"AI Learning via SNS and Blogs, Is It Okay? Guidelines Released for Companies"

Personal Information Commission's 'Published Personal Information Processing Guide'
Data Collection Purpose and Necessity Must Be Met
Recommends That Companies Autonomously Implement Optimal Safety Measures

A guide on how to legally and safely utilize personal information disclosed on the internet, such as social networking services (SNS) and blogs, for artificial intelligence (AI) development has been released.


The Personal Information Protection Commission announced on the 17th that it has prepared the "Guide to Processing Disclosed Personal Information for AI Development and Services." Disclosed data refers to data that anyone on the internet can legally access. It is an essential raw material for training data used in developing generative AI such as ChatGPT. AI companies utilize disclosed data by automatically extracting it from sources like Common Crawl (a public data repository), Wikipedia, blogs, and websites.

However, such disclosed data may contain various personal information such as addresses, phone numbers, and credit card numbers, raising significant privacy concerns. The current Personal Information Protection Act (hereinafter referred to as the Protection Act) does not have clear standards applicable to the processing of such disclosed personal information. Although AI technology is advancing rapidly, there has been no established safe and lawful method for training with disclosed data, often causing confusion in the field.


Accordingly, the Personal Information Protection Commission clarified the legal standards for collecting and using disclosed personal information and prepared a guide that companies can refer to regarding appropriate safety measures. The process involved communication and gathering opinions from academia, industry, and civil society.


The guide specifies that three conditions must be met: ▲ legitimacy of the AI development purpose ▲ necessity of processing disclosed personal information ▲ specific balancing of interests. For example, using disclosed data for AI development aimed at cyberattacks, surveillance, or impersonation scams such as phishing or smishing does not meet the legitimacy requirement. Also, if developing AI to assist medical diagnosis, unrelated information such as an individual's income or assets should be excluded from training.


The guide explains technical and managerial safety measures that can be considered to process disclosed personal information and ways to guarantee the rights of data subjects.


However, considering rapid technological changes, detailed safety measures can be flexibly introduced and implemented. AI companies are not required to implement every safety measure. They can select and implement the optimal combination of safety measures suitable for their characteristics by considering the benefits of various safety measures presented in the guide, as well as side effects such as AI performance degradation, bias, and technological maturity.

The guide emphasizes the roles of AI companies and Chief Privacy Officers (CPOs) regarding training data processing. It recommends autonomously establishing and operating an "AI Privacy Task Force (tentative name)" centered on the CPO, evaluating compliance with the guide's standards, and documenting and retaining the basis for such evaluations. It also advises regularly monitoring risk factors such as significant technical changes for AI performance improvement or concerns about personal information breaches, and preparing prompt remedies in case of privacy breaches such as personal information exposure.


The guide will be continuously updated considering future amendments to personal information-related laws, trends in AI technology development, and overseas regulatory developments. The legal grounds and standards for the lawful processing of users' personal information will be concretized through consultations with academia, industry, and civic groups.


Ko Hak-su, Chairperson of the Personal Information Protection Commission, stated, "Through this guide, we hope that companies will independently establish AI and data processing practices trusted by the public, and that the accumulated best practices will be continuously reflected in the guide."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

