[Asia Economy Reporter Seulgina Jo] With less than two months remaining until the enforcement of the Data 3 Laws (Personal Information Protection Act, Information and Communications Network Act, Credit Information Act), it is difficult to find companies preparing related businesses. The enthusiasm seen when the laws passed the National Assembly earlier this year has completely disappeared, and instead, businesses that were under consideration are being put on hold. This indicates that the enforcement decree fails to reflect the intent of the law amendments at all. The Data 3 Laws, which aim to pave the way for the use of pseudonymized information and foster the big data industry, are being hampered by the subordinate legislation, the enforcement decree.
◆ "Difficult to Utilize Information" Examining the Problematic Provisions = The most controversial issue ahead of the Ministry of the Interior and Safety’s planned announcement of the revised enforcement decree of the Personal Information Protection Act this week is 'Article 14, Paragraph 2.' To use personal information additionally, there must be a 'substantial relevance' to the original collection purpose, and it must not infringe on the 'interests of third parties.' At the same time, the additional use must be predictable based on 'processing practices.' Moreover, the decree mandates pseudonymization even in cases where it is not necessary, requiring all four conditions to be met, leading to criticism that there is hardly any information that can be practically utilized.
This is much stricter than the European Union’s General Data Protection Regulation (GDPR), which is recognized as a global standard. Especially, ambiguous terms such as 'substantial relevance,' 'based on practices,' and 'interests of third parties' are used extensively in the enforcement decree, causing further confusion among companies. Since failure to legally prove 'substantial relevance' and 'based on practices' can lead to criminal penalties, there is an outcry that businesses must wait for court precedents before proceeding. This has led to criticism that the provisions are "like earrings when hung on the ear, nose rings when hung on the nose," meaning they are arbitrarily interpreted.
Kim Jaehwan, Policy Director at the Korea Internet Corporations Association, pointed out, "Requiring all four conditions to be met makes practical application difficult," and called it "excessively rigid." Attorney Jang Junyoung from Sejong Law Firm also attended a recent seminar on the topic and noted, "It is stricter than the EU GDPR," adding, "Whether information can be used varies by individual cases, and there are many gray zones."
There is also criticism that limiting the physical space where data combination can occur, as stipulated in the pseudonymized information combination procedure (Article 29), is an outdated idea. Unlike the Credit Information Act, which requires going through only a data combination specialized institution, the Personal Information Protection Act complicates the process by requiring two institutions.
◆ Will It End Up as a 'Bitter Pill'? Industry Pushback = The problem is that despite repeated criticism, the current revision may be pushed through as is. The Ministry of the Interior and Safety is proceeding with the legislative notice of the enforcement decree and announcement without clear responses to opinions submitted by the industry during the revision process. It is reported that the joint online forum held late last month by the Ministry of the Interior and Safety, the Korea Communications Commission, and the Financial Services Commission?the main ministries responsible for the Data 3 Laws?did not sufficiently gather opinions.
An official who attended the forum expressed concern, saying, "Many experts from academia and industry proposed numerous amendments, but the relevant ministries have remained silent," adding, "We are confused as we cannot even know the progress." If pushed through as is, it is pointed out that the confusion in the industry will worsen and the law will run counter to the social atmosphere, including the Korean-style Digital New Deal. A Korea Communications Commission official said, "These are all commonly pointed out issues," but refrained from commenting on the possibility of revising the problematic provisions.
According to market research firm IDC, the data-related market size is expected to grow from $166 billion in 2018 to $260 billion in 2022. While a data trading market worth 200 trillion won has been activated mainly in the private sector in the United States, Korea, which claims to be an ICT powerhouse, is criticized for being hampered by potential violations of personal information laws and unable to carry out proper activities. In the 'World Digital Competitiveness Ranking 2019' released by the Swiss International Institute for Management Development (IMD), Korea ranked high overall but was 40th out of 64 countries in the 'big data utilization and analysis' category. The data industry is especially considered a sector that must be activated for Korea to become an AI powerhouse, as emphasized by the government.
Experts raise their voices that the enforcement decree must reflect the intent of the parent law, as the Data 3 Laws could be the core of the Korean-style New Deal and digital infrastructure construction that the government is currently promoting. Kim said, "Excessive regulations and infringements on legislative authority must be revised in line with the purpose of the Data 3 Laws."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
!["The Woman Who Threw Herself into the Water Clutching a Stolen Dior Bag"...A Grotesque Success Story That Shakes the Korean Psyche [Slate]](https://cwcontent.asiae.co.kr/asiaresize/183/2026021902243444107_1771435474.jpg)
