Ministry of the Interior and Safety, KCC, and FSC Announce Legislative Notice for Amendment to Data 3 Acts Enforcement Decree on 31st
De-identified Information Can Be Exported with Approval for Combination ... Financial Transaction Information Also Usable in MyData Industry
[Asia Economy Reporter Jo In-kyung] Starting from July, businesses handling personal information (personal information processors) will be able to utilize collected personal information without consent if certain conditions are met, such as not unfairly infringing on the interests of data subjects or third parties. Additionally, personal credit information such as financial transaction data can be provided to personal credit evaluation companies or the MyData industry for use.
The Ministry of the Interior and Safety, the Korea Communications Commission, and the Financial Services Commission announced on the 30th that from the 31st, they will publicly notify the amendment to the enforcement decree of the Data 3 Laws (Personal Information Protection Act, Information and Communications Network Act, Credit Information Act) reflecting these contents. This procedure regulates delegated matters necessary for the enforcement of the law following its passage in the National Assembly last January.
This enforcement decree includes standards under which personal information processors can additionally use or provide personal information without the consent of the data subject. It allows additional use and provision within the scope that does not infringe on the interests of the data subject or third parties, and permits the combination of pseudonymized information according to prescribed procedures and methods to prevent identification of specific individuals, while also enabling support for safe combination during this process.
Personal information processors wishing to combine and utilize pseudonymized information can submit a combination application to a specialized institution designated by the Chairperson of the Personal Information Protection Commission or the head of the relevant central administrative agency. The combined pseudonymized information can be exported outside the specialized institution after safety evaluation and approval by the specialized institution.
However, personal information processors who fail to comply with safety measures will generally be subject to fines of up to 30 million KRW. In cases where non-compliance leads to loss, theft, or leakage of personal information, imprisonment of up to 2 years or fines of up to 20 million KRW may be imposed.
Furthermore, if pseudonymized information is processed with the intent to re-identify the data subject, imprisonment of up to 5 years or fines of up to 50 million KRW, along with administrative fines up to 3% of total sales, may be imposed.
Biometric information and racial/ethnic information are included as sensitive information to ensure stronger protection. Processing of sensitive information is only allowed with separate consent or when permitted by law.
To systematically protect personal information, the number of members of the specialized committee has been increased from the original 10 to 20, improving the committee’s operational system.
In addition, credit information such as individual purchase history or bank account details can be processed as pseudonymized information and utilized by personal credit evaluation companies or the MyData industry. The right of data subjects to request transmission of their personal credit information has been introduced, allowing financial companies and others to provide financial transaction information they hold, public information such as national and local taxes, insurance premium payment information, and other major transaction details to the data subject themselves, financial companies, and personal credit evaluation companies.
Moreover, to ensure the safety of credit information businesses, they must meet specialized personnel requirements (2 to 10 people) according to capital requirements (500 million to 5 billion KRW) per license unit, and are allowed to engage in various data-related tasks using their data analysis expertise by obtaining licenses under other laws.
Financial companies and credit information businesses must check their compliance with the Credit Information Act at least once a year and submit the results to a self-regulatory organization.
This enforcement decree is expected to be applied from July, coinciding with the law’s enforcement date, after public notification, consultation with related agencies, and the Cabinet meeting.
Yoon Jong-in, Vice Minister of the Ministry of the Interior and Safety, stated, "Considering the high public interest in the Data 3 Laws, we will hold joint online public hearings with related ministries during the public notification period and actively reflect opinions from various sectors in the enforcement decree and notifications."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
