Published in Asian-mena Counsel: Data + Cyber Security Special Report 2020
By Kwang-Wook Lee, Helen H. Hwang, Chulgun Lim and Keun Woo Lee, Yoon & Yang
Three primary data privacy laws in Korea are (i) the Personal Information Protection Act (“PIPA”) enacted in 2011; (ii) the Act on the Promotion of the Use of the Information and Communications Network and Information Protection (the “Network Act”) enacted in 1999; and (iii) the Credit Information Use and Protection Act (the “Credit Information Act”) enacted in 1995. The PIPA is a general law that regulates general matters of data protection, whereas the Network Act and the Credit Information Act are sector-specific laws. The Network Act applies to data protection for online service users. The Credit Information Act regulates credit information protection.
These three data privacy laws have recently been amended extensively. The amendments to the data privacy laws are intended to streamline the regulatory framework for data protection and governance, addressing the need for efficient use of data for the emerging economy based on new technologies such as artificial intelligence, cloud computing and big data.
The amendments to the data privacy laws came into force on August 5, 2020 except for certain amendments to the Credit Information Act which will take effect in 2021.
Key aspects of the amendments to the PIPA and their implications
(1) Regulatory authorities
Prior to the amendments, the data privacy laws were enforced by multiple regulatory authorities. The PIPA was regulated by the Ministry of the Interior and Safety (“MOIS”). The regulatory bodies responsible for the enforcement of the Network Act and the Credit Information Act were the Korea Communications Commission (“KCC”) and the Financial Services Commission (“FSC”), respectively. To streamline the overlapping layers of regulatory bodies, the amendments to the data privacy laws centralise the enforcement authority at the Personal Information Protection Commission (“PIPC”), transferring data protection tasks of the MOIS and the KCC to the PIPC. The PIPC has the authority to conduct investigations and impose corrective orders and administrative fines for violation of the data privacy regulations.
(2) Scope of personal information
The amended PIPA provides criteria for determining the scope of personal information. Prior to the amendments to the PIPA, the definition of “personal information” included information that cannot identify an individual when used alone, but can be easily combined with other information to identify an individual. There was some obscurity as to the meaning of the phrase “easily combined with other information,” resulting in difficulty in enforcement. To address this issue, the amended PIPA provides clearer criteria such that the phrase “easily combined with other information” will be reasonably construed considering the time, cost and technology required to identify an individual as well as the availability of other information.
(3) Pseudonymised information and anonymised information
The amended PIPA introduces the conceptual framework of “pseudonymised data”, which is defined as information which has been pseudonymised such that it cannot identify an individual without using or combining with additional information to restore it to its original state. Pseudonymisation refers to processing personal information by deleting part of personal information or replacing all or part of personal information so that it cannot identify an individual without additional information. Under the amended PIPA, data controllers can process pseudonymised data without the consent of the data subject for the purposes of statistics preparation, scientific research and record preservation for public interest.
The amended PIPA further clarifies that the regulations under the PIPA do not apply to anonymised information, i.e., information which cannot identify an individual even when combined with other information, reasonably considering time, cost and technology required for such combination.
(4) Use of personal information for purposes reasonably related to the original purpose may not require the data subject’s consent
Under the amended PIPA, data controllers may use or provide personal information without the consent of the data subject within a scope reasonably related to the original purpose of collection as notified to the data subject at the time of the collection of personal information, if certain conditions (such as security measures, for example encryption) are satisfied. Thus, flexibility is expected in data processing within a reasonable scope.
Key aspects of the amendments to the Network Act and their implications
(1) Deletion of provisions similar to or overlapping with the PIPA
The amendments to the Network Act delete the provisions which are similar to or overlapping with the PIPA so that the general law of the PIPA can apply first for personal information protection. Most of the provisions under Chapter 4 of the Network Act are deleted, and the title of Chapter 4 of the Network Act is changed from “Personal Information Protection” to “Creation of a Safe Environment for the Use of Online Services.”
(2) Transfer of provisions to the PIPA
Among the provisions deleted from the Network Act, those that differ from the PIPA or exist only in the Network Act are transferred to Chapter 6 of the PIPA (“Special Provisions Regarding Processing of Personal Information by Online Service Providers”) to protect personal information of online service users. Online service providers that do not have business places or addresses within Korea and whose sales or number of users exceed certain thresholds must designate a local representative to deal with matters concerning personal information protection.
Key aspects of the amendments to the Credit Information Act and their implications
(1) Relationship with the PIPA
To secure credit data protection, the amendments to the Credit Information Act adopt certain provisions under the PIPA with changes appropriate to the financial sector. Under the amended Credit Information Act, some provisions of the PIPA apply mutatis mutandis. The Credit Information Act is a special act to the PIPA, meaning that the amended Credit Information Act applies over the amended PIPA in the case of any conflict between them.
(2) Use of big data by pseudonymisation or anonymisation
In line with the amendments to the PIPA, the amended Credit Information Act introduces the conceptual framework of pseudonymisation and anonymisation. Under the amended Credit Information Act, if a data expert institution designated by the FSC confirms that certain information has been properly pseudonymised or anonymised, such information is deemed to have been processed such that it cannot identify an individual. This is expected to ease legal uncertainty for financial institutions in their use of big data. Under the amended Credit Information Act, as under the amended PIPA, pseudonymised data can be used or provided without the consent of the credit data subject for statistics preparation, research and record preservation for public interest. The amended Credit Information Act further specifies that “statistics preparation” includes statistics preparation for commercial purposes such as market research, and “research” includes industrial research.
(3) Changes to consent requirement
The amended Credit Information Act allows certain financial service providers to notify the credit data subject solely of a summary of important matters when obtaining the consent of the credit data subject, unless otherwise required by the credit data subject.
Under the amended Credit Information Act, some financial service providers are assigned a “consent level” evaluated by the FSC. Such service providers must inform the credit data subject of the consent level so that the credit data subject can be aware of potential consequences of their consent.
(4) Rights of the data subject
The amended Credit Information Act enhances the rights of the credit data subject by introducing the right to data portability, the right to object and the right to be informed concerning automated decision making and profiling.
(5) Punitive damage
The amended Credit Information Act expands the award of punitive damages for intentional or grossly negligent leakage of credit information up to five times the amount of compensatory damages.
The amendments to the privacy laws have significance in that they provide a regulatory framework not only for personal information protection but also for data use. By clarifying the definition of personal information and introducing the concept of pseudonymised data, the amendments to the privacy laws are expected to invigorate the emerging data economy based on new technologies.
While the privacy laws have been amended extensively at the same time, they contain partially different provisions with different scopes of application. Therefore, there still remains the possibility that those provisions may be construed differently in the context of each privacy law. In that regard, the regulating authorities are expected to further publish subordinate regulations and guidelines.
It is also noteworthy that the amendments to the privacy laws introduce the concept of pseudonymised and anonymised data. However, necessary details for its application need to be further clarified.