The Fourth Industrial Revolution involves upgrading the former digitalization of information to an artificial intelligence-based system, and the success of such process depends largely on how advanced AI technologies are. In recent years, artificial intelligence has been rapidly developing with the help of big data, which is both an outcome of and impetus behind the Fourth Industrial Revolution.

The exponential growth of the big data industry can be indicated by the fact that five out of the world’s top ten companies by market capitalization, namely Alphabet (Google), Amazon, Tencent, Facebook, and Alibaba, are data-related enterprises. However, Korea’s big data market was only worth 454.7 billion won last year, which accounts for a mere 0.1% of gross production in ICT. Korea may consider itself an ICT leader, but its utilization rate of data, which is referred to as the crude oil for the 21st century, is extremely low.

Domestic enterprises wish to utilize data held by various institutions, but the reality is that current laws and systems make it difficult to make use of personal information held by another institution, and most of the information that is disclosed is too poor in quality to be utilized.

As a result, the growing perception is that industries should look beyond the currently regulation-oriented policies on personal information and instead seek ways to utilize personal information in a safe manner, thereby achieving a balance between new industrial developments and protection of personal information.

Accordingly, the Amendment clarifies the currently vague definition of personal information and regulations on the use of personal information. It simplifies the procedure for granting consent for the use of personal information, prescribes legal grounds on the use of de-identification measures and de-identified information specified in the current guideline, and otherwise aims to facilitate the protection and safe use of personal information.

The Amendment also modifies penal provisions concerning de-identification measures and safety assurance in the use of personal information, thereby aiming to minimize any damage caused by the relaxation of personal information regulations.

Details

A. Prescribe that any information that does not identify a specific person, but allows the individual handling the information to identify the person by combining it with other information he or she handles, shall be construed as personal information (Article 2, subparagraph 1)

B. Clarify the meaning of the “use” of personal information, etc., by stating “combining, analyzing, processing, and other use” (Article 15, paragraph 1)

C. Prescribe that where a data subject has already disclosed personal information either directly or through a third party, the data subject's consent may be construed as having been obtained after considering such factors as the nature of the information concerned, form of disclosure, and relevance to the data subject’s intention and purpose of the disclosure; and require personal information controllers to disclose the classification standards, management standards, purpose of use, etc., of the information concerned through the Privacy Policy (Article 22-2 newly inserted)

D. Allow de-identified information to be used and provided without the data subject's consent after a de-identification quality assessment if there is no risk of unjustly violating the interests of the data subject and third parties (Article 22-3 newly inserted)

E. Prescribe grounds to issue a recommendation of correction before a correction order to any person who has violated this Act (Article 63-2 newly inserted)

F. Prescribe grounds to punish any person who has failed to disclose in his or her Privacy Policy matters concerning exemption from consent for personal information processing, any person who has failed to organize and operate a quality assessment team for the de-identification of personal information, etc. (Article 75, paragraph 1, subparagraphs 2-2 and 2-4 newly inserted)

Prescribe that where a data subject has already disclosed personal information either directly or through a third party, the data subject's consent may be construed as having been obtained after considering such factors as the nature of the information concerned, form of disclosure, and relevance to the data subject’s intention and purpose of the disclosure; and require personal information controllers to disclose the classification standards, management standards, purpose of use, etc., of the information concerned through the Privacy Policy (Article 22-2 newly inserted)

Allow de-identified information to be used and provided without the data subject's consent after a de-identification quality assessment if there is no risk of unjustly violating the interests of the data subject and third parties (Article 22-3 newly inserted)