On August 5, 2020, the amendments to the “Three Major Data Privacy Laws” became effective – the Personal Information Protection Act (the “PIPA”), the Act on the Promotion of the Use of the Information Network and Information Protection (the “Network Act”), and the Credit Information Use and Protection Act (the “Credit Information Act”).
The key changes under the amended PIPA include the introduction of the concept of “pseudonymized data” and, through pseudonymization, permission to use and transfer data (previously not allowed without the data subject's consent). As such, there is now an increased potential for greater use of personally identifiable information (“PII” or “personal data” or “personal information”). Consequently, it is expected that businesses can create added value by combining pseudonymized data from various industries, including IT, financial, and medical sectors.
Another noteworthy change under the amended PIPA is the transformation of the Personal Information Protection Commission (the “PIPC”) into South Korea’s central data privacy regulatory authority under the Prime Minister’s Office. In such a capacity, the PIPC published its “Comprehensive Guidelines on Processing Pseudonymized Data” (the “Guidelines”) on September 24, 2020. In the Guidelines, the PIPC clarifies, among other things: (i) how personal data may be anonymized or pseudonymized; (ii) how to combine pseudonymized data from different personal information processors and issues arising from combining pseudonymized data; and (iii) security measures for the safe use of pseudonymized data. The Guidelines also use theoretical and technical examples to clarify how data controllers and processors (or “outsourcee”) should follow them when handling pseudonymized and anonymized data.