[Asking the Path to the Data Economy] No Utilization, Only Layers of Regulation... Even the Enforcement Decree Is Tangled

[Asia Economy reporters Seulgina Jo and Heungsun Kim] "Contrary to the purpose of the law, the contents of the enforcement decree give a strong impression of excessive distrust toward private companies and stakeholders."

"It might only be possible to combine and actually use the data by the end of this year. There are many requirements to prepare and apply it on-site, but progress is too slow."

With about a month left until the enforcement of the Data 3 Act (Personal Information Protection Act, Information and Communications Network Act, Credit Information Act) on August 5, concerns from academia and industry are growing. Despite the legislative intent to promote the smooth use of data in the data economy era, where 'data creates value,' the subordinate laws are instead strengthening regulations. In response to industry backlash, the government has announced plans to delete or revise some provisions of the subordinate laws, but criticism continues that the focus is still more on 'protection' than 'utilization' of data. On the 2nd, Asia Economy examined the problems and improvement directions of the enforcement decree of the Data 3 Act based on experts' opinions.

The common point raised by experts is Article 14, Paragraph 2 of the amended enforcement decree of the Personal Information Protection Act, which deals with additional use and provision criteria of personal information. It specifies four conditions: ▲additional use of personal information must be substantially related to the original collection purpose, ▲it must be predictable based on the circumstances of collection and processing practices that additional use is possible, ▲additional use must not unjustly infringe on the interests of the data subject or third parties, and ▲pseudonymization must be mandatory if the additional use purpose can be achieved through pseudonymization. The enforcement decree stipulates that all these conditions must be 'fully met' for additional use of personal information to be allowed.

An anonymous legal expert said, "The enforcement decree emphasizes personal information protection and even reflects opinions from civic and social groups concerned about human rights violations, resulting in provisions not stipulated in the law, causing inconsistencies," adding, "The clause requiring all conditions to be met is excessively strict, so it would be preferable to revise it to 'comprehensively consider' the conditions." Jaehwan Kim, Policy Director of the Korea Internet Corporations Association, also pointed out, "Meeting all four conditions makes it difficult to apply in actual work," and warned, "It could lead to numerous legal disputes."

The Korea Chamber of Commerce and Industry also expressed at a meeting last month regarding the enforcement decree that the meaning of 'substantial relation' is unclear and that requiring predictability of additional use based on collection circumstances and processing practices is excessively strict. The Ministry of the Interior and Safety stated it would consider deleting the word 'substantial' from 'substantial relation' and revising 'collection circumstances and processing practices' to 'collection circumstances or processing practices.' The controversial phrase regarding 'infringement of third-party interests' will undergo further consultation. However, the mandatory pseudonymization even when not necessary was not included in the review.

There are also criticisms that the government arbitrarily modifying the scope of subordinate laws violates the legal system. Seongyeop Lee, President of the Korea Data Law Policy Association (Professor at Korea University Graduate School of Technology Management), emphasized, "Regardless of the practical issues of data protection or utilization, the legal system must be considered," and added, "The executive branch should not enact subordinate laws beyond the scope of laws enacted by the National Assembly." He pointed out as a problem that while the law considers only the interests of the data subject, the enforcement decree extends the scope infinitely by including third-party interests.

A notable part of the Data 3 Act is the introduction of the concept of 'pseudonymized information.' Pseudonymized information refers to data where some personal information is deleted or replaced so that individuals cannot be identified without additional information. Utilizing this allows additional use or provision of personal information without the data subject's consent, expected to aid various services and technology development. However, the conditions are strict. According to Articles 29, Paragraphs 2, 3, and 4 of the amended enforcement decree of the Personal Information Protection Act related to pseudonymized information combination, the requesting institution must follow a two-step procedure.

For example, Company A and Company B submit a combination application to a specialized institution designated by the Chairperson of the Personal Information Protection Commission or the head of the relevant central administrative agency, receive approval, and analyze the combined information in a secure analysis space within the specialized institution. Prior to this, identifiers are encrypted through a linkage information generation (combination key management) institution such as the Korea Internet & Security Agency. To export combined information externally, safety evaluation and approval from the specialized institution are also required.

Legal scholars argue that this procedure is an excessive regulation compared to the Credit Information Act. According to Article 22, Paragraph 4 of the amended enforcement decree of the Credit Information Act, when a financial company wants to combine data, it applies to a specialized institution designated by the Financial Services Commission and, after sufficient safety measures such as pseudonymization, anonymization, and appropriateness evaluation, can provide data to the requesting institution. Compared to the Personal Information Protection Act, there is no restriction on the analysis location of pseudonymized information, and conditions for external export are simpler.

A legal expert said, "Ultimately, this can be interpreted as a signal of distrust toward private companies that want to utilize data. Having police does not make thieves disappear; the emphasis on data protection makes the amendment overly cautious," and argued, "It should be unified to the level of the Credit Information Act." The Ministry of the Interior and Safety explained, "Unlike the Credit Information Act, which only passes through the specialized institution, the two-step process involving the combination key management institution and the specialized institution is to prepare against hacking attacks from outside."

Additionally, experts pointed out the need to revise Article 29, Paragraph 5 of the amended enforcement decree of the Personal Information Protection Act, which mandates destruction of pseudonymized information once the processing purpose is achieved or the retention period has elapsed. Despite penal provisions such as imprisonment up to five years or fines up to 50 million KRW for processing pseudonymized information to identify specific individuals, separately mandating destruction of carefully analyzed information is considered excessive. President Lee said, "The law exempts the obligation to destroy de-identified pseudonymized information, so reflecting this clause in the enforcement decree is inconsistent with the legal system," suggesting the need for deletion.

Academia and industry voices call for urgent clear guidelines on pseudonymized information to resolve uncertainties within the enforcement decree, but it is known that discussions are proceeding only among some officials and sharing with the field is slow. Gwangwon Jo, President of the Korea Data Industry Association and operator of a big data company, emphasized, "Instead of creating guidelines in a black-box manner, a draft should be disclosed and additional opinions from stakeholders collected before finalization."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.