[Asking the Way to the Data Economy - Opinion] "Dataset Integration Should Allow Flexible Approaches in Practice"

Efforts to rediscover the driving force of our economy based on data?such as the 4th Industrial Revolution, data economy, big data, artificial intelligence (AI), and data trading?are underway from various perspectives. The so-called combination of information aggregates (datasets) has been a primary means of creating new services and products and improving service quality, but it has also sparked significant controversy during the amendment process of the three data-related laws due to the increased risk of privacy infringement.

The combination of datasets involves pseudonymizing data managed separately by different personal information processors so that individuals cannot be identified without additional information, and then combining the data in its pseudonymized state to create new datasets. Of course, certain safeguards must be devised to prevent re-identification.

From the standpoint of privacy protection, there is a re-identification scenario where data analysts independently use their background knowledge or investigate other publicly available information to unintentionally identify the data subject. Since actual research papers mention cases where such re-identification is possible, there is concern that the risk of privacy infringement could significantly increase. On the other hand, businesses considering new service development through large-scale data analysis using AI and the combination of tens of millions of datasets view these analog re-identification scenarios as unrealistic and worry that such concerns might stifle the data industry. The never-ending debate between privacy advocates and data utilization proponents seems to stem from assuming these different scenarios.

As a compromise, the amended Personal Information Protection Act and Credit Information Act’s data combination system was established after long and difficult discussions and compromises among various interest groups and experts, settling on pseudonymization-based combination and proceeding in its current form. However, by choosing a unique combination system unprecedented worldwide, it faces many uncertainties as its implementation approaches.

It cannot be denied that the foreign legislation most frequently referenced regarding pseudonymization is the European Union’s General Data Protection Regulation (GDPR). However, while the GDPR fundamentally adopts a risk-based approach, our legislation takes a rule-based approach. In other words, the difference lies between an approach that requires appropriate regulation and supplementary measures according to the degree of risk posed to privacy by a personal information processing act, and an approach that emphasizes compliance with clearly stipulated legal provisions rather than the actual presence or degree of risk.

Furthermore, unlike the GDPR, which does not regard pseudonymization as a type of security measure to be considered alongside encryption in personal information processing, the amended law approaches pseudonymization as a requirement to exempt the obligation of obtaining consent from the data subject. Therefore, the GDPR judges whether appropriate security measures have been taken by considering pseudonymization together with other security measures, rather than focusing solely on the completeness of pseudonymization itself. In contrast, our legislation views pseudonymization as a prerequisite for consent exemption, so the appropriateness of pseudonymization becomes an issue of whether the use or provision of pseudonymized information without consent is permitted, fundamentally changing its nature. Since inappropriate pseudonymization can even lead to criminal liability, it becomes difficult to consider supplementary security measures, actual risk, or other relevant factors in judging its appropriateness.

Among the many types of personal information processing, the government has chosen a unique regulatory system that allows only designated specialized institutions to combine datasets, raising concerns that inflexible practices overly focused on formality, requirements, and procedures might develop. Given that the data combination system was introduced with great difficulty, it is hoped that at least in practice, a more flexible approach will be permitted.

Park Kwang-bae, Attorney at Law, Law Firm Kwangjang