On December 4, 2019, the Korean National Assembly’s Science, ICT, Broadcasting, and Communications Committee passed the revised bill of the “Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.” (hereinafter “Network Act”).
Now, the so-called Three Major Data Laws have all passed the relevant standing committees within the Korean parliament, and await the final steps in the process – the approval by the National Assembly’s Legislation and Judiciary Committee, followed by the passage of the bills by the National Assembly in the plenary session. The earliest we expect such approval to occur is by the end of this year. Even if this occurs, the Three Major Data Laws will take effect in 2020, allowing companies to use pseudonymized information.
The Three Major Data Laws were proposed over one year ago, on November 15, 2018. The revised set of bills aims to strike a balance between the use and protection of personal information, and promote data-based industries of the future.
1. Background and Purpose of the Revisions
In the meetings of the Presidential Committee on the Fourth Industrial Revolution held in February and April 2018, representatives of civic organizations, industry and legal experts, and key government stakeholders, among others, agreed to introduce regulations on pseudonymized information and to improve the personal information management system, all with the goal of promoting the use of personal information.
Due to differences in opinion between the ruling and opposition parties, as well as opposition by civic organizations, the relevant National Assembly standing committees did not pass these bills for approximately one year. Just prior to the expiration of the 20th National Assembly, the standing committees have recently passed the three revised bills, enabling the legislative process to move forward.
2. Summary of Revised Legislation
A. Overview of the Proposed Changes to PIPA
Introduction of pseudonymized information: The use of pseudonymized information is provided for by: (i) defining the concept of pseudonymized information, through which a specific individual may not be identified unless used or combined with additional information; (ii) enabling the use and provision of pseudonymized information without the prior consent of the information subject for the purpose of statistics, scientific research, and preservation of public records; and (iii) ensuring that the combination of pseudonymized information between companies is managed by the “Personal Information Protection Commission” or another specialized agency designated by the relevant government (administrative) agency.
Introduction of compatibility: A personal information (or data) controller is allowed to use personal information of the information subject without prior consent by taking certain protection measures, to the extent that such use is consistent with the purpose of information collection and is deemed reasonably relevant, applying the concept of compatibility within the scope of purpose as defined by the EU GDPR.
Establishment of criteria for combining information: Criteria for whether personal information may easily be combined with other information are clearly set forth in the definition of personal information under the current law. This has been done to reduce confusion in the application of the laws, and anonymous information is excluded from application of these laws.
Streamlining personal information regulatory authorities: Under the revision, the newly established Personal Information Protection Commission is elevated to a central administrative agency reporting to the Prime Minister. Also, personal information protection services handled by the Ministry of Public Administration and Security, Korea Communications Commission, and the Personal Information Protection Commission will be unified (under the Personal Information Protection Commission).
- The Personal Information Protection Commission will be comprised of nine members who are to be appointed by the President, including the chairperson and the vice-chairperson, who are also to be recommended by the Prime Minister, two members to be recommended by the chairperson and the ruling party, respectively, as well as three members, who are to be recommended by the opposition party.
B. Overview of the Proposed Changes to the Network Act
Provisions relating to personal information protection: Provisions related to personal information protection set forth in the Network Act are deleted and transferred to the PIPA. Further, the regulation and supervision of online personal information protection are no longer to be managed by the Korea Communications Commission, but by the Personal Information Protection Commission.
C. Overview of the Proposed Changes to the Credit Act
Introduction of pseudonymized information: Under the bill, pseudonymized information is introduced for data utilization and protection in the finance sector, and the scope of the use and provision will be expanded. Also, legal grounds for data combination and a specialized agency for data protection are established.
Restructuring of the credit information industry: The existing credit inquiry services will be divided into several different services, including a personal credit rating service, an individual business credit rating service, and a company credit rating service. This is being done to improve the regulatory framework of the credit information industry. Additionally, a self-credit information management service (“MyData”) is being introduced to support credit management of the individual credit information subject.
Strengthening the right of the information subject (informed consent): First, under the revision, the personal information collection and usage agreement is being simplified. Also, the organizations that wish to use the information subject’s personal information must provide the information subject with the purpose and the reasons for whether to give consent. Also, a personal information protection rating system and the right to data portability are being introduced. Further, the information subject must be provided with several protection measures in relation to personal credit rating and automated individual decision-making and profiling, including the request to comment on the result, and the right of appeal.
3. Significance & Potential Implications
Key reasons for the revised bills include the desire of the Korean government to focus on the establishment of grounds for the appropriate use of data, which will be the key resources in the Fourth Industrial Revolution era, while enabling companies to widely utilize personal information for various purposes, which will help promote the industries that are becoming increasingly defined by big data. However, many civic organizations are still against the introduction of pseudonymized information, so there may be differing opinions regarding the interpretation and the application of the revised bills.
As such, we will need to continue monitoring related regulatory trends, including the Korean government’s stance and provision of details, authoritative interpretation, manual/guidelines on enforcement, precedents, among others. Moreover, it should be noted that the PIPA includes strong punishment provisions, such as providing for a criminal penalty for violation of the laws.
Should the Three Major Data Laws pass through the National Assembly plenary session, South Korea is highly likely to obtain a GDPR adequacy decision, and transfer of personal information from the EU to Korea may become easier.