Seong-Yeop Lee, Professor at Korea University Graduate School of Technology Management and President of the Korean Data Law and Policy Association
August 5 marks the one-year anniversary of the enforcement of the Data 3 Act and the establishment of the Personal Information Protection Commission (PIPC) as a central administrative agency under the Prime Minister, which took over the personal information policy and regulatory functions from the Ministry of the Interior and Safety and the Korea Communications Commission. One year ago, upon the launch of the Commission, I emphasized the two critical tasks assigned to it: the utilization of data to enrich human life and the protection of privacy to uphold human dignity. To achieve these goals, I particularly called for strengthening communication with the private sector, activating authoritative interpretations of laws, enhancing supervision of the public sector, and reinforcing the appellate function in sanctions.
Over the past year, the Commission has actively listened to diverse opinions from stakeholders and experts through initiatives such as the Talk Talk Relay and the Personal Information Future Forum, reflecting them substantively in policies. It has also achieved results in preventing personal information infringements in the public sector, as seen in its feedback on amendments to laws like the Electronic Commerce Consumer Protection Act and the Electronic Financial Transactions Act. Additionally, there have been several accomplishments in terms of both data utilization and protection.
In terms of data utilization, notable achievements include pseudonymization, data linkage, and the European Union (EU) adequacy assessment. To ensure safe processing and use of pseudonymized information, the Commission has worked on subordinate legislation such as the Notice on Pseudonymized Information Linkage and Export, the Guidelines on Pseudonymized Information Processing, and the Notice on Pseudonymized Information Linkage and Export by Public Institutions. Furthermore, it identified and promoted pilot cases of pseudonymized information linkage in seven projects across five major sectors with significant national impact, and designated specialized linkage institutions to safely perform linkage tasks. In late March, Korea completed the initial EU adequacy decision, granting Korea a status equivalent to EU member states in personal information protection, thereby enabling free and secure data transfers from the EU to Korea.
On the data protection front, the Commission strengthened personal information protection related to COVID-19 prevention by removing names from handwritten logs, prohibiting the storage of personal images from thermal cameras, and introducing personal safety numbers. It also conducted investigations and sanctions against the AI service company Iruda, establishing personal information protection standards to prevent privacy infringements that may arise during the development and operation of AI services. Recently, the Commission has prepared amendments to the Personal Information Protection Act to enhance data subjects’ rights, including the right to data portability and the right to respond to automated decision-making, as well as diversifying cross-border data transfer methods beyond consent. These amendments are currently undergoing legislative procedures. In short, the Commission has worked tirelessly over the past year as both a leader in the data economy and a guardian of human dignity. Although it is a newly established organization facing shortages in personnel and budget, it is steadily building its capacity as a central administrative agency.
However, challenges remain. Regarding data utilization, cases of pseudonymization and data linkage are still minimal. This appears to be due to the time required for subordinate legislation, but it is necessary to review whether procedures such as linkage through third-party specialized institutions and the existence of linkage key management institutions are excessive, and whether procedures should vary according to the level of risk. The establishment of a separate organization responsible for data utilization policy is also needed. In particular, given that the Commission now oversees the MyData project, separate legislation for this initiative seems necessary. Moving forward, I hope the Personal Information Protection Commission will continue to grow into an organization trusted by the public and businesses alike, fulfilling its unique role as an independent regulatory agency for personal information protection and as a policy agency for data utilization and promotion.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
