Privacy Policies to Become Simpler and More Specific in Response to AI and New Technologies

The Personal Information Protection Commission announced on April 24 that it has revised and released the guidelines for drafting privacy policies in response to the spread of generative artificial intelligence (AI) services and new technologies such as on-device processing.

A privacy policy is a document published by a data controller that details the personal information collected, the purpose of collection, and the methods of processing. According to the Commission, this revision aims to alleviate the administrative burden on data controllers while ensuring the practical protection of individuals’ right to self-determination over their personal information.

Personal Information Protection Commission logo. Personal Information Protection Commission

원본보기 아이콘

First, if the recipients or processors of personal information are large in number or frequently change, they may be categorized by type, such as "taxi drivers" or "delivery workers." However, the policy must also provide a specific method for individuals to directly verify the actual recipients or processors of their personal information.

The method of notifying changes to the privacy policy has also been made more rational. For matters that have a significant impact on individuals' rights, notice must be given either before or immediately upon revision. For matters that pose a low risk of infringing on rights, information on several changes may be compiled and provided together after a certain period.

The criteria for on-device processing have also been clarified. If any personal information is stored on a server, a privacy policy must be drafted even if there are some on-device functions. However, if personal information is processed only within the device and is not transmitted to an external server, it is recommended that this fact and the criteria for deletion be communicated to users.

The standards for drafting privacy policies by processors have also been specified to focus on matters directly related to the protection of individuals' rights. The guidelines for drafting privacy policies regarding behavioral information and simplified privacy policies have also been updated, enabling data controllers to more easily and accurately document content that matches their processing practices.

This revision also introduces a separate appendix specifically for generative AI services. The appendix recommends that the intended use of AI be clearly stated, and if information directly entered by users (such as text, voice, or attachments) or results generated during service use are collected or stored, these must be listed as items to be processed.

In addition, the guidelines instruct that cautionary notes about entering sensitive information or unique identification information be provided. Privacy policies must also include whether user-provided information is used for AI model training, the procedure for refusing such use (opt-out), and methods for reporting or challenging inappropriate responses.

Yang Cheongsam, Secretary General of the Personal Information Protection Commission, stated, "In new technological environments such as generative AI and on-device processing, it is more important than ever to transparently inform the public about the purposes and methods of personal information processing so that citizens can easily understand them." He added, "We hope that this revision to the drafting guidelines will provide clearer standards for practitioners and enable the public to more easily confirm how their personal information is being processed."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.