KISA "Measures to Address AI Personal Data Threats from ChatGPT Planned for First Half of the Year"

Draft Enforcement Decree for the Second Amendment to the Personal Information Protection Act to Receive Legislative Notice This Month

The Korea Internet & Security Agency (KISA) plans to announce personal information protection measures in the first half of the year to prepare for the era of generative artificial intelligence (AI) such as ChatGPT, in cooperation with the Personal Information Protection Commission. Additionally, ahead of the enforcement of the second amendment to the Personal Information Protection Act scheduled for September, KISA plans to issue a legislative notice for the enforcement decree within this month.


Cha Yun-ho, Head of KISA's Personal Information Investigation Division, stated, "The risk of personal information infringement due to ChatGPT and similar technologies has become clearly visible, so we plan to establish and announce countermeasures for each stage of personal information processing within the first half of the year."

Cha Yun-ho, Head of the Personal Information Investigation Team at KISA [Photo by KISA]

Last year, among the personal information protection obligation violations reported to KISA by companies, violations of safety measures accounted for the largest portion at 66%. This was followed by breach notification (16%), failure to destroy information (10%), consent issues (9%), and access rights (2%). Among the types of safety measure violations, many cases involved insufficient encryption during storage and transmission. Key issues during incidents included violations of measures to prevent disclosure and leakage, safe connection and authentication methods, and the installation and operation of access blocking detection systems.


When incidents such as hacking occur, courts determine corporate responsibility by considering factors such as the generally known level of information security technology, the industry and business scale, the company's security measures, the cost and effectiveness of necessary information security, the possibility of avoiding damage based on the level of hacking and security technologies, and the content of the collected personal information. For example, companies must take measures to ensure that personal information being processed is not leaked to unauthorized persons by securing personal information processing systems and the computers and mobile devices of personal information handlers. They must restrict access rights to personal information processing systems by IP address or other means to prevent unauthorized access and install and operate systems that include functions to detect illegal attempts to leak personal information by reanalyzing IP addresses, etc. However, as long as attacks can be countered at a reasonably expected level, whether the system is paid or authenticated is not a criterion for judgment. Cha said, "This sets the minimum standards to ensure the safety of personal information," adding, "Technological protection measures that are reasonably expected according to social norms should be implemented."

Lee Jeong-hyun, Head of Personal Information System Team, KISA [Photo by KISA]

The second amendment to the Personal Information Protection Act will be fully enforced starting September 15. KISA is currently carrying out related preparations. The amendment includes ▲strengthening the rights of data subjects ▲ensuring consistency with global regulations ▲restructuring the digital-centered legal system ▲and fostering a personal information protection ecosystem. Lee Jung-hyun, Head of KISA's Personal Information System Team, said, "The enforcement decree has been largely drafted," and added, "The draft enforcement decree and legislative notice will be released in early May."


The second amendment newly establishes the right to request personal information transfer to enable data subjects to autonomously distribute and utilize their information. Lee said, "With the establishment of the transfer request right, MyData will gain more momentum." In response to AI development, automated decision-making in areas such as credit evaluation and recruitment will be utilized, and the right to respond to automated decisions will also be introduced. The methods for cross-border transfer of personal information will be diversified, and a suspension order will be newly established. Notably, responsibility for personal information infringement will shift from a punishment-centered approach focused on individuals to an economic sanction-centered approach targeting companies with actual responsibility. The maximum fine will be raised from 3% of related sales to 3% of total sales. The cap on punitive damages will increase from three times to five times. Operational standards will be established not only for fixed-type video devices (CCTV) but also for drones and autonomous vehicles. Lee said, "Improving companies' personal information processing policies will also have a significant impact," adding, "Looking at the processing policies of companies like Google, they are often lengthy and difficult to understand due to translation style. There will be increasing demands to improve them so that the general public can understand."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
