Regarding the ‘Three Data Bills (Personal Information Protection Act·Protection of Credit Information Act·Information and Communication Network Act)’ which passed the National Assembly’s plenary session on January 9, companies welcomed that “It will accelerate the development of domestic big data industry,” but “It is in the beginning stage”. In order for three data bills, which take effect in July this year, to be actually effective, it is important to clarify the utilization range of personal data and to make up for the matters not covered by law such as specifying the working procedures of relevant institutions.
Three data bills utilize ‘pseudonymized personal data’ which makes certain individuals unidentifiable, without getting permission from subject for commercial statistics, scientific studies and for public recordkeeping purposes.
The biggest concern of corporations and civic groups in relation to three data bills is the specific utilization range of pseudonymized personal data. Companies use pseudonymized personal data based on the ‘scientific studies’ purpose included in three data bills, but the problem is that the law itself is still vague about how and under what conditions companies can use pseudonymized personal data. On January 13, Korean Federation of Science and Technology Societies (KOFST) made a comment on three data bills, “We expect industrial growth and R&D to be invigorated,” on the other hand, “There is a need for follow-up measures, such as method of processing pseudonymized personal data is not specified,” they pointed out.
The amendment to Personal Information Protection Act defines scientific studies as ‘development and demonstration of technology, basic research, applied research, and private investment research.” However, from this definition, it is unclear to what extent companies may use pseudonymized personal data for commercial purposes and needs to be further refined during the enactment of enforcement ordinance. In addition, civic organizations have announced that they will file a lawsuit when the three data bills passed so, it will take some time for the Supreme Court and the Constitutional Court to take legal interpretations.
Another section that needs to be fleshed out is the feature of specialized institution responsible for the secondary use of pseudonymized personal data. Three data bills allow personal data to be processed and used as pseudonymized data, but restrict different users from extracting and combining this data. The exception of secondary use is that it can be used only when it has been verified by specially designated institution. Then, which institution will take charge of it, and standards and procedures for combining and taking it out should comply with the Presidential Decree.
An important task is the successful stabilization of Personal Information Protection Commission (PIPC), which will be in charge of control tower for big data industry. EU determines whether the offshore countries are protecting their personal data to the level of their requirements, so that the data can be used in the region only if they meet EU’s own GDPR (General Data Policy Regulation). However, Korea has not passed EU’s evaluation so far because of lack of PIPC’s authority or independence. So, each company had to be evaluated by GDPR.
The Presidential Committee, PIPC was founded in 2011 and was upgraded to a Central Administration Organization with the revision of three data bills. Management and supervision of personal data, which has been divided into three departments such as Ministry of the Interior and Safety, Korea Communications Commission and Financial Services Commission, will be integrated into PIPC. If the newly transformed PIPC is successfully stabilized through the revision of the bills, they will pass the EU’s GDPR evaluation without any problem.
Park Hyun-ik(2020.01.13) “데이터 3법은 주춧돌, 이제 시작”… 풀어야 할 숙제들
retrieved from https://biz.chosun.com/site/data/html_dir/2020/01/13/2020011302674.html