research’ and ‘industrial statistics’ in its statutes, the latter did. Because of this difference, whether the definition of ‘scientific research’ and ‘pseudonymous information’ includes industrial research and statistical purposes remains unclear. Due to this ambiguity, confusion is expected when the laws are applied in real-life practice.

Some argue that the conditions required to use personal data without having obtained the data subject’s consent are too strict. To utilize personal data without the data subject’s consent, the revised PIPA requires i) considerable relevance between the purpose for initially collecting data and the purpose for additional processing, ii) predictability based on the circumstances of the collection and processing practices, iii) no invasion of the data subject’s or a third party’s benefits, and iv) pseudonymization (if the purpose for additional processing can be achieved even after pseudonymization). Having to meet all four conditions makes it difficult to apply the laws in real-life practice.

On the other hand, one cannot disregard the infringement issues this revision may bring. Pseudonymization seems to be an effective solution now, but there still remains a possibility that companies may personally use the data for their own profits. Leakage of data will always be a concern, so a balance needs to be found between promoting industrial use of data and protecting data.

 

IV. Conclusion: What is Next?

The term ‘big data’ has been trending for quite a while. Words like artificial intelligence or big data analysis are nothing new in this rapidly evolving society. People are facing a world where data equals profit and power. It is not surprising to find the item you were searching for on Google appear as an advertisement in a different application. Data is used everywhere, whether people recognize it or not. The more companies know about their consumers, the better they can market to consumers to get them to buy their products. The logic is very simple. So, there is no doubt that the Amendments will stimulate industrial growth by providing ways to share and use data more freely. However, this is only the beginning stage of the many discussions that must follow. Once the laws are newly implemented this August, further discussion must address the ambiguity and other concerns surrounding the Amendments, particularly whether privacy infringement issues have been adequately prepared for.

 

 

References

Kang (Yulchon LLC), Chris H., et al. “Korea Introduces Major Amendments To Data Privacy Laws – Privacy – South Korea.” Mondaq, Lus Laboris, 2 March 2020, www.mondaq.com/privacy-protection/898830/korea-introduces-major-amendments-to-data-privacy-laws.

Kim, Seo-An. “Meanings and Tasks of the Three Revised Bills Which Ease Regulation on the Use of Personal Information.” Journal of Convergence Security (KOCOSA), vol. 20, no. 2, 22 June 2020, pp. 59–68.

Lee, Sang Bin. Amendments to the Main Three Data Privacy Laws and Informatization of Local Finance Due to ICT Technology Changes and Challenges to Improve Tax Regulations. Korea Institute of Local Finance, vol. 27, 2020, pp. 52-68 (trans. by writer)

Lee, Yang-bok. “A Study on the Revision Trend of Data 3 Act.” Comparative Law, vol. 27, no. 2, 2020, pp. 423–465.

 

 

[1] Kang (Yulchon LLC), Chris H., et al. “Korea Introduces Major Amendments To Data Privacy Laws – Privacy – South Korea.” Mondaq, Lus Laboris, 2 Mar. 2020, www.mondaq.com/privacy-protection/898830/korea-introduces-major-amendments-to-data-privacy-laws.

[2] Lee, Sang Bin. Amendments to the Main Three Data Privacy Laws and Informatization of Local Finance Due to ICT Technology Changes and Challenges to Improve Tax Regulations. Korea Institute of Local Finance, vol. 49, 2020, pp. 52-68 (trans. by writer)

[3] Kim, Seo-An. “Meanings and Tasks of the Three Revised Bills Which Ease Regulation on the Use of Personal Information.” Journal of Convergence Security (KOCOSA), vol. 20, no. 2, 22 June 2020, pp. 59–68.

[4] Lee, Yang-bok. “A Study on the Revision Trend of Data 3 Act.” Comparative Law, vol. 27, no. 2, 2020, pp. 423–465.

[5] Lee, Yang-bok. “A Study on the Revision Trend of Data 3 Act.” Comparative Law, vol. 27, no. 2, 2020, pp. 423–465.

 

pghgwen@gmail.com

Posted in 2020, Autumn 2020.