[Asking the Way to the Data Economy - Opinion] Easing Requirements for 'Additional Use and Provision of Personal Information' Is Key

We have truly entered the data era, and it is undeniable that data is the foundation of new innovations and opportunities. By its nature, data has no value if left unused, but it can create infinite value through combination. However, among data, 'personal information' is closely related to privacy protection and must be handled very carefully. The Personal Information Protection Act, passed by the National Assembly on January 9 this year, introduced the concept of 'pseudonymized information.' In other words, if personal information is processed in a way that deletes or replaces some parts so that a specific individual cannot be identified without additional information, it can be utilized without the consent of the data subject.

Another major change is that, unlike the previous law which required the consent of the data subject for uses other than the original purpose of collecting personal information, the revised law allows the use of personal information without consent within the 'reasonably related scope' to the original collection purpose (Article 15, Paragraph 3 and Article 17, Paragraph 4 of the amended law). For example, if Company A uses customer relationship management (CRM) data for marketing its new products, this can be considered an additional use of personal information within a reasonable scope.

However, in the above case, if the CRM data is provided to another company to support their marketing, it would be considered beyond the reasonable scope and require separate consent. It is difficult to recognize reasonable relevance when a governor uses personal information collected during their term for their election campaign after leaving office.

The draft enforcement decree requires all of the following to be met: ① significant relevance between the additional processing purpose and the original collection purpose, ② predictability based on the circumstances of collection and processing practices, ③ the additional use does not unjustly infringe on the interests of the data subject or third parties, and ④ if the additional use purpose can be achieved through pseudonymization, pseudonymization must be applied. These standards are considered more stringent and strict compared to Japan’s information protection law guidelines and the European Union (EU) GDPR, and criticism has been raised that they may undermine the purpose of the amended law, which was established after long struggles to promote data utilization.

In the EU, the compatibility between the original purpose and the additional purpose is not actively required; rather, it is only stipulated that additional use should not be incompatible with the original purpose (GDPR 5.1). This so-called negative regulation approach secures flexibility in application. Furthermore, five criteria to judge the relevance to the original purpose are presented (GDPR 6.4), and these are to be comprehensively considered.

Recently, the Ministry of the Interior and Safety, reflecting industry opinions, decided to consider deleting 'significant' from the first requirement regarding the relevance between the additional processing purpose and the collection purpose, and to revise the second requirement from 'circumstances of collection and processing practices' to 'circumstances of collection or processing practices.' Although this feedback process is evaluated as appropriate, it still feels insufficient. The types and reasons for additional data processing can vary widely in the field, but requiring all four conditions to be met makes flexible application of 'reasonable relevance' difficult and risks undermining the original intent of the amended law.

Additionally, the amended law includes a fourth requirement concerning pseudonymization alongside safety measures for personal information. Safety measures can include various actions such as encryption and pseudonymization, but if pseudonymization is mandated as a requirement, it imposes an additional burden to apply pseudonymization even when safety has already been ensured through other measures.

In my view, 'additional use and provision of personal information' is a core issue in data utilization, and it is reasonable to apply a method that assesses reasonable relevance by substantially comparing the original and additional purposes and comprehensively considering multiple factors on a case-by-case basis, as seen in legislative examples from the EU and Japan.

Seungwoo Son, Professor, Department of Industrial Security, Chung-Ang University