Focussing on topics such as big data, cloud computing and healthcare, Wonil Kim, Kwang-Wook Lee and Ji Hye Seol of Yoon & Yang examine how new technologies will affect personal information regulation in South Korea.
The primary source of the law governing personal information protection in South Korea is the Personal Information Protection Act (PIPA) which has been implemented since 2011. The PIPA sets out the ground rules which apply generally to personal information protection. In addition to the PIPA, there also exist specific laws that govern personal information protection in certain sectors and industries. For instance, the Promotion of Information and Communications Network Utilisation and Information Protection Act (Communications Network Act) includes personal information protection provisions applicable in relation to telecommunications services; the Use and Protection of Credit Information Act contains provisions to protect personal information in the context of financial services; and the Medical Service Act governs personal information protection in healthcare sectors.
This coexistence of general and specific laws governing personal information protection sometimes causes confusion in their application. The confusion is further compounded by the lack of rules and regulations governing personal information protection in new fields where the advancement of technologies has led to non-traditional ways of processing personal information. In this report, we will examine the regulations concerning personal information in the new fields of big data, cloud computing, healthcare, drones and the Internet of Things (IoT).
Big data
As the economic effects of accumulating massive data sets attract increasing attention, the risk of potential infringement of personal information is increasing in proportion.
The PIPA and the Communications Network Act define ‘personal information’ as information about a living individual who is identifiable by reference to his or her name, resident registration number or images, including information that may not be personally identifiable by itself but may identify an individual when combined with other information. Information that is not personally identifiable at its collection stage, whether by itself or in combination with other information, would not constitute ‘personal information’ and would not be subject to the regulations under the PIPA and the Communications Network Act.
Given that the linking of data sets lies at the core of big data processing, personal data which is unidentifiable at the collection stage may subsequently serve to identify individuals. However, as discussed above, such personally unidentifiable data does not constitute ‘personal information’ under the current laws, and thus will not be subject to their regulations. In practice, there has not yet been any case where the government authorities sought to regulate big data on the grounds that the data may constitute personal information. The increasing concern that the current legal framework may not effectively protect personal information in the processing of big data has led to legislative proposals to enact a relevant law, but such efforts have not yet resulted in actual legislation.
Taking into account the market potential of big data, over-regulation should be avoided lest it have a chilling effect and impede the growth of the relevant industries. On the other hand, the possibility of personal information infringement in the processing of big data should not be treated lightly. A balanced approach to these issues would have to be achieved by the enactment of special legislation. Until then, controversy over these issues will continue.
Cloud computing
Using cloud services, individuals can store files on the cloud offered by a cloud service provider rather than on their local hard drive. Cloud services relieve individuals of the costly search for extra storage space, but they also pose the risk that personal information stored by an individual on the cloud may be accessible to others.
In order to address issues relating to cloud computing, the Act on Development of Cloud Computing and User Protection (Cloud Computing Act) has been in force since September 2015. While the Cloud Computing Act contains certain provisions to protect cloud service users, it does not include provisions specifically addressing personal information protection. Accordingly, personal information protection in the context of cloud computing is still governed by the general provisions of the PIPA and the Communications Network Act. For instance, when individuals store their data on the cloud provided by a cloud service provider, the cloud service provider constitutes a ‘telecommunications service provider’ under the Communications Network Act and, as such, is required to obtain consent from the service users for the collection and use of personal information.
One of the controversies regarding personal information protection in cloud computing is how to regulate personal information stored on cloud servers located overseas. Under the Communications Network Act, when transferring personal information of service users abroad, the service provider is required to obtain consent from the service users after informing them of the items of personal information to be transferred; the country to which the personal information is transferred; the date and method of the transfer; the name of the transferee; and the purpose of use, and duration of storage, of the personal information to be transferred. Some argue that these requirements under the Communications Network Act would adversely affect the business of foreign cloud service providers whose servers are overseas, compared to domestic cloud service providers. With respect to this issue, it is also argued that as long as the foreign cloud service provider does not access, use or transfer the personal information of domestic service users stored on the cloud server located overseas, but simply has its server physically located overseas, the requirements relating to the foreign transfer of personal information under the Communications Network Act should not apply. This is another issue that needs to be resolved through future legislation.
Healthcare
Personal information of patients is strictly regulated under the PIPA and the Medical Service Act. However, the strict regulation of personal information in the healthcare industry is often criticised as impeding the advancement of smart healthcare, which has great market potential as new technologies, including ICT, are applied more and more frequently in the healthcare industry.
Personal information of patients constitutes sensitive information under the PIPA. Under the PIPA, the processing of sensitive information (including collection, creation, liaison, linkage, recording, storage, retention, editing, search, copy, correction, recovery, use, provision, access, disclosure, destruction, and other similar activities) requires the consent of the data subject unless otherwise stipulated in other laws.
The Medical Service Act imposes on medical institutions certain requirements regarding the protection of patients' personal information. One of the requirements is that medical institutions must store electronic medical records in a backup storage system that is not connected to a network. This requirement in effect prohibits medical institutions from using cloud services for the storage of electronic medical records. In 2015, prosecutors actually indicted an IT company for violation of the PIPA in a case where sensitive information of patients was processed by an outsourcing IT company.
In order to address the issues relating to personal information protection in the healthcare industry, there have been efforts to legislate an act governing the management and protection of medical information, but such efforts have not led to actual legislation. Instead, it is expected that amendments to the current laws will be made concerning remote medical treatment and cloud services for medical information.
Drones
Developed for military purposes, unmanned aircraft systems, better known as ‘drones’, nevertheless have a wide range of civil and commercial applications. As drones carrying cameras, sensors and recorders raise the prospect of extensive collection of sound, image or location information containing personal information, they also bring with them concerns about privacy and personal information protection.
Under the existing framework of personal information protection, the processing (including collecting, using or transferring) of identifiable personal information gathered by drones is regulated by the PIPA and the Communications Network Act. However, it is not clear whether the terms ‘personal data processor’ and ‘telecommunications service provider’, which define who is subject to the PIPA and the Communications Network Act respectively, also cover drone operators. It would also be difficult to trace the owners or pilots of small drones even if they infringe personal information.
In an attempt to address potential loopholes in the existing legal framework, the following measures are being considered: expanding the definition of ‘image information processing devices’ under the PIPA to include drones; specifying drone operators’ personal data protection obligations in the Aviation Act; and explicitly imposing personal data protection obligations on drone operators and manufacturers.
Internet of Things
In the case of IoT services, it is very difficult to obtain the prior consent of the data subject, given that data is collected by internet-connected devices. As the exchange of information in IoT services occurs through machine-to-machine communications, the only way to obtain the consent of the data subject whose personal information is communicated machine to machine would be to obtain a comprehensive consent from the data subject in advance. However, as such a prior comprehensive consent would not be interpreted as a proper consent within the meaning of the PIPA and the Communications Network Act, IoT service providers may face the risk of violating those acts. For instance, IoT services for autonomous vehicles, where information is exchanged between vehicles to monitor vehicle-to-vehicle distance, might be exposed to the risk of violating the PIPA or the Communications Network Act for not obtaining the proper consent of the data subject.
It has been argued that the current legal framework of personal information protection which requires prior consent of the data subject may pose a significant obstacle to the further development of IoT services. These issues would also have to be solved through relevant legislation.
With the introduction and advancement of new technologies, personal information will be collected, provided or otherwise processed more extensively. Accordingly, infringement of personal information will also likely increase in frequency and scale, and a more effective legal framework will be needed to protect personal information from new vulnerabilities. On the other hand, over-regulation in the name of protecting personal information would inevitably impede the further development of new technologies. A well-balanced approach to these issues will be crucial in improving the legal and regulatory framework for personal information protection while fostering the further development of new technologies.
One way to improve the legal framework would be to reduce the criminal penalties imposed on infringement of personal information under the current laws. Given that the risk of potential criminal penalties would likely interfere with bold application of new technologies, and that the civil and administrative penalties available under the current laws can accomplish the purpose of the regulations, it would be advisable to move toward gradually reducing criminal penalties for infringement of personal information.