(1) Reasons for Proposal
As the amended Personal Information Protection Act came into force on August 5, 2020, matters related to personal information in the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., were transferred to this Act, laying the foundation to boost data economy with the introduction of pseudonymous data. However, matters to empower the rights of data subjects in line with a new technological environment such as the rights to transfer personal information, which is introduced in advanced countries around the world, has not been introduced in the amended Act, failing to resolve redundant regulation on online and offline matters and causing unnecessary confusion and burden to law-abiding persons.
In this regard, some say it is necessary to strengthen people’s information rights, which may be weakened in the digital environment, consolidate special cases in this Act into general provisions, and resolve confusion over the Act’s applicability and a burden due to redundancy. In addition, this Act aims to prepare reasonable standards to process image information to preemptively respond to new technological changes and update a provision to transfer abroad in a way that is consistent with international standards. Furthermore, this Act aims to strengthen law-abiding persons’ compliance with obligations and increase the effectiveness of penalties by shifting the focus from criminal punishment to financial penalties. By doing so, this Act aims to resolve shortcomings not reflected in the previous legislative process while propping up to the trust-based data economy with a balance between the protection and use of personal information.
(2) Major Provisions
A. Update provisions related to other applicable laws (Article 6)
Require compliance with the principles of personal information protection when other laws are established or amended and prevent confusion over any conflict with other laws.
B. Boost self-regulation (Articles 13-2 and 13-3)
Since there is a limitation with government-led regulation alone in the digital era where the use of personal information increases rapidly, establish self-regulation protection governance by designating self-regulation organizations and prepared the basis to support them.
C. Prepare operating standards for movable visual data processing devices (Article 25-2)
As the current Act only regulates fixed visual data processing devices such as CCTV and has a limitation in presenting standards for movable visual data processing devices such as drones and autonomous vehicles, prepare reasonable standards and procedures to ensure the safe operation of movable visual data processing devices.
D. Update special cases for pseudonymous data processing (Articles 28-2, 28-7, and 60)
Prepare a safe pseudonymous data processing environment by including pseudonymous data in information subject to destruction and newly inserting confidentiality for work combining pseudonymous data.
E. Diversify overseas transfer methods and newly insert the rights to order suspension (Articles 28-8 and 28-9)
Considering a changing environment where cross-border personal information transfer is increasing due to growing online e-commerce, diversify the overseas transfer requirements for personal information to be in line with international standards and provide the rights to order business suspension for a violation to safely protect people’s personal information.
F. Review guidelines on personal information processing (Article 30-2)
Introduce a review system for personal information processing guidelines to allow for reviewing whether personal information processing guidelines are appropriate with the ex officio authority of the Personal Information Protection Commission or at the request of non-profit non-governmental organizations related to personal information protection.
G. Introduce the rights to request the transmission of personal information (Article 35-2)
To ensure people’s rights to control their personal information, introduce the rights that allow data subjects to request the personal information controller to transmit their personal information to them, other personal information controllers, or specialized personal information control institution.
H. Introduce the rights to be excluded from automatic decision-making (Article 37-2)
Introduce the rights to reject, object to, and request an explanation for automatic decision-making, which has a serious impact on people’s life, physical body, and property as new technologies such as artificial intelligence are increasingly used.
I. Update special cases for information and communications service providers (Articles 39-3 through 39-15 deleted)
Since the current Act has provisions divided for online and offline obligations and causes confusion and redundant burdens for legal applicability to personal information controllers, turn special cases for information and communications service providers into general provisions to apply the principles of “the same act – the same regulation” to all personal information processors.
J. Make the personal information dispute mediation system practical (Articles 40, 43, and 45)
Since it is needed to promote a quick and economic means of dispute resolution in the case of an infringement of rights to personal information, expand those who are obligated to respond to dispute mediation to cover personal information controllers, and provide fact-finding investigation rights to the Dispute Mediation Commission.
K. Update a provision for exemption from applicability (Article 58)
Update an exemption provision to ensure compliance with personal information protection measures and obligations to destroy personal information even if required for public safety and well-being such as an infectious disease crisis.
L. Strengthen personal information infringement investigation and penalty functions (Articles 59, 64, and 66)
Reasonably adjust too strict requirements to impose a corrective order under the current Act, prepare the legal basis for an announced order, and put in place the basis to punish the use of personal information by personal information handlers for personal purposes.
M. Shift the focus of penalties from criminal punishment to financial penalty (Articles 64-2, 71, 72, 73, and 75)
Consolidate penalty provisions, which are divided into general provisions and special cases for information and communications service providers, to impose the same punishment for violations of the same obligations and shift from excessive criminal punishment to financial penalties.
