Amendments to Korea’s Major Data Protection and Privacy Laws Proposed

In recent years, the balance between the utilization and the protection of personal information has been a hot topic among industry professionals and experts in Korea. On November 15, 2018, a number of bills amending four of Korea’s major data protection and privacy laws (individually a “Bill” and collectively, the “Bills”) were introduced in the National Assembly. Each of the Bills aims to achieve such a balance while encouraging the active use of big data and other data-based applications by businesses. The four laws for which the Bills were introduced are: the Personal Information Protection Act (“PIPA”), the Act on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”), the Act on the Protection and Use of Location Information (“Location Information Act”), and the Credit Information Use and Protection Act (“CIUPA”).

I. Purpose of the Bills

The Bills reflect the results of the Regulatory and Institutional Reform Hackathon held by the Presidential Committee on the Fourth Industrial Revolution in early 2018. Specifically, the Bills clarify the definition of “personal information” by introducing the concepts of pseudonymized data and anonymized data, and set forth the detailed scope within which pseudonymized data may be used. Under the Bills, the Ministry of Interior and Safety (“MOIS”) and the Korea Communications Commission (“KCC”) are, in principle, no longer in charge of matters related to the protection of personal information; that responsibility is transferred to the Personal Information Protection Committee (“PIPC”). By integrating the Network Act’s personal information-related provisions into the PIPA as special provisions, the Bills also aim to achieve consistency in the application of Korea’s various data protection and privacy laws. In addition, the Bills allow for the combination of data sets, which is likely to make it easier for data handlers to utilize the personal credit information in their possession. Meanwhile, under the influence of the European Union’s General Data Protection Regulation (“GDPR”), the Bill for the CIUPA introduces new rights for data subjects, such as the right to request the transmission of one’s personal credit information (similar to the right of data portability) and the right to control automated individual decision-making.

Until now, Korea’s data protection regime has been heavily focused on protecting data, which has meant that the effective use of data was limited by the tight restrictions placed on its use. As such, Korea’s data protection regulations have been known as some of the most stringent in the world. This is likely to change to some extent now that the Bills, which are designed with the GDPR and other countries’ current data protection regulations in mind and strive to strike a balance between the protection of data and its active use, have been introduced to the National Assembly. While the Bills have yet to be passed by a plenary session of the National Assembly, there is a high likelihood that they will eventually be passed (even if some changes are made to their current drafts), since it has been reported that the Bills reflect discussions between the ruling party and the Korean Government over the past several months. However, a number of civil society groups have apparently requested that additional changes be made to the current drafts of the Bills in order to strengthen their data protection aspects. Regardless, once the Bills are adopted, they are expected to bring about the most wide-sweeping changes across Korea’s data industry since the PIPA was first implemented.

II. Key provisions of the PIPA Bill

1. Vitalization of secure data processing

- Personal information is divided into three categories: personal information, pseudonymized data and anonymized data. Pseudonymized data, which is personal information that has been processed/pseudonymized such that it cannot be used to identify a specific individual without the use of, or combination with, other information, may be used to compile statistics, carry out scientific research, or preserve public records without the data subject’s consent. Even in such cases, however, combining the data sets of two or more data handlers must be done through a professional institution (i.e., a third-party institution qualified under the PIPA), and the professional institution’s approval is required before the combined data set may be exported to a third party.

- Data handlers are required to implement certain statutorily prescribed security measures when processing pseudonymized data or combining two or more different data sets. Data handlers may not engage in any act that would allow a specific individual to be identified from the pseudonymized data or combined data sets, and a violation may result in criminal sanctions or a penalty surcharge.

2. Reform of related data protection laws and supervisory authorities

- Personal information-related provisions have been deleted from the Network Act, and instead special provisions regarding (i) safeguards to be implemented for the cross-border transfer of personal information, (ii) restrictions on the onward transfer of personal information, (iii) the designation of a local representative, and (iv) the purchase of insurance for damage compensation have been added to the PIPA. For your information, the Bills for the Network Act, Location Information Act, and CIUPA are subject to the (adoption of the) PIPA Bill.

- The PIPC is promoted to a central administrative agency with independent authority to handle matters relating to the processing of personal information under the PIPA, and all functions of the MOIS under the PIPA and of the KCC under the Network Act related to personal information matters are transferred to the PIPC. The powers granted to the PIPC include the authority to investigate alleged violations of applicable data protection and privacy laws and to impose a penalty surcharge and/or administrative fine on violators. The KCC and PIPC will jointly enforce the Location Information Act.

III. Key provisions of the CIUPA Bill

1. Use and Protection of Data in the Financial Sector

- By introducing the concepts of pseudonymized data and professional data institutions, a legal basis for analyzing, using, and combining data in the financial sector will be established.

- All credit information companies, credit information collection agencies and credit information providers/users (collectively, “Credit Information Companies”) are required to implement a security plan to ensure the safe processing of pseudonymized data. If pseudonymized data is used to re-identify a specific individual for commercial or illegal purposes, the Credit Information Companies will be subject to criminal sanctions and/or a penalty surcharge.

2. Reform of regulatory regime to promote competition in the financial information industry

- The current version of the CIUPA defines “credit inquiry service” rather broadly. The CIUPA Bill breaks the credit inquiry service down into subcategories based on the nature of the service, such as the “personal credit evaluation service,” “sole proprietorship credit evaluation service,” and “corporation credit inquiry service,” while adding new types of services (i.e., the “professional individual credit evaluation service” and the “self-credit information management service (MyData)”) that use non-financial data to evaluate an individual’s credit rating.

- Credit bureaus are no longer prohibited from carrying on another commercial business at the same time as a credit information business, and are allowed to concurrently carry out a commercial business that is not at risk of harming a credit information subject or the sound practices of credit transactions.

- Changes are made to the regulations on the ownership structure of financial information companies and on the business activities in which Credit Information Companies are allowed to engage.

- More roles are assigned to credit information collection agencies.

3. Protection of credit information subjects

- A rating system is introduced for consent forms, such that different ratings will be assigned to consent forms depending on the risk(s) and benefit(s) associated with giving consent.

- Influenced by the GDPR’s concepts of a data subject’s right to data portability and of automated individual decision-making, new rights such as the right to request the transmission of one’s personal credit information and the right to control automated individual decision-making have been introduced.

- A regular review system is introduced so that the Financial Services Commission can monitor the use and management of personal credit information by financial institutions.

IV. Conclusion

The Bills are known to be the product of many months of extended discussions between various interested parties across the private sector, civil society, academia, the legal sector, and industrial circles. In light of the Bills, the adequacy assessment under the GDPR that the Korean Government has been pursuing in consultation with the EU Commission is likely to continue on the basis of the PIPA instead of the Network Act. Companies that process large volumes of personal information in the course of their business are advised to closely monitor the final drafts of the Bills and to make the necessary preparations to their practices in light of the changes expected once the Bills are adopted into law.