Eliminating Personal Data Infringement While Preserving the AI Ecosystem... The First Step in AI Data Standards
Personal Information Protection Commission Announces 'Personal Information Utilization Policy Direction'
Proposes AI Stage-by-Stage Personal Information Processing Principles
Introduces 'AI Privacy Team and Prior Adequacy Review System'
Since the emergence of ChatGPT, the artificial intelligence (AI) industry has been rapidly growing. However, the privacy policies regarding the data collected for AI development and services remain unclear. Companies worry about falling behind in the AI competition, while users of these services are concerned about potential privacy infringements. To address these issues, the government has initiated the establishment of AI data regulations.
On the 3rd, the Personal Information Protection Commission (PIPC) held a briefing at the Government Seoul Office and announced the "Policy Directions for Safe Use of Personal Information in the AI Era." The policy direction was established to minimize privacy infringement risks while safely utilizing data essential for the development of an AI innovation ecosystem. In particular, it presented guidelines on how the current "Personal Information Protection Act" can be interpreted and applied in the AI environment, while emphasizing a blueprint for the government and private sector to collaboratively design a regulatory framework for detailed matters in the future.
Establishment of 'AI Privacy Team' to Resolve Uncertainties for Private Companies
The PIPC will establish a one-stop contact point dedicated to AI-related matters, tentatively named the 'AI Privacy Team,' by October. This team will serve as a communication channel with businesses developing and providing AI models and services, actively supporting legal interpretations regarding the legality and safety of personal information processing on a case-by-case basis, and reviewing the application of regulatory sandboxes. The regulatory sandbox is a system that exempts or defers regulations under certain conditions (time, place, scale) to allow trials of new technologies and industries despite existing regulations.
Additionally, a "Preliminary Adequacy Review System" (tentative name) will be introduced within this year. Upon a business operator's request, the system will analyze the business environment and jointly establish application methods to comply with the "Personal Information Protection Act." For cases where the PIPC deems the operator's implementation results adequate, no administrative sanctions will be imposed. The process from the submission of the application to notification of the application method will, in principle, be completed within 60 days to swiftly reduce legal risks.
'Key Initiatives for Safe Personal Information Utilization Policy in the Age of Artificial Intelligence.'
Specification of Personal Information Processing Standards by AI Development and Service Stages
There were no separate standards on how to handle personal information when collecting and using data for AI development and services. Accordingly, the PIPC compiled past interpretations, resolutions, and precedents within the current "Personal Information Protection Act" framework. Based on this, it specified as concretely as possible the principles and standards for handling personal information at each stage, including AI development and service planning, data collection, AI training, and service provision.
At the planning stage, the principle of privacy-by-design is reflected. When collecting data, the principles for processing personal information are divided into general personal information, publicly available information, video information, and biometric information. In cases of developing large-scale language models, situations may arise where 'publicly available information' must be partially used; the conditions under which processing of publicly available information is permissible have been systematized. Subsequently, at the service stage, guidelines will be prepared after thorough review regarding specific disclosure scopes, methods, and rights exercise measures considering AI characteristics.
The announced policy directions represent basic standards and principles at this point in time. Based on this, the PIPC plans to collaborate with the private sector to further specify detailed areas for practical application in the field. An 'AI Privacy Public-Private Policy Council,' where AI companies, developers, academia, legal experts, and civic groups can jointly discuss, will be formed by October. According to the implementation plan, data processing standards in AI environments by sector will be jointly developed and announced.
To encourage wider use of Privacy-Enhancing Technologies (PET), R&D will be expanded and related guidelines prepared. Furthermore, when it is unclear how a PET should be applied or its application requires verification, technology development and demonstration will be enabled in 'Personal Information Safe Zones' that ensure security and safety.
An 'AI Risk Assessment Model' will also be developed to assess risks concretely, so that regulation can be designed differently according to AI risk level. Since building such a risk assessment system requires various experiments and trials, the 'regulatory sandbox' will be utilized. The system to identify and evaluate risks will be built up continuously by 2025.
Strengthening International Cooperation Framework
A global cooperation system will be established to form international digital norms regarding AI. Since AI development and service provision often occur in a transnational manner, individual national regulations have limitations, making international cooperation essential.
The PIPC plans to strengthen cooperation for establishing international norms in AI personal information fields based on the 'Paris Initiative,' which declared the establishment of a new dimension of digital order. Starting with the 'AI and Data Privacy International Conference' held in Seoul in June, the PIPC will share laws, policies, and enforcement cases with major countries' personal information supervisory authorities and ensure rapid response to privacy infringement issues caused by AI.
In 2025, the PIPC will host the 'Global Privacy Assembly (GPA),' the largest international forum in the personal information field, to discuss emerging privacy issues in the deepening digital era centered on AI. Communication with global AI operators such as OpenAI, Google, and Meta, as well as domestic AI operators, will also be stepped up.
Ko Hak-soo, Chairperson of the PIPC, stated, "As AI serves as a foundational technology across all industries worldwide, it is time to establish a new digital order on how data can be safely utilized. Rather than pursuing unconditional 'zero risk,' it is more important to make practical efforts to minimize privacy infringements. Under this recognition, we will establish an AI personal information regulatory framework that can lead global norms."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.