Resolution Passed on Preliminary Inspection of Super App Practices
The Personal Information Protection Commission has recommended that five super applications (apps) offering a variety of services, including KakaoTalk and Naver, reduce unnecessary consent practices.
This is because requiring mandatory consent for the collection and use of personal information that can be handled without the data subject's consent is an unnecessary procedure, and having too many consent items can impair users' judgment.
On July 23, the Commission held a plenary meeting and deliberated and resolved the results of a preliminary fact-finding inspection on major super app services, including KakaoTalk, Naver, Coupang, Baemin, and Danggeun. The preliminary fact-finding inspection is a system designed to proactively identify vulnerabilities in personal information protection and prevent infringement risks in advance.
Super apps provide a range of services, such as search, shopping, finance, and payment, and involve multiple business operators, resulting in active processing of personal information. Users may find it difficult to fully understand how their personal information is handled, and there are calls for safe management because data within the app can be used for artificial intelligence (AI) training.
First, the Commission recommended that these app services reduce the number of "mandatory consent" items related to the collection, use, and provision of personal information. Personal information that is strictly necessary to provide a service can be collected and used without consent, but these apps are still requesting consent for such information. For example, addresses or contact details required for product delivery fall into this category.
The Commission explained, "Obtaining consent for personal information that is strictly necessary for users to receive services under a contract is in effect an unnecessary procedure," and added, "If there are too many consent items, users may fail to properly check the items that actually require their consent." The Commission advised that essential items, such as those necessary for contract fulfillment at the time of service subscription, should be notified through the privacy policy, and only items that require users' consent should be processed based on their agreement.
The Commission also recommended improvements to strengthen data management in application programming interfaces (APIs) and data warehouses (DWs) used during the transfer and sharing of customer personal information in super apps. It called for enhanced internal controls so that important matters related to APIs and DWs are decided with the participation of the personal information protection department, and ordered that access logs for DWs be maintained and reviewed for two years.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
