South Korea

Screenshot 2020-04-03 at 12.16.28 PMBy Mi-Jeong Oh, Dentons Lee


The National Assembly of South Korea recently passed a bill to amend the so-called “Three Data Laws” of Korea — the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilisation and Information Protection, Etc. (hereinafter Information and Communications Network Act) and the Credit Information Use and Protection Act (hereinafter Credit Information Protection Act) — in January 2020. This amendment will take effect beginning August 5, 2020. Revisions to any related enforcement decrees and enforcement rules, which will elaborate on the amended provisions of these acts, will be prepared by March and then will be pre-announced in March or April.

More data use with the introduction of “pseudonym information”

The recently amended Personal Information Protection Act introduced the idea of “pseudonym information”. It refers to information which was processed to prevent certain individuals from being identified by using a pseudonym (or “de-identification”) such as deleting any part of personal information or replacing any identifiable information fields with pseudonyms.

Pseudonym information may be processed (such as through collection, creation, interlocking, provision, disclosure, etc) without the consent of the information object in any scientific research, including for statistical and industrial purposes. Any pseudonym information retained within a company can be combined autonomously but combining pseudonym information held by more than one company can be done only by the Personal Information Protection Commission or other designated specialised agencies. In addition, the amended Credit Information Protection Act also allows the use of pseudonym personal credit information without obtaining consent when producing statistics for commercial purposes and for industrial research.

Screenshot 2020-04-03 at 12.19.15 PM

Moreover, when pseudonym information is provided to a third party, it must not include any information which can help identify the individuals involved. If pseudonym information is processed for the purpose of identifying an individual, a company engaging in that conduct can be fined up to 3 percent of the company’s annual sales.

The allowance of pseudonym information systems is intended to help nurture research needed for new technology development and to help promote new industries such as smart cities, fintech, etc. The prevailing forecast is that the introduction of such pseudonym information will contribute to revitalisation of data economy and AI development. However, standards and guidelines related to such pseudonym personal information have not yet been developed and much concern has been voiced about the importance of creating further safeguards for pseudonym information. Companies and research institutes are also showing keen interest in follow-up measures for this newly introduced system by the Personal Information Protection Commission.

Unification of the personal information protection system

Currently, the protection of personal information in Korea is being regulated by several agencies such as the Ministry of the Interior and Safety, the Korea Communications Commission, the Personal Information Protection Commission and others. But the amended Personal Information Protection Act will unify these scattered personal information protection services to be solely handled by the Personal Information Protection Commission, while elevating the status of such agency to become a central administrative organisation. Provisions on personal information protection stipulated in the Information and Communications Network Act will all be deleted, and such deleted provisions will be incorporated into the Personal Information Protection Act. This is to ensure the independence and extensiveness of the regulatory authority for personal information protection, and it is also relevant to the current effort to obtain the EU’s recognition of South Korea’s compliance with GDPR goals.

Strengthened rights of credit information objects

The amended Credit Information Protection Act is also granting individuals, as the subjects of credit information, a new right to demand that any financial company transfer their own credit information to other companies or agencies. Such measure is interpreted to be based on the information subjects’ right to data portability recognised by the EU’s GDPR. This will in turn boost the so-called “my data” industry that provides various services, such as integrated inquiry of personal credit information, credit and asset management, etc.



Screenshot 2020-03-04 at 3.13.38 PM



T: (82) 2 2262 6229

F: (82) 2 2279 5020

Related Articles
The Greater China IP Updates – April 2022
Taiwan Semiconductor Manufacturing Company continues to lead against its competitors in the IP field. Currently, the company is using its advanced 5-nanometer process in the commercial production of the A-series processors for Apple’s iPhone line. TSMC is also involved ...
Related Articles by Jurisdiction
The controversy over “different franchise fees” in Korea
In Korea, many franchisors require their franchisees to purchase franchise products from the franchisors. They do this to ensure a level of uniformity in the franchise business, enabling franchise customers to receive the same types and quality of goods from ...
The latest win by Lone Star against national tax service
On June 13, 2014, the Seoul Administrative Court ruled in favour of Lone Star Funds and ordered the tax office to refund US$117 million in taxes collected on the sale of a block of shares …
South Korea focus
This month’s Asian-Counsel marks our South Korea focus issue, providing an overview of the latest developments on Korea’s corporate legal scene by the nation’s leading firms. Meanwhile, our feature story discusses how the current global economy will ...
Latest Articles