The Personal Information Protection Commission Finalizes Evaluation Plan for Privacy Policies
Forty-nine companies, including Naver and Kakao, will be evaluated on their privacy policies starting this year. A privacy policy is a document that a personal information handler establishes on their own regarding standards and safety measures related to the processing of personal information, such as collection, use, provision, and consignment of information.
On the 13th, the Personal Information Protection Commission announced that it had finalized the 2024 privacy policy evaluation plan through the 10th plenary meeting.
The privacy policy is intended to verify what personal information is processed by the personal information handler, for what purpose, and how it is processed. The Personal Information Protection Act (Article 30) imposes an obligation on personal information handlers to establish and disclose privacy policies to enhance accountability and transparency in personal information processing. However, there have been criticisms that the content of privacy policies is difficult to understand and merely lists text, limiting the practical protection of data subjects' rights. In response, the Commission amended the law last year to introduce a privacy policy evaluation system. The first full-scale evaluation will be conducted this year. The evaluation will begin in July and the results will be released by the end of the year.
Personal Information Processing Policy Evaluation Procedure [Table=Personal Information Protection Commission]
This year's evaluation fields are seven sectors closely related to daily life: ▲Big Tech ▲Online Shopping ▲Online Platforms (Ordering/Delivery, Accommodation/Travel) ▲Hospitals/Medical Centers ▲Online Video Services (OTT) ▲Entertainment (Games, Webtoons) ▲AI Recruitment. Forty-nine companies, including Naver, Kakao, Google, Meta, and Coupang, are subject to this evaluation.
The evaluation criteria, based on Article 30-2 of the Personal Information Protection Act, cover three areas: ▲whether the privacy policy appropriately defines the matters to be included (appropriateness), ▲whether the privacy policy is written in an easy-to-understand manner (readability), and ▲whether the privacy policy is disclosed in a way that data subjects can easily access it (accessibility). A total of 26 items and 42 indicators are used to assess compliance with legal obligations and the efforts of personal information handlers.
For personal information handlers whose privacy policies are evaluated as excellent, incentives such as reductions in fines and penalties under the Personal Information Protection Act will be provided. For areas requiring improvement, measures such as recommendations for improvement will be implemented.
Yang Cheong-sam, Director of the Personal Information Policy Bureau at the Commission, stated, "Since the privacy policy evaluation system is being implemented for the first time this year, we will focus on discovering and sharing exemplary cases rather than operating in a way that burdens personal information handlers. If there are concerns about violations, we will promote improvements accordingly."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
