Deepfakes Are Considered 'Personal Information' If Individually Identifiable
Creators Are Outside Regulation...Cannot Be Subject to Obligations or Punishments
The Personal Information Protection Commission, which has begun revising the Personal Information Protection Act, is considering including deepfake crimes in the provisions for punishment. While the purpose of the Personal Information Protection Act has been more focused on protecting individual rights rather than punishment, it is recognized that the current law has limitations in punishing deepfake crimes, leading to plans to strengthen penalties through legal amendments.
According to the IT industry on the 16th, the Personal Information Protection Commission recently formed a task force (TF) with related ministries to discuss the direction of the amendment, including this matter.
Enacted in 2011, the Personal Information Protection Act aims to protect the dignity and rights of individuals by regulating the processing and protection of personal information. It stipulates the rights of data subjects and the obligations of personal information handlers. Since the main focus is on protecting rights rather than punishment, it only broadly defines prohibited acts, such as acquiring personal information by improper means or leaking and using it without authorization. The law also includes penalties such as imprisonment for up to five years or fines up to 50 million won for violations.
However, deepfake pornography, which has recently emerged as a social issue, falls outside these regulations. Even if deepfake pornography qualifies as personal information, individuals who create and distribute it cannot be considered personal information handlers.
The Personal Information Protection Act defines personal information handlers as "public institutions, corporations, organizations, or individuals who process personal information to operate personal information files for business purposes." Even individuals must have systematically organized files of personal information for business purposes, typically referring to individual business operators. However, when an ordinary person creates a deepfake video containing personal information for personal ownership or sharing with acquaintances, they do not fall under the category of personal information handlers.
A representative from the Personal Information Protection Commission said, "If we include ordinary individuals, even those who take photos or exchange business cards personally would be considered personal information handlers. While it depends on the case, generally it is difficult to regard individuals who create deepfakes as information handlers."
There are regulations concerning cases where artificial intelligence (AI) processes personal information, but these do not apply to deepfakes. Article 37, Paragraph 2 of the Personal Information Protection Act states that when AI or other automated systems process personal information to make decisions, data subjects have the right to request explanations or refuse the decisions. A typical example is when AI reviews resumes during recruitment to decide on acceptance. In contrast, deepfakes involve decisions made by individuals abusing AI, not automated AI decisions, so obligations cannot be imposed.
Currently, the only provisions that can punish deepfake crimes are the so-called N-bunbang Prevention Act (Special Act on the Punishment of Sexual Crimes) and the Public Official Election Act. However, these are difficult to enforce unless the intent to distribute the videos is proven or apply only in special cases such as election campaigns.
For this reason, the argument that a separate punishment basis related to deepfakes should be established rather than expanding the scope of information handlers is gaining traction. Kim Myung-joo, president of the International Association of Artificial Intelligence Ethics (IAAE), suggested, "It should be clearly stipulated in the law that when ordinary individuals use publicly available information to the detriment of data subjects, it constitutes a violation."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
