Approval of the Amendment to the Enforcement Decree Establishing Additional Criteria for the Use of Personal Information at the Cabinet Meeting
Prime Minister Chung Sye-kyun is attending the Cabinet meeting held at the Government Seoul Office in Jongno-gu, Seoul on the 28th, striking the gavel. Photo by Jang Jin-hyung aymsdream@
[Asia Economy Reporter Kim Heung-soon] Ahead of the implementation of the Data 3 Act (Personal Information Protection Act, Information and Communications Network Act, Credit Information Act) on August 5, some toxic provisions in the enforcement decree of the Personal Information Protection Act, which were considered obstacles to data utilization, have been removed.
The Ministry of the Interior and Safety and the Korea Communications Commission announced on the 28th that the enforcement decree amendment of the Personal Information Protection Act, which includes ▲criteria for additional use and provision of personal information without the consent of the data subject ▲procedures for pseudonymized information combination and designation of specialized combination institutions, was approved at the Cabinet meeting.
◆ Shift in the weight of personal information from 'protection' to 'utilization' = A representative change among the existing enforcement decree amendments of the Personal Information Protection Act is Article 14, Paragraph 2, which was criticized by academia and the legal community as being excessively stringent. This provision, which deals with criteria for additional use and provision of personal information, originally stipulated that all four requirements must be 'fully met' for additional use of personal information to be possible: ▲the additional use must be substantially related to the original collection purpose, ▲it must be predictable based on the circumstances of collection and processing practices that additional use is possible, ▲the additional use must not unjustly infringe on the interests of the data subject or third parties, and ▲if the additional use purpose can be achieved through pseudonymization, pseudonymization must be mandatory.
The related industry argued that "it is difficult to apply in actual work if all four requirements must be met" and that "overemphasizing personal information protection raises concerns about numerous legal disputes." The government accepted these opinions and lowered the standard in the revised amendment from 'all must be met' to 'each item should be considered.' Specifically, the word 'substantial' was removed from 'substantial relation,' 'circumstances of collection and processing practices' was changed to 'circumstances of collection or processing practices,' and the ambiguous term 'third party' in the phrase concerning infringement of interests of the data subject or third parties was removed. The fourth requirement was relaxed to 'whether pseudonymization or encryption and other necessary measures to ensure safety have been taken.'
Additionally, the clause in Article 29, Paragraph 5 of the enforcement decree amendment of the Personal Information Protection Act, which stated that 'pseudonymized information must be destroyed when the processing purpose is achieved or the retention period has elapsed,' was also deleted. This provision had been criticized as excessive, given that there are already penalties such as imprisonment for up to five years or fines up to 50 million won for processing pseudonymized information with the intent to identify specific individuals, yet it separately mandated the destruction of carefully analyzed information.
◆ Addition of sensitive information on race and ethnicity = Article 18 of the enforcement decree amendment included biometric information and race/ethnicity information as 'sensitive information' to strengthen protection measures. This reflects the consideration that biometric information such as fingerprints, iris, and facial recognition used for identifying individuals can cause irreversible damage if leaked as unique personal information. The inclusion of race and ethnicity information reflects the increased risk of privacy infringement as our society transitions into a multicultural society.
At the Cabinet meeting, the amendment to the 'Enforcement Decree of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.' was also approved. As the personal information protection provisions of the Information and Communications Network Act have been transferred to the Personal Information Protection Act, related provisions such as 'notification of personal information usage,' 'guarantee of liability for damages,' and 'designation of domestic agents for overseas businesses,' which were stipulated in the enforcement decree of the Information and Communications Network Act, were deleted and transferred to the amended enforcement decree of the Personal Information Protection Act.
Yoon Jong-in, Vice Minister of the Ministry of the Interior and Safety, said, "This enforcement decree amendment has established a legal foundation for the safe utilization of data," and added, "We will ensure that the Personal Information Protection Act and its subordinate laws and enforcement decrees are implemented smoothly on August 5."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
