By Chris H. Kang, Sun Hee Kim and Doil Son. Firm: Yulchon
Korea has adopted changes to its data privacy laws to streamline regulatory supervision and introduce the concept of ‘pseudonymised data’.
On 9 January 2020, the Korean National Assembly passed amendments (collectively, the ‘Amendments’) to three major data privacy laws: the Personal Information Protection Act (‘PIPA’), the Act on the Promotion of Information and Communications Network Utilization and Information Protection (‘Network Act’) and the Act on the Use and Protection of Credit Information (‘Credit Information Act’).
The Amendments largely aim to:
- minimise the burden of redundant regulatory activities and confusion among regulated persons stemming from previously overlapping data privacy regulations and multiple supervisory bodies; and
- develop a ‘data economy’ by introducing the concept of ‘pseudonymised data’ and a legal basis upon which data may be utilised more flexibly (to an extent reasonably related to the original purpose of collection).
The Amendments will become effective six months from promulgation by the President, except for certain provisions in the Credit Information Act, which will come into effect one to one and a half years after its promulgation (as further specified in the Presidential Decree relating to it).
Please see below for a summary of key changes introduced by the Amendments. Specifics of the Amendments are yet to be finalised as the Enforcement Decrees and related official notices by governing bodies are not available at the time of writing.
Key Changes
PIPA
- Clarified concept of ‘personal data’:
  - Distinguished concepts of personal data, pseudonymised data and anonymised data (excluded anonymised data from the scope of personal data).
- Defined permissible scope of pseudonymised data processing:
  - Permitted processing of pseudonymised data for statistical, scientific research, or public interest record-keeping purposes.
  - Permitted combination of pseudonymised data of personal data controllers through specialised agencies.
- Imposed restrictions upon pseudonymised data processing.
- Permitted use and release of personal data without obtaining data subjects’ consent to an extent reasonably related to the original purpose of data collection.
- Elevated and strengthened the Personal Data Protection Commission (PDPC)’s status and powers.
- Added special provisions related to the deleted provisions of the previous Network Act.
- Effective date: six months after promulgation.
Network Act
- Deleted provisions related to the protection of personal data under the previous Network Act (i.e. PIPA will govern matters related to protection of personal data).
- Provided an explicit legal basis for delegating part of the authority of the Korean Communications Commission (KCC) to the Korean Communications Office.
- Effective date: six months after promulgation.
Credit Information Act
- Clarified the legal basis for analysing and using big data in the finance sector.
- Streamlined legal framework by addressing provisions that duplicate or are similar to those under the PIPA.
- Improved regulatory framework for the credit information industry.
- Introduced MyData Industry (providing consolidated-basis personal information verification and credit information and/or asset management, and establishing the processes through which the integrity of personal information may be secured in connection with it).
- Strengthened the protection of personal data in the finance sector.
- Effective date: six months after promulgation, provided that certain provisions will become effective on a different date as further specified in the Enforcement Decree.
Reasonable use of ‘Personal Data’ without obtaining consent
Under the amended PIPA (Paragraph (3) of Article 15 and Paragraph (4) of Article 17), a personal data controller will be permitted to use and release personal data without obtaining the consent of the data subject in the manner prescribed by Presidential Decree: ‘within a scope that is reasonably related to the original purpose of collection’ and ‘after considering whether the data subject’s rights would be infringed upon and/or measures to secure the integrity of the personal information have been properly taken.’
Although we await the Enforcement Decree to guide us on the interpretation of the phrase ‘within a scope that is reasonably related to the original purpose of collection,’ an official notice issued by the Ministry of the Interior and Safety on 9 January 2020 mentions that matters such as the ‘circumstances under which personal data were collected,’ ‘level of sensitivity of the personal data at stake,’ ‘potential impact which may be imposed upon the data subjects’ and ‘whether proper safeguard measures are in place’ should be considered when determining whether the proposed use satisfies this ‘reasonableness’ test.
The Ministry’s position appears to be similar to that in Recital 50 of the European Union’s GDPR, which provides that:
‘[t]he processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected.’
Recital 50 of the GDPR stipulates that one should take into account, inter alia, ‘the context in which the personal data have been collected,’ ‘the reasonable expectations of data subjects […] as to their further use,’ ‘the nature of the personal data,’ ‘the consequences of the intended further processing for data subjects,’ and ‘the existence of appropriate safeguards in [… the] intended further processing operations’ in order to ascertain whether a purpose of further processing is compatible with the original purpose of collection.
Accordingly, we anticipate that organisations will probably need to establish justifiable grounds for use of personal information without obtaining the data subject’s consent by evaluating the ‘reasonable relevance’ of personal data that they intend to use and maintaining and preserving relevant records.
Facilitation of EU market access by responding to GDPR
Korea has yet to receive an adequacy decision from the European Commission because of the Commission’s finding of a lack of independence on the part of the PDPC, which has been the body with the authority to enforce and oversee personal data protection matters in Korea. Since the Amendments have transferred certain authorities from other bodies to the PDPC, as previously mentioned, it is hoped that Korea will be able to receive an adequacy decision from the European Commission.
Assuming that an adequacy decision will soon be received, we anticipate that Korean companies’ entry into the EU market may be facilitated, as transfer of personal data from EU member states to Korea will become easier. Companies will need to verify in advance whether they are subject to the GDPR and, if so, ensure compliance with the legal requirements set out under the GDPR to reduce legal risk.