Bills before legislature seek to revise main data regulations, to better recognize pseudonymization and facilitate data aggregation and related services.
Amendments to Personal Information Protection Act and Credit Information Protection Act appear likely to pass within first half of 2019, with effect from around second half of 2019.
Bills would consolidate and vest regulatory authority in Personal Information Protection Commission.
Main provisions tend to align with GDPR and are geared toward a GDPR “adequacy” decision.
Korea’s regulatory framework for personal data regulation appears on the verge of changing significantly, to better enable a “4th industrial revolution” range of data-crunching based services. A group of bills, introduced in the National Assembly in November 2018, would amend the main personal information and credit information protection laws, to allow for a significant scope of processing, analysis and storage of pseudonymized personal information. Evidently backed by the Blue House (along with the important Presidential Committee on the Fourth Industrial Revolution), the bills seem likely to advance without major delay or modification, perhaps passing as early as 1Q 2019 (so as to take force later in 2019). The rules would be subject to further standards and other details to be defined by Presidential Enforcement Decree (or prime implementing regulation). However, the amendments would certainly loosen present strictures for “Big Data” business models.
The proposed amendments to the Personal Information Protection Act (PIPA) and the Credit Information Protection Act (CIPA) would (i) clarify the meaning of “personal information” (PI) and add a concept of “pseudonymized information” (called PsI in this bulletin); (ii) expand the scope of usage of PI that is permissible without individual consent, subject to the additional purposes being compatible with the primary purposes of data collection, and subject to fulfillment of a minimum level of encryption or other security process, to be further stipulated in the Presidential Enforcement Decree (ED); and (iii) free up statistical output using PsI, along with further usage of that data subject to ED-defined security measures. The bills would vest many data regulation functions in the Personal Information Protection Commission (currently more a policy and planning body), including standard-setting, monitoring and enforcement.
If amended as proposed, PIPA would permit a broader range of usage of PI once collected, provided that the usage is sufficiently related to the original or main purpose, is not detrimental to the individuals, and involves encryption and/or other security measures, to be later defined in the ED. (At the same time, the bills would resolve a persisting overlap in PI regulation between PIPA and a related statute called the Act on the Promotion of Information and Communications Network Utilization and Information Protection, etc., which governs telecom and online businesses.)
The amended PIPA would recognize pseudonymized information (PsI) as a new category, subject to a broader permitted scope of usage and processing (without individuals’ consent, which is required under current rules). PsI is defined as information that has been pseudonymized so that a specific individual is not identifiable by that information without using, or combining it with, additional information so as to restore it to its original state. (This pseudonymized information definition is analogous to the one under GDPR, the General Data Protection Regulation that took effect in the EU in 2018.) Separately, the amended PIPA would define the related concept of information being “identifiable” when combined with other information, clarifying that this will involve issues such as the reasonability of time and expense required for identification.
The amended statute would allow production of statistical information from PsI, including for business purposes, and permit scientific research, public purpose recordkeeping and certain other public-oriented uses, provided that further processing and re-combination of PsI would have to meet security requirements, to be defined later in the ED. (While freeing up the use of PsI, the amended statute would impose new, fairly stiff penalties (including criminal), in case of re-identifying data with specific individuals.)
At the same time, proposed amendments to CIPA would, in ways similar to the PIPA amendments, reset the rules governing individual financial and banking information, to allow latitude for “Big Data” processing, new types of credit information services, and data portability.
Consistent with the proposed changes to PIPA, the new credit information rules would allow a somewhat wider scope for collection and usage of credit-related PI (without need of individual consent). Among other things, businesses that collect such PI from their customers in order to provide a given service would be permitted to transfer the PI to third parties (without specific consent of customers) for purposes of carrying out that service. (Such “entrustment” is allowed under the PIPA, but the issue is unclear for credit-related PI under the current CIPA.)
As with PIPA, the amended CIPA would recognize the category of pseudonymized credit information, and permit production of statistics from such PsI (including for business purposes), as well as various public-oriented purposes. Further processing and re-combination would be subject to compliance with security measures, to be defined under the ED. At the same time, as with general PsI, there would be potentially stiff penalties for re-identification of data.
The rules, consistent with GDPR, would provide for a right to object to “automated ratings” of credit, and provide for portability of credit data (a “right to demand transfer”). As new business subcategories for which use of credit PI will be allowed (and in line with the government’s push to open the way for “MyData” systems), the amended CIPA would introduce “expert personal credit rating services” and “personal credit management business”. (Relating to the latter, the amended statute would specifically prohibit “screen scraping”, and move to an API-based framework.)
The bills also seek to modify the government administrative framework: the amended PIPA and CIPA would concentrate in the Personal Information Protection Commission a range of PI regulatory functions (currently within the purview of the Ministry of Interior & Safety, the Korea Communications Commission and, partly, the Financial Services Commission), including the drawing up of model privacy policies, certification of data protection levels, and monitoring, investigative and enforcement functions. The re-allocation of authority would seem to be intended, at least in part, to meet GDPR standards for an “independent regulator”, so as to achieve an adequacy decision freeing up data transfers from the EU to Korea.
In summary, the pending legislation would clarify, and in significant respects relax, constraints on use of PI generally. The bills would also introduce pseudonymized information (following the GDPR model) and, with such PsI as base, allow a considerably wider scope for data processing, of PI in general as well as credit-related PI. (At the same time, in introducing fairly rigorous penalties in case of re-identification or other misuse of data, the amended statutes would call for careful internal monitoring for compliance.)
The bills would also institute important elements for a “MyData” regime of data portability and more tailored financial advisory services. A number of issues, however, including the likely need for standardization in the processes surrounding data portability, would remain to be further determined.
The amendments appear likely to reach passage (largely as is) within a few months, possibly with effect as early as 3Q 2019. If passed, and while various sub-rules and requirements remain to be settled in detail, the new rules will certainly have a major impact on the landscape of personal information regulation in Korea.