[W Forum] The Passage of the 'Data 3 Act' and Remaining Challenges


The Data Three Acts (Amendments to the Personal Information Protection Act, Credit Information Act, and Information and Communications Network Act), proposed in November 2018, passed the National Assembly last January after about 1 year and 2 months. Now, pseudonymized information, which cannot identify a specific individual without additional information, can be used without the consent of the data subject for statistical compilation, scientific research, and public interest record preservation. Furthermore, it is also possible to combine and use data across different sectors such as telecommunications, finance, and distribution. To ensure that the rights of data subjects are not violated in such data utilization, obligations for safety measures are imposed during pseudonymized information processing or data combination, acts of re-identifying individuals are prohibited, and in case of violations, fines or criminal penalties can be imposed along with surcharges amounting to 3% of total sales. The amendment is expected to spur the creation of diverse and innovative technologies, products, and services, and accelerate the enhancement of the nation's data competitiveness, which has lagged behind.


Nevertheless, we must not stop here. There are still some foothills and more important peaks ahead. First, from the perspective of companies and citizens who must comply with the law, the government must present detailed enforcement plans to avoid confusion in lawful data processing. For example, there is still confusion among citizens and companies about the extent, procedures, and methods of pseudonymization required to be considered lawful. Businesses and programs specializing in pseudonymization are already on the market, but it is questionable whether they meet the legal standards for pseudonymization. Small and medium-sized startups without adequate legal support, and even large corporations, urgently need concrete government guidelines on these unclear pseudonymization standards.


Next, the regulations on 'personal information cross-border transfer' need to be improved. The core of the EU General Data Protection Regulation (GDPR), which significantly influenced this data law amendment, is the tightening of 'personal information cross-border transfers.' The EU aims to protect data sovereignty by strictly limiting the transfer of EU citizens' personal information beyond EU borders to American IT giants like Google and Facebook. Therefore, Europe, in principle, only allows the transfer of European citizens' personal information to countries or overseas companies approved by the EU as having an equivalent level of personal information protection. However, if the country or company has neither received an adequacy decision from the EU nor has appropriate safety measures in place, the risks to data subjects must be clearly notified in advance, and the transfer can proceed only if the data subject consents to bear such risks.


Unfortunately, in South Korea, personal information can be transferred overseas as long as the data subject 'consents.' Even without relying on the 2018 Personal Information Protection Status Survey, which found that 70% of data subjects do not check consent details and click unconsciously, very few citizens thoroughly understand the handling of their personal information when providing it to Facebook or Google. The current law leaves the cross-border leakage of citizens' personal information solely to formalized and hollowed-out personal 'prior consent,' effectively neglecting the issue. The recently passed amendment is no different. Therefore, the next amendment should require that the level of personal information protection in the country to which the data is transferred be screened at the national level and that data subjects be clearly informed of this.


Meanwhile, the strict prior consent and separate consent methods, which have already become hollowed-out ways to guarantee data subjects' rights, need reconsideration. As mentioned earlier, 'prior consent' has degenerated into unconscious and habitual 'clicking' and has become a means for personal information processors to exempt themselves from liability rather than protecting data subjects' rights. Moreover, while overseas companies like Google commonly use broad consent methods, domestic companies, due to strict government guidelines, obtain consent by distinguishing between mandatory and optional items. The 'consent' regulation, which shifts all responsibility to individual users and acts as a factor of reverse discrimination between domestic and foreign companies, should be reconsidered.


There remain numerous issues requiring repeated deliberation, such as excessive penalties that are unprecedented worldwide, securing the consistency of the legal system in connection with the transfer of the Information and Communications Network Act, and ensuring safety in data combination through specialized institutions. Having taken the first difficult step, we must pause, breathe, and proceed carefully to resolve these issues. The law is a living 'organism' that must continuously reflect the needs of the people and enhance public interest values. We look forward to the next amendment to improve the completeness of the Data Three Acts.



Hyunkyung Kim, Professor, Seoul National University of Science and Technology


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
