In connection with the Internet of Things (“IoT”), a recently advancing core technology and industry, the concerns of potential breach in personal information are increasing, which makes a discussion for improvement in personal information protection policy necessary.

The IBM Security Intelligence is currently forecasting that approximately 212 billion units of IoT devices will be loaded in medical devices, automobiles and homes by 2020 and more than 30 billion units will be activated during such time. To put this in economic terms, the IBM Security Intelligence is forecasting the creation of a mega-size market worth USD 9 trillion by 2020. However, the vitalization of IoT also means that the number of devices connected to the Internet will increase, which ultimately enables the collection of a voluminous quantity of personal information. Therefore, as shown in the example below, there are instances where the direction of commercialization or service is altered due to the possibility of personal information breach and need for protection.

  • Movement Positioning Device Utilizing Beacon Technology

A movement position device collects location information of consumers through Beacon technology and subsequently analyzes taste, anticipated course of movement and other relevant information collected. Some retailers have suspended the movement positioning service because the above functions raise concerns of infringing upon the privacy of consumers

Although there are demands for regulations concerning personal information protection in the IoT industry, excessive regulations may impede the vitalization of such industry. For the past few years, several incidents of large-scale personal information breaches through hacking and other cyberattacks resulted in the gradual strengthening of regulations on personal information protection in Korea. Moreover, punitive damages and statutory damages regimes were introduced in the Korean legal framework for personal information protection through amendments to the “Use and Protection of Credit Information Act” and the “Personal Information Protection Act.” However, enhanced regulation does not always secure the protection for IoT users. Rather, a tough regulatory regime may act as an entry barrier for new companies, thereby impeding competition and even eliminating the global competitiveness of Korean companies. Therefore, achieving an appropriate balance is necessary. As one measure to achieve such balance, adequately supplementing regulations to support the protection for users’ personal information and reasonable growth of the IoT industry is necessary.

One example of supplementing the regulatory regime is the Act on the Protection, Use, Etc., of Location Information implemented on August 4, 2015. The above act relaxed the entry regulation for the locationbased service businesses by abolishing the reporting obligation for person(s) that intends to engage in location-based service business which does not use personal location information. In accordance with such reformation, the location information for an automobile would no longer be continuously received by a given location-based service provider. However, for example, once such automobile is stolen the information to pinpoint the location of the stolen automobile would be transmitted to the location-based service provider since, at such time, the location information would not be the “person information” of the owner of such automobile but merely the “location information” of the automobile. Therefore, in the case of an enterpriser that seeks to launch the relevant service described above after August 4, 2015, it would no longer be burdened with the reporting obligation under Korean law.

However, with respect to the IoT Industry, additional improvement in the regulatory regime remains necessary due to the personal information protection issues, and the following items may be considered in effectuating such improvement in the current regulatory regime:

  • By establishing supplemental interpretive standards for the definition of personal information, predictability of the scope of personal information protected by regulations may be enhanced.
  • Aside from the existing opt-in method which requires the prior consent for collection and use of personal information, an opt-out method which grants the user the right to demand suspension of personal information handling may be introduced to relax the regulatory rigidity.
  • Information where reasonable methods were taken so that such information was non-identifiable information may be excluded from the scope of personal information, thereby enabling the flexible utilization of personal information.
  • Security levels may be enhanced to prevent personal information infringement incidents, such as through hacking and other cyberattacks.