Personal Data Protection Laws in South Korea and Opportunities for Improvement
Abstract
This paper analyzes the main differences between Korea’s data protection law and the ‘General Data Protection Regulation’ recently legislated by the European Union. It also reviews the concept of self-determination over personal information and its constitutional grounds. Compared to GDPR, our law could be improved by broadening its geographical coverage, redefining the definition of ‘Personal Data’, and protecting a wider range of rights and powers of the data subject. This paper is meaningful in that it reviews the regulation newly in force since May 2018, rather than the European Union’s privacy protection guideline that was in effect until recently, and proposes solutions for improving Korea’s personal information protection law. However, it also has a limitation, since there is not yet much information on the actual effect of GDPR after its enforcement.
Ⅰ. Introduction
- Background
With the advancement of digital information technology, legal disputes over personal data protection in the public and private sectors occur constantly. In a digital information society, anyone can easily use, process, and transmit large amounts of information, making it harder to protect personal data. An infringement of personal data protection may cause problems such as the use of information against one’s will and the disclosure of personal information one does not wish to reveal. In 2005, the Constitutional Court of South Korea declared the basic right of self-determination over one’s own personal information. This means the subject of the information should be able to decide when, and which, information may be known and used. Nowadays, establishing normative measures to protect this right effectively and efficiently has become an urgent task.
- Constitutional grounds for ‘self-determination right on personal information’
The Constitution of South Korea protects fundamental rights even where they are not explicitly acknowledged by its provisions, stating that ‘The freedom and rights of the people are not neglected for not being defined by the Constitution’ (Article 37). The Constitutional Court recognized the ‘self-determination right on personal information’ as a basic human right that takes into account the status of our highly digitalized society. The court also stated that this right is independent of the general moral rights and the right to pursue happiness, which means that the self-determination right on personal information is as important as the other rights mentioned. The court then acknowledged that the Constitution grants the right to self-determination over one’s personal data and imposes a duty to protect one’s private information from risks that could undermine the foundation of liberal democracy.
Ⅱ. Personal information laws in Korea
Prior to the enactment of the Personal Information Protection Act, personal information protection laws in Korea were divided into one law for the public sector and several laws for the private sector. The former was ‘the Act on the Protection of Personal Information of Public Organization’, while the latter included ‘the Act on Promotion of Information Network Usage and Information Protection’ and ‘the Act on Financial Real Name Transactions and Confidentiality’. Unfortunately, ‘the Act on the Protection of Personal Information of Public Organization’ failed to protect the procedural rights of information subjects in practice, and the laws of the private sector had very limited functions as a general law for the protection of personal information. In order to overcome these problems, ‘the Personal Information Protection Act’ was enacted on March 29, 2011 and came into force on September 30 of the same year. Korea therefore now has an integrated legal system covering both the public and private sectors. The purpose of this law is to protect private information from its collection, leakage, misuse, and abuse in order to promote the rights and interests of the people and to secure the dignity and value of the individual.[1] ‘The Personal Information Protection Act’ consists of 76 articles. The main concepts introduced in this law are ‘personal information’, ‘information subject’, and ‘personal information processor’. First, according to Article 2, ‘personal information’ refers to information about a living person, such as name, address, and registration number, that can identify the person. The third clause of the Article defines ‘information subject’ as a person who can easily be recognized by the information. Lastly, Article 2 defines ‘personal information processor’ as a public entity or an individual who processes personal information directly or indirectly to operate a data file for business purposes.
By and large, this Act stipulates the obligation of information processors to protect personal information and how personal information should be handled.
In addition to ‘the Personal Information Protection Act’, ten articles regarding the protection of personal information have been revised or newly established under the amendment of ‘the Act on Promotion of Information Network Usage and Information Protection’. The main revisions are as follows: Article 23 states that the amount of personal information that may be collected must be limited to the minimum even when the user has consented. Meanwhile, the phrase ‘when necessary for the enhancement of user convenience’ was added to Article 25, which regulates exceptional cases in which personal information may be entrusted to a third party without consent.
Ⅲ. Ways to improve current laws
Replacing the previous Data Protection Directive 95/46/EC, the General Data Protection Regulation (hereinafter referred to as “GDPR”) of the European Union came into effect on May 25, 2018. GDPR is expected to become a standard for international privacy protection legislation beyond Europe, so it is meaningful to compare our Personal Information Protection Act with GDPR in order to point out where improvements can be made.
- Geographical coverage
Chapter 1 of GDPR stipulates the geographical range of the regulation’s application. It confirms that even organizations in non-member countries of the European Union must apply GDPR when processing information related to the offering of goods and services to data subjects residing in the EU. Accordingly, when entering into an international contract with an EU member state, the partner country is required to provide a level of protection of personal information equivalent to that of the EU. In case of violation, the organization is subject to penalties amounting to 2-4% of its total annual sales or 2 billion euros in accordance with Article 83. This penalty rule ensures that personal information from EU countries is protected at the level specified by GDPR even when it is transferred overseas.
Meanwhile, Korea’s Personal Information Protection Act states in Article 5 that the state and local governments shall protect the dignity of the person and the privacy of the individual by preventing the misuse of personal information. This article only requires the government to prepare measures so that the rights of information subjects are not infringed. Even when another country’s level of privacy protection is low, there is no legal basis for demanding a higher level of protection when concluding a contract. Moreover, there is no provision for compensation of damages or for any active involvement of supervisory agencies. This is a crucial weakness of the Act, since legal protection of personal information transferred to other countries cannot be guaranteed.[2]
So far, there have been some cases in Korea in which domestic laws were applied to a third party. In 2014, the Korea Communications Commission issued a decision against Google in the ‘Street View case’, applying domestic laws and penalty rules. In 2016, the High Court of Justice partly applied domestic laws to Google in a case where Google had disclosed personal information of Korean citizens. However, general legal improvements would be more effective than applying the laws to individual cases after they have occurred.[3] In conclusion, our law should be amended as follows: “When processing personal data of Korea in a country other than Korea, while monitoring goods and services, the Personal Information Protection Act shall be applied”. Penalty regulations should also be added so that personal information processors become more conscious and cautious when processing information.
- Definition of ‘Personal Data’
GDPR defines ‘personal data’ in Article 4, as “any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified directly or indirectly by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person”.
Article 2 of the Personal Information Protection Act of Korea likewise states that “personal information is information about a living person, including information that can identify an individual”. In other words, it applies the same standard as GDPR when defining personal data. However, it is questionable whether restricting personal data to information that can identify an individual is the better approach. For effective protection of personal data, personal data should be defined more broadly.[4] Some information may not identify a person today, but may be able to do so later as technology develops. Moreover, under the current definition of personal data, data that does not identify a person but is highly detailed cannot be protected by the data protection act. For example, under our Act, the data subject has the right to be forgotten, which allows the subject to ask for deletion of the data on the internet. Accordingly, one has the right not to be tracked through his or her Internet shopping information. However, since a history of visits to online sites is not counted as personal data, it remains in the online database.
To conclude, personal data should be defined as ‘all data relating to a living person’, considering how quickly science and technology are advancing today and in order to fully protect one’s right to be forgotten.
- Authority and Rights of data subject
GDPR grants the data subject various powers and rights, such as the right to restrict processing, rights regarding automated individual decision-making, and the right to data portability. It would be a meaningful improvement to include these rights in the Personal Information Protection Act of Korea.
Article 18 states as follows: the data subject shall have the right to restrict the processing of information. Where processing has been restricted, such personal data shall only be processed with the data subject’s consent, or for the establishment, exercise or defense of legal claims, or for the protection of the rights of another person, or for reasons of important public interest of the Union or of a Member State.
Article 20 concerns the right to data portability. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used and machine-readable format, and shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. This article shows a major difference between GDPR and the Data Protection Act of Korea, which only emphasizes the passive rights of data subjects. GDPR not only stipulates the right to request protection or deletion of data but also confers the right to freely choose how and where to provide one’s own personal information.[5]
Lastly, Article 22 concerns automated individual decision-making, including profiling. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This ensures the protection of personal data that goes through automated processing methods developed from big data and AI technology. In accordance with this provision, the right to request human intervention, the right of the information subject to express his or her views, and the right to object are guaranteed. In addition, there are safeguarding rules that ensure fairness and transparency in information processing and the use of appropriate processing methods. The safeguards should ensure compliance with data protection requirements and the rights of data subjects regarding processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, such as obtaining effective administrative or judicial redress and claiming compensation, in the Union or in a third country.
Overall, GDPR protects many more rights of information subjects than the Data Protection Act of Korea.[6] The various rights mentioned above all help the owner of the information to make free decisions by explicitly recognizing the authority of the information subject. Legal regulations certainly offer stronger grounds for the protection of individual rights. Therefore, Korea’s personal information protection law must be improved by guaranteeing broader and more diversified rights of information subjects beyond the rights approved by current laws.
References
Intersoft Consulting, General Data Protection Regulation (GDPR) – Final text neatly arranged, Intersoft Consulting Services AG, https://gdpr-info.eu/ (2018).
Korea Internet & Security Agency, GDPR vs. Personal Information Protection Act, Korea Internet & Security Agency, https://www.kisa.or.kr/business/gdpr/gdpr_tab4.jsp (2018).
Kwon, Geon-Bo, A study on the scope of personal information and the right to self-determination over personal information, Korean Comparative Public Law Association (2017).
Lim, Gyeo-Cheol, A study on the improvement of legislation of domestic personal data protection act through critical acceptance of GDPR and 2018 BDSG, Kyungpook National University Law Journal, at 61, 81-115.
Personal Information Protection Commission, EU Privacy Protection Legislation Analysis and research on personal Information Protection Legislation Demand (trans. by writer), Personal Information Protection Commission Report (2016).
Personal Information Protection Commission, Report on overseas private information enforcement system and personal information protection (trans. by writer), Personal Information Protection Commission Report (2012).
[1] Kwon, Geon-Bo, A study on the scope of personal information and the right to self-determination over personal information, Korean Comparative Public Law Association (2017).
[2] Personal Information Protection Commission, Report on overseas private information enforcement system and personal information protection (trans. by writer), Personal Information Protection Commission Report (2012).
[3] Personal Information Protection Commission, EU Privacy Protection Legislation Analysis and research on personal Information Protection Legislation Demand (trans. by writer), Personal Information Protection Commission Report (2016).
[4] Personal Information Protection Commission, EU Privacy Protection Legislation Analysis and research on personal Information Protection Legislation Demand (trans. by writer), Personal Information Protection Commission Report (2016).
[5] Korea Internet & Security Agency, GDPR vs. Personal Information Protection Act, Korea Internet & Security Agency, https://www.kisa.or.kr/business/gdpr/gdpr_tab4.jsp (2018).
[6] Lim, Gyeo-Cheol, A study on the improvement of legislation of domestic personal data protection act through critical acceptance of GDPR and 2018 BDSG, Kyungpook National University Law Journal, at 61, 81-115.