The National Assembly of South Korea recently passed a bill to amend the so-called “Three Data Laws” of Korea — the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilisation and Information Protection, Etc. (hereinafter Information and Communications Network Act) and the Credit Information Use and Protection Act (hereinafter Credit Information Protection Act) — in January 2020. This amendment will take effect beginning August 5, 2020. Revisions to any related enforcement decrees and enforcement rules, which will elaborate on the amended provisions of these acts, will be prepared by March and then will be pre-announced in March or April.
More data use with the introduction of “pseudonym information”
The recently amended Personal Information Protection Act introduced the idea of “pseudonym information”. It refers to information which was processed to prevent certain individuals from being identified by using a pseudonym (or “de-identification”) such as deleting any part of personal information or replacing any identifiable information fields with pseudonyms.
Pseudonym information may be processed (such as through collection, creation, interlocking, provision, disclosure, etc) without the consent of the information object in any scientific research, including for statistical and industrial purposes. Any pseudonym information retained within a company can be combined autonomously but combining pseudonym information held by more than one company can be done only by the Personal Information Protection Commission or other designated specialised agencies. In addition, the amended Credit Information Protection Act also allows the use of pseudonym personal credit information without obtaining consent when producing statistics for commercial purposes and for industrial research.
Moreover, when pseudonym information is provided to a third party, it must not include any information which can help identify the individuals involved. If pseudonym information is processed for the purpose of identifying an individual, a company engaging in that conduct can be fined up to 3 percent of the company’s annual sales.
The allowance of pseudonym information systems is intended to help nurture research needed for new technology development and to help promote new industries such as smart cities, fintech, etc. The prevailing forecast is that the introduction of such pseudonym information will contribute to revitalisation of data economy and AI development. However, standards and guidelines related to such pseudonym personal information have not yet been developed and much concern has been voiced about the importance of creating further safeguards for pseudonym information. Companies and research institutes are also showing keen interest in follow-up measures for this newly introduced system by the Personal Information Protection Commission.
Unification of the personal information protection system
Currently, the protection of personal information in Korea is being regulated by several agencies such as the Ministry of the Interior and Safety, the Korea Communications Commission, the Personal Information Protection Commission and others. But the amended Personal Information Protection Act will unify these scattered personal information protection services to be solely handled by the Personal Information Protection Commission, while elevating the status of such agency to become a central administrative organisation. Provisions on personal information protection stipulated in the Information and Communications Network Act will all be deleted, and such deleted provisions will be incorporated into the Personal Information Protection Act. This is to ensure the independence and extensiveness of the regulatory authority for personal information protection, and it is also relevant to the current effort to obtain the EU’s recognition of South Korea’s compliance with GDPR goals.
Strengthened rights of credit information objects
The amended Credit Information Protection Act is also granting individuals, as the subjects of credit information, a new right to demand that any financial company transfer their own credit information to other companies or agencies. Such measure is interpreted to be based on the information subjects’ right to data portability recognised by the EU’s GDPR. This will in turn boost the so-called “my data” industry that provides various services, such as integrated inquiry of personal credit information, credit and asset management, etc.
T: (82) 2 2262 6229
F: (82) 2 2279 5020