[Asia Economy Reporter Kim Heung-soon] The government has decided to revise some of the 'toxic clauses' in the enforcement decree of the Data 3 Act (Personal Information Protection Act, Information and Communications Network Act, Credit Information Act). This move comes ahead of the implementation of the Data 3 Act on August 5, in response to ongoing concerns raised by academia and the legal community. However, as controversies remain over the excessive criminal penalties, there are calls for further regulatory relaxation.
On the 21st, Lee Seong-yeop, president of the Korea Data Law Policy Association and professor at Korea University Graduate School of Technology Management, stated, "Since the criminal penalty provisions specified in the law are excessive, additional review by the National Assembly is necessary." Lawyer Lee Ji-eun of Kim & Chang law firm also said, "If data is not acquired with malicious intent for improper use, criminal penalties should be eased to civil remedies, fines, or administrative sanctions such as corrective measures."
The problematic clause is Article 29, Paragraph 5 of the amended enforcement decree of the Personal Information Protection Act, which contains 'safety measures for pseudonymized information.' It stipulates that if safety measures to prevent loss or leakage are not secured while processing pseudonymized information, or if recording and storage obligations are neglected resulting in loss, theft, leakage, forgery, or alteration, a penalty of imprisonment for up to two years or a fine of 10 million to 30 million KRW may be imposed.
There is also a penalty clause imposing imprisonment of up to five years or a fine of up to 50 million KRW, along with a surcharge of up to 3% of the company's average annual sales over the past three years, if pseudonymized information is processed for the purpose of identifying specific individuals.
Experts point out that this conflicts with the purpose of the Data 3 Act, which aims to maximize data utilization and revitalize the data economy. The problem lies in the Personal Information Protection Act explicitly specifying criminal penalties, which forces the enforcement decree to impose stringent regulations.
Lawyer Lee pointed out, "It is most desirable to ease the criminal penalty provisions through legal amendments," but added, "Since legal amendments are not easy, it is necessary to more clearly define administrative sanctions in the enforcement decree and reduce surcharges."
Earlier, the Ministry of the Interior and Safety reflected industry concerns that sub-legislation was strengthening regulations contrary to the intent of the Data 3 Act, and announced a legislative notice for partial amendments to the enforcement decree of the Personal Information Protection Act, collecting opinions from individuals, organizations, and institutions until the 20th.
For example, the existing Article 14, Paragraph 2 of the enforcement decree, which stipulated that all four conditions must be met, was relaxed to "each item should be considered" following criticism that it was excessively strict. Some controversial phrases will also be deleted or rephrased.
President Lee emphasized, "To resolve uncertainties within the enforcement decree, clear guidelines and explanatory documents are necessary," adding, "A draft should be prepared before the law takes effect, and additional opinions from stakeholders should be collected."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
