On January 9, 2020, the National Assembly passed the amendments to the “Three
Major Data Laws,” including the Personal Information Protection Act (“PIPA”), during the
plenary session. We expect the Three Major Data Laws to become effective at the end of
July 2020, or six months from the date of promulgation.

As strict regulations have been one of the biggest barriers to data-driven businesses in Korea, the deregulatory measures provided by the passage of the Three Major Data Laws raise hope for a significant change for companies and institutions that use personal information.

Details
Key implications of the amended Three Major Data Laws include the below.

● Expectations: The revised bills focus on introducing the concept of pseudonymized data and on creating legal grounds for combining pseudonymized data, which would enable companies to utilize a broad pool of personal data for multiple purposes. 

● Use of Pseudonymized Data: Immediately after the Three Major Data Laws passed the plenary session of the National Assembly, the Ministry of the Interior & Safety (“MOIS”) stated in a press release that the introduction of pseudonymized information has allowed for the handling of “safely processed data that cannot identify specific individuals” for industrial research purposes. This raises expectations and possibilities for new industrial activities, such as test beds, applied research, smart cities, and fintech for innovative technological development, while also protecting personal information (see MOIS press release on January 9, 2020).

- Further, the MOIS provided examples for personal data, pseudonymized data, and anonymized data as shown in the table below. Companies using pseudonymized data
may wish to refer to this guideline for more detailed explanations.

- However, given that they are examples only, when using pseudonymized data in practice,
each case must be individually and specifically reviewed for any legal issues that may be raised. In other words, in the introductory phase, legal risk assessments may be inaccurate due to lack of evaluation criteria. Hence, government guidelines, authoritative interpretations, and policy trends should be closely monitored and reviewed.

- Further, it should be noted that the laws on pseudonymized data include administrative
penalties and criminal penalties for using pseudonymized data for reidentification purposes.

● Combination of Pseudonymized Data: The revised bills allow pseudonymized information held by different personal data processors to be combined by designated organizations. This raises expectations for value-added activities using cross-sectoral data, including from IT, financial and medical industries.

- For example, insurance companies may provide customized insurance services by combining and analyzing drivers’ insurance information that they possess with the driving habit data from telecommunications companies, and apply specific insurance 
rates for typical driving habits when determining insurance premiums. Service providers in other sectors may give commercial district analysis by combining an individual’s GPS data in a specific district with his/her credit card information.

● Data Usage Policy: As a follow-up to the passage of the amendment to the Three Major
Data Laws at the National Assembly plenary session, the Ministry of Science and ICT 
(“MSIT”) stated that it will promote open data and their distribution, since they are the critical resources in the age of the Fourth Industrial Revolution. The MSIT also noted that the passage of the Three Major Data Laws will bolster the growth of the data industry by encouraging the combination and utilization of information. Further, the MSIT announced that a “Data Economy Task Force” would be launched with members from all relevant government bodies, and that a comprehensive support plan will be prepared by February 2020 (see MSIT press release on January 9, 2020).

● EU Adequacy Assessment: With the revision of the Three Major Data Laws, Korea is highly likely to obtain a GDPR adequacy decision from the EU, and transfer of personal information from the EU to Korea will become easier going forward.

Recommendation to Monitor Regulatory Developments:

● Although the National Assembly passed the amendments to the Three Major Data Laws,
there are still voices of concern over deregulating personal information. We expect to
see continued conflict between supporters and opponents of deregulation during the interpretation and implementation phases.
- From a corporate point of view, it is important that you keep monitoring and sharing your opinion on the interpretation criteria, and that you monitor the developing regulatory trends (which will provide further clarity on the government’s stance), as well as authoritative interpretations, enforcement guidelines and any precedent-setting court decisions, to accurately assess and appropriately mitigate risks to your business.

● Additionally, now that all privacy regulatory functions, including for online data, have
been centralized under the PIPC, the PIPC’s opinions and actions must be closely monitored. 

- Finally, the executive branch will issue subordinate laws and relevant guidelines. Specifically, the Presidential Decrees will follow, providing details as to the scope of compatible use of personal data, the procedure and method of combining pseudonymous information, and the designated agency that will combine pseudonymous information. We recommend that you closely monitor the relevant legislative trends and discussions, and adequately assess and reflect any further impact to your business.

About Shin & Kim’s TMT Practice Group

Shin & Kim’s TMT practice possesses unparalleled expertise, experience and network within the information and communications technology (“ICT”) field (including former Vice
Minister of the Public Administration and Security, Mr. Young-Ho KIM, and former Vice
Minister of the Science, ICT and Future Planning, Mr. Jae-You CHOI).

Our team of industry and subject matter experts provides both domestic and foreign-based
businesses with the utmost professional advice on personal information protection (e.g., domestic & foreign personal information regulations such as the GDPR, responses to personal data leakage cases, development of compliance systems for personal information protection). Our lawyers (both Korean and foreign-licensed), former high-ranking government officials, and researchers provide practical legal advice on how to identify and contribute to the development and improvement of regulations relating to the broadcasting, communications and ICT fields. Our professionals also work with our clients to communicate with relevant government agencies to discuss ways to improve the legal and regulatory system. We also provide related legislative and public affairs consulting services (e.g., regulatory impact analysis, customized company strategy development).