Recent major amendments to three South Korean data privacy laws and their implications
Chris H Kang
Yulchon LLC, Seoul
Sun Hee Kim
Yulchon LLC, Seoul
On 9 January 2020, South Korea's National Assembly passed amendments (the 'Amendments') to the three major data privacy laws: the Personal Information Protection Act (PIPA); the Act on the Promotion of Information and Communications Network Utilisation and Information Protection ('Network Act'); and the Act on the Use and Protection of Credit Information ('Credit Information Act'). The Amendments are expected to come into force on 5 August 2020, except for certain provisions of the Credit Information Act, which will come into effect between one year and 18 months after promulgation.
The Amendments largely aim to:
• minimise the burden of redundant regulatory activities and confusion among regulated persons stemming from previously overlapping data privacy regulations and multiple supervisory bodies; and
• develop a 'data economy' by introducing the concept of 'pseudonymised data' and a legal basis on which data may be used more flexibly, to an extent reasonably related to the original purpose of collection.
This article briefly summarises key changes introduced by the Amendments and sheds some light on potential implications they may have on businesses.
The key amendments
Introduction of ‘pseudonymised data’ concept
The Amendments distinguish between 'personal data', 'pseudonymised data' and 'anonymised data', and exclude 'anonymised data' from the scope of personal data. Pseudonymised data may be processed without the data subject's consent if, generally speaking, the purpose of its use falls within the boundaries of preparing statistics, scientific research and keeping public records.
However, distinguishing between 'personal', 'pseudonymised' and 'anonymised' data is likely to be challenging given the lack of clear guidance. The consequence of wrongly characterising 'personal data' as 'pseudonymised data' could nevertheless be severe: the law provides for administrative fines of up to three per cent of the violator's annual turnover, and criminal penalties may also apply.
Permitting reasonable use of personal data without consent
The use of personal data without obtaining the data subject’s consent may be permitted if used ‘within a scope that is reasonably related to the original purpose of collection’ and ‘after considering whether the data subject’s rights would be infringed upon and/or measures to secure the integrity of the personal information have been properly taken.’
The recently announced draft Enforcement Decree of the PIPA further specifies that scope and those measures as follows:
• substantial relation between the original purpose of collection and intended use;
• predictability based on the circumstances under which data had been collected and customs of processing;
• such use does not unduly infringe on the data subject or any third-party’s interests; and
• if the purpose of such use may be achieved when the data is pseudonymised, data should be pseudonymised.
The scope and measures specified in the PIPA are similar to the 'compatible purpose' provisions of the GDPR (Article 6(4)).
There are concerns from businesses that the requirement to fulfil all of the above conditions could unreasonably limit the use of personal data. It will be interesting to see if these concerns have been addressed by regulators in the revised version of the draft Enforcement Decree.
Possibility of the amalgamation of data sets
Data sets held by different personal data controllers may be amalgamated, but only if, and to the extent that, the amalgamation is performed by a specialised agency designated under the regulations and in compliance with the prescribed requirements.
The draft Enforcement Decree of the PIPA provides that, in principle, the amalgamated data sets must be used within a designated location inside the specialised agency, and that the data processor needs the approval of the head of the specialised agency to take a data set outside the agency. Many companies have raised concerns that such restrictions could unreasonably deter the use of Big Data. Again, it will be interesting to see whether those concerns are addressed in the revised version of the draft Enforcement Decree.
Strengthening the Personal Data Protection Commission’s authority
Enforcement powers and authorities relating to the protection of personal data, which had previously been scattered across various government agencies, are now centralised to a greater degree in the Personal Data Protection Commission (PDPC).
Implications and key points
First, there is hope that companies will now be able to use data more flexibly by applying 'pseudonymisation' processes to their existing data sets, to the extent that the purpose of use falls within the boundaries of preparing statistics, research and retaining public records.
Second, while there is now some room to use personal data without expressly obtaining consent from the data subjects, companies will nonetheless need to establish justifiable grounds for doing so by evaluating the 'reasonable relevance' of the intended use to the original purpose of collection, and by keeping records of that evaluation.
Third, companies may now pursue opportunities to provide new services by amalgamating data sets generated in different industries, provided that they comply with the legal requirements specified in the law (eg, safety measures to ensure the integrity of the data sets). From a practical perspective, we anticipate that personal data controllers intending to amalgamate their data sets will need to agree between themselves on a number of issues in advance, including the choice of specialised agency, the temporary substitute key identifiers and the algorithms used to generate them, the scope of use, whether the data sets are expected to be further processed or released, and the retention periods. It will also be important to establish sufficient technical, organisational and physical security measures to protect the data from unauthorised access.
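The 'temporary substitute key identifier' mentioned above is, in practice, a keyed token that lets two controllers' records be matched without either side disclosing the direct identifier. The following is an added illustration written for this article, not code from the authors or from any Korean specialised agency, and it makes several assumptions: that the agency issues a fresh random project key for each amalgamation; that each controller replaces its direct identifier (here a hypothetical resident registration number field, `rrn`) with HMAC-SHA256 under that key before handing the data over; that the agency joins on the token inside its designated location; and that the token column is dropped before any data set is released. A plain hash without a key would not be adequate here, because identifiers drawn from a small, structured space can be recovered by exhaustive guessing; with a keyed token, that recovery requires the key, which is why the key stays with the agency and is destroyed when the project ends. The sample records are constructed.

```python
"""Pseudonymous record linkage with a temporary substitute key.

Added example (not from the article). Hypothetical scenario: a bank and a
telecom operator each hold a record on the same person, keyed by a direct
identifier 'rrn'. A specialised agency issues a per-project key; each
controller tokenises 'rrn' with HMAC-SHA256 under that key, the agency joins
on the token, and the token is stripped before release.
"""
import hashlib
import hmac
import secrets

# Direct identifiers that must never appear in data leaving the agency
# (assumed field names for this example).
DIRECT_IDENTIFIERS = ("rrn", "name", "phone")


def new_project_key() -> bytes:
    """A fresh 256-bit key per amalgamation project, held only by the agency."""
    return secrets.token_bytes(32)


def normalise(identifier: str) -> str:
    """Canonicalise formatting (hyphens, spaces, case) so the same person
    yields the same token at both controllers."""
    return "".join(ch for ch in identifier if ch.isalnum()).upper()


def substitute_key(project_key: bytes, identifier: str) -> str:
    """Temporary substitute key: HMAC-SHA256 of the normalised identifier.
    Different project keys give unlinkable tokens for the same person."""
    return hmac.new(project_key, normalise(identifier).encode("utf-8"),
                    hashlib.sha256).hexdigest()


def pseudonymise(records, id_field: str, project_key: bytes):
    """Replace the direct identifier column with the substitute key.
    This is what each controller does before sending data to the agency."""
    out = []
    for rec in records:
        rec_out = {k: v for k, v in rec.items() if k != id_field}
        rec_out["token"] = substitute_key(project_key, rec[id_field])
        out.append(rec_out)
    return out


def link(ds_a, ds_b):
    """Inner join on the substitute key, performed at the agency."""
    index = {rec["token"]: rec for rec in ds_b}
    joined = []
    for rec in ds_a:
        match = index.get(rec["token"])
        if match is not None:
            joined.append({**rec, **{k: v for k, v in match.items() if k != "token"}})
    return joined


def release(joined):
    """Drop the token before the data set leaves the agency, and refuse to
    release anything that still carries a direct identifier."""
    released = [{k: v for k, v in rec.items() if k != "token"} for rec in joined]
    for rec in released:
        leaked = [f for f in DIRECT_IDENTIFIERS if f in rec]
        if leaked:
            raise ValueError(f"direct identifier present in release: {leaked}")
    return released


# Constructed sample data: the first bank customer and the first telco
# subscriber are the same person, written with different formatting.
BANK = [
    {"rrn": "900101-1234567", "credit_band": "B"},
    {"rrn": "850505-2345678", "credit_band": "A"},
]
TELCO = [
    {"rrn": "9001011234567", "plan": "5G"},
    {"rrn": "770707-1112223", "plan": "LTE"},
]


def run_project(project_key: bytes):
    """End-to-end flow for one amalgamation project."""
    bank_tokens = pseudonymise(BANK, "rrn", project_key)
    telco_tokens = pseudonymise(TELCO, "rrn", project_key)
    return release(link(bank_tokens, telco_tokens))


if __name__ == "__main__":
    print(run_project(new_project_key()))
```

Running the block joins exactly one record (credit band B, plan 5G) and releases it without the `rrn` or the token; re-running with a new project key produces different tokens, so data sets from separate projects cannot be linked to each other.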
Finally, South Korea has yet to receive an adequacy decision from the European Commission, because the Commission found that the PDPC lacked sufficient independence. Since the Amendments transfer certain responsibilities from other bodies to the PDPC, it is hoped that South Korea will now receive an adequacy decision. On the premise that one is granted in the near future, we anticipate that South Korean companies' entry into the EU market will be facilitated, as transfers of personal data between South Korea and EU Member States will become easier. In this regard, companies will need to verify in advance whether they are subject to the EU's General Data Protection Regulation (GDPR) and, if so, ensure compliance with its requirements to reduce legal risk.