The amended Act on Protection of Personal Information (APPI) came partially into force on 1 January 2016. To become fully in force, further details and amendments have to be determined by the newly established Personal Information Protection Commission (PPC).
The PPC released draft amendments to the APPI's Order for Enforcement and Ordinance for Enforcement, which were open for public comment from 2-31 August 2016. The amendments include detailed definitions for the terms "personal identification code", "sensitive personal information", "deidentified information database, etc." that have been newly introduced under the amended APPI. For example, "sensitive personal information" as defined under the APPI includes a person's race, creed, social status, medical history, criminal records, the fact that a person has incurred damages through an offense, etc. The amended Order for Enforcement and Ordinance for Enforcement elaborate on the types of medical history and criminal records that would be regarded as "sensitive personal information".
Further, the amended Ordinance for Enforcement clarifies the process for notification to the Personal Information Protection Commission (PPC), including the following:
- process for sharing of personal data via the opt-out method;
- standards for sharing of personal data with third parties located in a foreign country;
- recording and verification for sharing of personal data with third parties; and
- standards for de-identifying personal information.
The results of the public comments have yet to be released. It is anticipated that the draft amendments to the various guidelines on the APPI will be released for public comment, before the amended APPI comes into full effect on 7 September 2017.