On January 9, 2020, the National Assembly passed the amendments to the “Three Major Data Laws,” including the Personal Information Protection Act (“PIPA”), during the plenary session. We expect the Three Major Data Laws to become effective at the end of July 2020, or six months from the date of promulgation.
As strict regulations have been one of the biggest barriers to data-driven businesses in Korea, the deregulatory measures provided by the passage of the Three Major Data Laws raise hope for a significant change for companies and institutions that use personal information.
Details
Key implications of the amended Three Major Data Laws include the below.
Expectations: The revised bills focus on introducing the concept of pseudonymized data and on creating legal grounds for combining pseudonymized data, which would enable companies to utilize a broad pool of personal data for multiple purposes.
Use of Pseudonymized Data: Immediately after the Three Major Data Laws passed the plenary session of the National Assembly, the Ministry of the Interior & Safety (“MOIS”) stated in a press release that the introduction of pseudonymized infor mation has allowed for the handling of “safely processed data that cannot identify specific individuals” for industrial research purposes. This raises expectations and possibilities for new industrial activities, such as test beds, applied research, smart cities, and fintech for innovative technological development, while also protecting personal information (see MOIS press release on January 9, 2020).
- Further, the MOIS provided examples for personal data, pseudonymized data, and anonymized data as shown in the table below. Companies using pseudonymized data may wish to refer to this guideline for more detailed explanations.
- However, given that they are examples only, when using pseudonymized data in practice, each case must be individually and specifically reviewed for any legal issues that may be raised. In other words, in the introductory phase, legal risk assessments may be inaccurate due to lack of evaluation criteria. Hence, government guidelines, authoritative interpretations, and policy trends should be closely monitored and reviewed.
- Further, it should be noted that the laws on pseudonymized data include administrative penalties and criminal penalties for using pseudonymized data for reidentification purposes.
* Click the PDF download button to read more
