[In-Depth Look] The Path to Accelerating the Era of Credit Data Innovation

Published 19 Aug.2020 12:09(KST)

Choi Kyung-jin, Professor of Law, Gachon University

At the tail end of the 20th National Assembly, the passage of the “Three Data Laws” (Personal Information Protection Act, Information and Communications Network Act, and Credit Information Act) marked the first step toward establishing competitiveness in the era of the data economy through innovation.

Since then, through various follow-up efforts such as the enactment of subordinate statutes and related guidelines, the amended Credit Information Act, a core law, finally came into effect on the 5th of this month. This amendment laid the groundwork for the use of pseudonymized information, established an institutional basis for data linkage, and introduced the MyData system in the financial sector. In particular, the MyData system has expanded opportunities to utilize big data in the financial field.

Measures to prevent risks that may arise from data utilization have also been put in place. To protect credit information subjects, obligations such as prohibiting re-identification of pseudonymized information, securing safety measures, and strengthening liability for damages have been stipulated. This appears to be an effort to catch “two rabbits” at once: the safe use and protection of personal credit information.

Nevertheless, at the time of the law’s passage, privacy advocates referred to the Three Data Laws as the so-called “Personal Information Thief Laws,” expressing concerns about excessive use. On the other hand, proponents of utilization expressed expectations that the full-fledged data economy could finally be opened.

And now, about six months after the law’s enforcement, what is the situation? While there are concerns that data utilization may not be as easy as initially expected, there are also hopes that the utilization will not be excessive as anticipated, showing a mixed outlook.

Can true data innovation be achieved through the amendment of the Three Data Laws? Although the first step has been taken, where should we go from here? If the first step (the enforcement of the Three Data Laws) indicated the direction to take, the second step reveals how accurately and clearly we are moving in that direction. If the second step is taken incorrectly, we may lose balance and fall or go in the wrong direction.

Therefore, we need to return to our original intention. The amended Credit Information Act states the legislative purpose as “to accommodate the global environmental change toward a data economy transition, to create opportunities for consumer-centered financial innovation and expansion of financial inclusion through active data utilization, and to enhance public trust in the protection of financial information.” This legislative purpose must never be forgotten in the process of interpreting and applying the law. No matter how much the law is amended, if it is misinterpreted or misapplied, the original intent will be undermined. The “linkage of pseudonymized information,” expected to aid data utilization, includes various safeguards such as linkage by specialized institutions, safety measures, and adequacy assessments. These are natural measures for the “safe use” of data. However, if excessive caution or unreasonable judgments are made during practical processing, the situation may end up being not much different from before the amendment of the Three Data Laws. Although the law has changed, it would be nothing more than “false hope.”

Therefore, the second step toward the data economy must be a step of practice and trust. Interpretation and application practices must follow to ensure that the changed legal provisions are applied rationally. Businesses seeking to utilize financial data must faithfully implement the safety measures required by law and do their utmost to protect personal credit information, thereby building trust in “safe use.” Discussions surrounding personal credit information should not remain only at the level of abstract ideological conflicts or macro-level debates but should also include detailed discussions based on analysis of individual cases and contexts. We must look directly at the data and examine whether the rights of personal credit information subjects were truly infringed in individual cases and contexts. If data is safely utilized through a harmonious process of macro perspectives and detailed approaches, unnecessary disputes over responsibility should be avoided. We must open an era where we all can enjoy the value of data through practice and trust.