As mentioned in the previous post, the Personal Information Protection Act was implemented in South Korea in 2011.
In the age of the fourth industrial revolution, the promotion of new industries through the utilization of data as a crucial resource is becoming a national imperative. The need for establishing social norms for the safe use of data has become urgent.
However, the existing laws have divided the responsibility of overseeing personal information protection among various organizations, including the Ministry of the Interior and Safety, the Korea Communications Commission, and the Personal Information Protection Commission. Moreover, laws and regulations related to personal information protection are divided between the 「Personal Information Protection Act」 and the 「Act On Promotion Of Information And Communications Network Utilization And Information Protection」. This division of responsibility and laws has limited the protection of individuals' rights and the promotion of data utilization.
To address these issues, the Special Cases concerning Pseudonymous Data, also known as Article 28-2 through 7, were introduced.
SECTION 3 Special Cases concerning Pseudonymous Data
Article 28-2 (Processing of Pseudonymous Data)
(1) A personal information controller may process pseudonymized information without the consent of data subjects for statistical purposes, scientific research purposes, and archiving purposes in the public interest, etc.
(2) A personal information controller shall not include information that may be used to identify a certain individual when providing pseudonymized information to a third party according to paragraph (1).
Article 28-3 (Restriction on Combination of Pseudonymous Data)
(1) Notwithstanding Article 28-2, the combination of pseudonymized information processed by different personal information controllers for statistical purposes, scientific research and preservation of records for public interest, etc. shall be conducted by a specialized institution designated by the Protection Commission or the head of the related central administrative agency.
(2) A personal information controller who intends to release the combined information outside the organization that combined the information shall obtain approval from the head of the specialized institution after processing the information into pseudonymized information or the form referred to in Article 58-2.
(3) Necessary matters including the procedures and methods of combination pursuant to paragraph (1), standards and procedures to designate, or cancel the designation of, a specialized institution management and supervision, and standards and procedures of exporting and approval pursuant to paragraph (2) shall be prescribed by Presidential Decree.
Article 28-4 (Obligation to Take Safety Measures for Pseudonymous Data)
(1) When processing the pseudonymized information, a personal information controller shall take such technical, organizational and physical measures as separately storing and managing additional information needed for restoration to the original state, as may be necessary to ensure safety as prescribed by Presidential Decree so that the personal information may not be lost, stolen, divulged, forged, altered, or damaged.
(2) A personal information controller who intends to process the pseudonymized information shall prepare and keep records relating to matters prescribed by the Presidential Decree including the purpose of processing the pseudonymized information, and a third party recipient when pseudonymized information is provided, to manage the processing of pseudonymized information.
Article 28-5 (Prohibited Acts for the Processing of the Pseudonymized Information)
(1) No one shall process the pseudonymized information for the purpose of identifying a certain individual.
(2) When information identifying a certain individual is generated while the pseudonymized information is processed, the personal information controller shall cease the processing of the information, and retrieve and destroy the information immediately.
Article 28-6 (Imposition of Administrative Surcharges for the Processing of the Pseudonymized Information)
(1) The Commission may impose a fine equivalent to less than three-hundredths of total sales on data controller who has processed data for the purpose of identifying a specific individual in violation of Article 28-5 (1): Provided, That in case where there is no sales or difficulty in calculating the sales revenues, the data controller may be subject to a fine of not more than 400 million won or three-hundredths of the capital amount, whichever is greater.
(2) Article 34-2 (3) through (5) shall apply mutatis mutandis to matters necessary to impose and collect administrative surcharges.
Article 28-7 (Scope of Application)
Articles 20, 21, 27, 34 (1), 35 through 37, 39-3, 39-4, 39-6 through 39-8 shall not apply to the pseudonymized information.
These grounds allow for the use of pseudonymous information without the consent of data subjects for statistical purposes, scientific research purposes, and archiving purposes in the public interest, etc. Institutional measures have been taken to ensure the safe protection of personal information by strengthening the responsibility of personal information managers. Additionally, a mechanism has been put in place to allow for the additional use and provision of personal information within a reasonable scope related to the original purpose of collection.
In conclusion, the implementation of the Personal Information Protection Act and the introduction of the Special Cases concerning Pseudonymous Data are significant steps towards protecting individuals' rights and promoting the safe and responsible utilization of data. However, there are still concerns and challenges to be addressed, such as ensuring the effective implementation of the law and addressing potential gaps in protection. Nevertheless, it is expected that the establishment of social norms for safe data use and the strengthening of institutional measures for personal information protection will facilitate the development of new industries and contribute to the overall well-being of society.
No comments:
Post a Comment