![[W Forum] Paradigm Shift in Personal Data Regulation](https://cphoto.asiae.co.kr/listimglink/1/2018070214231934773_1530508997.jpg)
Data utilization is essential in any situation referring to the current era, such as platform and data economy, and the Fourth Industrial Revolution. It is said that about 70-80% of the data needed in the industry is personal information. Nevertheless, current personal information regulations have focused more on strong ‘protection’ rather than ‘utilization.’
However, the root of protecting ‘personal information’ is not the personal information itself but the personality rights of the data subject based on the right to self-determination of personal information. Blind and indiscriminate protection of ‘personal information’ itself, unrelated to the rights of the data subject, should be avoided. From this perspective, the use of personal information with minimal possibility of infringing on the rights of the data subject needs to be allowed. A representative example is the use of personal information as data for artificial intelligence (AI) training. For AI to function properly, data-based learning is essential. Sufficient data is required.
However, according to our ‘Personal Information Protection Act,’ the only way is to obtain consent from the data subject one by one or to hire models to obtain consent and shoot. In this case, despite the minimal possibility of infringing on the rights of the data subject, acquiring sufficient quantitative and qualitative personal information is far from easy. Last year, Naver’s use of technology from the Chinese facial recognition AI company ‘SenseTime’ while servicing Line Messenger and Snow is not unrelated to our strict personal information protection regulations. Under the supervision of the Personal Information Protection Commission (PIPC), a method to utilize personal information as AI training data without the consent of the data subject is necessary.
Next is the rationalization of the scope of personal information processing that online platforms must bear. On the 8th, the Seoul Administrative Court ruled in favor of the plaintiffs in a lawsuit filed by Gmarket and Naver against the PIPC’s corrective order cancellation. Open market operators such as Gmarket and Naver have management and supervision obligations for personal information handlers such as affiliated employees under the ‘Personal Information Protection Act,’ but the PIPC regarded tenant businesses as personal information handlers like employees and imposed fines and corrective orders for failing to fulfill management and supervision obligations for them. However, tenant businesses are not employees subject to the management and supervision of open market operators. Therefore, Gmarket and Naver won the case with the judgment that there is no management and supervision obligation for them.
If open markets are required to process all personal information of transactions between tenant businesses or users, as in the PIPC’s corrective orders and the amendment to the Electronic Commerce Act, they would rather become the ‘Big Brother’ of the private sector. This is far from ‘protection’ of personal information and only increases the burden of transactions, harming both businesses and data subjects.
The sensitivity of our society to personal information protection is considerably increasing. In the early 2000s, the ‘Big Brother’ controversy led to the scrapping of the ‘electronic resident ID card’ and the ‘National Education Information System (NEIS).’ As seen in the recent ‘Iruda’ incident, companies that do not properly implement personal information protection measures cannot operate their business. Companies or government policies unfriendly to personal information protection are ignored by citizens or find it difficult to establish themselves in the market.
Now is the time to attempt self-regulation suitable for a healthy market and mature citizens rather than strong public regulation centered on ‘punishment.’ Recently, the PIPC prepared a public-private cooperative self-regulation agreement involving 10 online shopping intermediary platforms as the first outcome of ‘public-private cooperative self-regulation.’ However, in Korea, most ‘public-private cooperation’ has been led by the ‘government’ rather than ‘autonomy.’ Genuine ‘self-regulation’ that enhances market elasticity and substantially contributes to guaranteeing the rights of data subjects should be realized.
Hyunkyung Kim, Professor, Graduate School of IT Policy, Seoul National University of Science and Technology
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
