Data privacy in Korea, for “Big Data” and financial sector

Draft regulations follow up on amendments of Personal Information Protection Act (PIPA) and Credit Information Use and Protection Act (CIPA), which will widen the path for “Big Data” type data processing and services.

Announced on March 31, 2020, the draft modified Enforcement Decrees for PIPA and CIPA (PIPA-ED, CIPA-ED) would clarify requirements for handling pseudonymized information, and scope for possible consolidation of data.

PIPA-related provisions address standards for wider permitted use of personal information, while stiffening treatment of biometric (e.g. facial recognition) and certain other data.

CIPA-related provisions further spell out data portability rights, and scope and requirements for credit information businesses (credit bureaus) and MyData type services.

The draft regulations seem likely to be adopted (with little if any change) by June 2020, and agencies plan to then publish further guidance ahead of August 5, 2020 effective data of amended PIPA and CIPA.

As reported in our , on January 9, 2020 Korea amended its core data privacy statutes – mainly the Personal Information Protection Act (PIPA) and Credit Information Use and Protection Act (CIPA) – so as to better allow for generation and use of pseudonymized information (PsI, such as hashed data and other common forms of de-identified data), clarify latitude for use of personal information (PI) and personal credit information (credit PI), and set up the framework for a range of credit data based services. The major statutory changes, which will go into effect on August 5, 2020, mark potentially a “Big Data Big Bang” in Korea, but must rely on a variety of standards and sub-rules to be further determined in ensuing regulations.

The government on March 31, 2020 released a main set of draft regulations, in the form of draft amended Enforcement Decrees (EDs), or prime implementing regulations, for PIPA and CIPA (PIPA-EDand CIPA-ED). The draft regulations address requirements and restrictions for handling of PsI, including security issues and scope for possible consolidation of PsI, clarify certain boundaries for use of PI generally and use of credit PI, and supplement the framework for credit information-based services and data portability.

Drawn up by the key agencies (Ministry of Interior & Safety, Korea Communications Commission, Financial Supervisory Commission), the draft amended EDs have been announced for purposes of public comment, but appear likely be confirmed as the final versions, save for possible minor changes, by the end of May 2020. The agencies are then expected to issue further guidelines and sub-rules, and interpretative guidance, before the amended statutes take effect in August.

Outlined here are the main features of the draft ED amendments. It is hoped this will serve as useful reference in conjunction with our which explained the main statutory changes passed in January.

1.        PIPA-ED: Certain requirements for use of PsI, and limits on consolidation · scope for use of PI more generally · “sensitive” data classification for biometric and other data

1.1.  Security related requirements for PsI
PIPA as amended will allow use of PsI (without need of additional consent) to generate statistical data, and for research purposes. (Probably this includes commercial applications, though the point remains not wholly clear, as noted in our previous bulletin.) The amended PIPA provides, however, for a range of measures to safeguard PsI, and the draft PIPA-ED amendments now set out administrative and technical strictures for the production and handling of PsI. Requirements, for any entity that processes PsI, will include having managerial plans in place for handling of PsI, appointing a chief data protection officer and providing staff training, controlling data access, maintaining access logs and other records, and separately storing any data whereby PsI could be rendered identifiable. Non-compliance, depending on the type and impact, would be subject to administrative fines (including, in case of processing of PsI to re-identify the data, a fine of up to 3% of relevant revenue) and, potentially, criminal penalties.

1.2.  Consolidation of PsI
PIPA as amended newly permits consolidation of PsI from different data controllers, by specialized data institutions designated for this purpose. (That is, designated by the Personal Information Protection Commission or PIPC, which will take over the Korea Communications Commission’s data regulatory role.) As noted below, at least in the early stages, designated institutions are likely to be public sector only. At any rate, the draft PIPA-ED provides that, to be eligible, any such institution must meet various staffing and facility / equipment, requirements, and financial criteria. For now, the draft PIPA-ED gives descriptive indications, leaving definitive criteria to be fleshed out in further regulations, but the requirements will evidently include staffing of some number of data engineers with relevant experience; and facility partitions, and monitoring and logs. Further, the institution will be subject to PIPC-adopted safeguards to ensure against PsI consolidation resulting in re-identification of data subjects, including a restriction whereby an entity that requested consolidation may analyze the results only in a secure area within the institution; and requirements of prior review and approval for proposed external transfers of consolidated data, e.g. to a third party for AI analysis.

The draft PIPA-ED clarifies that any such designation of an institution to consolidate PsI will be for a term of 3 years, during which the institution’s PsI-related operation and facilities will be subject to close oversight by the PIPC. Further requirements and guidelines concerning consolidation of PsI are expected to be issued in the coming months.

While not so stated in the draft PIPA-ED, the regulators’ position is that, at least in the early phase, it will be only public institutions that are designated to handle PsI consolidation. This stance, seen as prudent given the newness of the frontier and need to build trust among the general public, would seem to mean that no private sector firms will be authorized to handle consolidation of PsI, from different sources, probably through at least the first year from August 2020.

1.3.  Additional Use of Personal Information
As noted in our previous bulletin, the amended PIPA permits further use and transfer of PI (once validly collected) by a data controller, without need of further consents, “within a scope reasonably related to the original purpose of collection” of the PI,*a standard patterned after a GDPR analog. The draft PIPA-ED clarifies that the “reasonably related” scope is to take account of (a) whether the further use/transfer has a substantial connection to the original purpose of collection; (b) whether the use/transfer was foreseeable, in the circumstances; (c) whether it poses a risk of unduly encroaching on interests of the data subject or a third party; and (d) whether pseudonymizing the data will meet the intended purpose (in which case this should be done).

(*In contrast, the amended CIPA allows for use of credit PI – financial records and the like – for further purposes “that do not conflict with the original purpose” of collection. The draft PIPA-ED and CIPA-ED do not address the salient discrepancy between the two formulations, but it is believed the regulators’ stance is not to extend the permissive scope under CIPA beyond that under PIPA.)

1.4.  Scope of “sensitive information”, subject to heightened constraints, extended to biometric information
The amended PIPA left it open to add further types of PI to the category of “sensitive information”, which triggers heightened consent requirements and stricter limits for data collection and use. Under the draft PIPA-ED, the “sensitive” category would also include biometric information, defined as unique information, generated using individual-recognizing technology, relating to physical, biological or behavioral aspects of individuals, including fingerprints, irises and faces. An underlying concern is that leakage of such data may lead to irreversible harm.

Also added to the “sensitive” category, under the draft PIPA-ED, is information relating to race or ethnicity that could lead to unfair discrimination against individuals.

2.        CIPA-ED:  Consolidation of credit PI, and limits ● supplemental standards for data portability ● framework for credit bureaus, other credit data-based services

2.1.  Consolidation of Credit PI
CIPA as amended left a possibility for authorized institutions to handle consolidation of personal credit information (which we refer to as credit PIhere). Under the draft CIPA-ED, any of the “credit information companies etc.” (such as credit rating agencies and financial institutions) could seek to consolidate credit PI, which it has compiled, with credit PI or other PI of another party, by applying for such consolidation by a specialized data institution designated for this purpose by the Financial Services Commission (FSC). (This framework parallels, in part, that for PsI generally, noted at part 1.2 above.) Upon the FSC’s go-ahead, and following a consolidation process, the data institution would then further de-identify the consolidated data, and take some further security measures, before transferring the consolidated data to the entity that requested the process or the other source of the credit PI.

As with the regulators’ indications for handling of PsI consolidation work pursuant to the PIPA, the FSC’s plan, for the early phase, is to include only public entities among the institutions authorized to undertake data consolidation. The scope will be expanded to private sector firms at some point down the road. The FSC has indicated it will, further, strive to ensure that the designated institutions implement adequate risk management systems, including e.g. in terms of personnel, and segregation of servers used for consolidation.

2.2.  Data portability
The amended CIPA gives data subjects the right to require credit information companies to transfer their credit PI to the data subjects themselves or to various kinds of credit information-handling companies. The draft CIPA-ED goes on to spell out, to a large extent, the categories of credit PI over which the data subjects may exercise such control, and the range of entities from and to which they may require transfer of their credit PI. Eligible categories of credit PI would include financial transaction data as well as tax payment records, social safety net (health insurance etc.) contributions, and telecom and utility payments, in possession of financial institutions and entities such as telecoms, KEPCO and other utilities. Recipients of requested transfers may include other financial institutions, personal credit assessment companies, and MyData type services.

2.3.  Framework for credit bureaus: security requirements; ancillary activities
The amended CIPA sets up a general framework for credit information businesses, or credit bureaus, divided among the credit assessment categories of (a) personal (individuals’ credit scores), (b) personal enterprise (individual proprietor businesses), and (c) corporate (to provide credit scores of or relating to companies, which can include assessment of their technology). In addition to capital (KRW 500 million to 5 billion, depending on the type) and personnel requirements under the amended CIPA, the draft CIPA-ED provides for conditions including facility/system requirements for secure data processing. However, the framework awaits further details, such as relating to encryption, firewall and recovery systems, and other operating features. Such details are supposed to follow in ensuing announcements, probably starting in late May or June 2020.

Where the amended CIPA also allows for some scope of ancillary business to be conducted, the draft CIPA-ED would indeed permit the various types of credit bureaus – personal credit, personal enterprise credit, corporate credit – to engage in supplemental business activities relating to data processing, subject to applicable requirements under separate laws. Corporate credit assessment businesses, in particular, will not be confined to financial business, but can enter other lines of business, subject to relevant licenses or registrations.

2.4.  MyData businesses and supplemental activities
In conjunction with portability rights for data subjects and their credit PI, the amended CIPA provides a framework for personal credit information management services. Now the draft CIPA-ED clarifies that a MyData type business may engage in additional, complementary business activities, such as electronic financial services, loan brokerage, and provision of investment advice using robo-advisors, subject to obtaining the relevant licenses or other clearances in each instance. In engaging in such ancillary services, a MyData business would be subject to certain constraints under the draft CIPA-ED. Among them, the business must not collect credit PI beyond what was originally transferred to the MyData business at the data subjects’ request, nor otherwise infringe upon the data subjects’ autonomy in respect of their credit PI. The draft regulations also contain restrictions on unfair contract terms with customers.

Standards and sub-rules governing MyData businesses are to be set out in a “Finance Sector MyData Industry Guideline”, said to be forthcoming in April 2020.

Summing up: The drafts of the amended Enforcement Decrees go some way to elaborating the framework under the major amendments of the PIPA and CIPA, which will take effect in early August 2020. Among other aspects, the draft implementing regulations spell out a number of parameters for use and consolidation of PsI as well as PI, and for credit PI-related services. There remain, however, a number of important aspects that must await additional regulations and guidance over the coming months.