With the advent of the Fourth Industrial Revolution, the development of new industries through active usage of data, which is a core resource, is largely becoming a national challenge. In particular, to nurture such new industries, it is imperative to utilize data with new technologies such as AI, cloud, and IoT, direly calling for an established social norm that will ensure safe data usage.

However, the current Act has been exposing certain limitations such as an ambiguous concept of personal information, leading to confusion of the people. Additionally, the supervising function on personal information protection is divided amongst the Ministry of Public Administration and Security/Korea Communications Commission/Personal Information Protection Commission, while related law is divided between the current Act and the Act on Promotion of Information and Communications Network and Information Protection, etc. As such, various fields have raised the need for a systematic improvement in the supervising authority as well as relevant law for personal information protection.

Therefore, this proposal seeks to redress the current law to enhance the protection of personal information while also seeking harmonious development in competitiveness of the related industries. The proposal seeks to achieve this objective by providing for the following: reduce the people’s confusion by clarifying the concept of personal information; newly establish methods and standards, etc., on how to safely use data and allow the use of pseudonymous information for the purposes of scientific research that include industrial objectives such as development of new data-based technology/product/service, statistics with commercial objectives such as market research, and public record keeping; establish systematic means through which personal information will be safely protected by imposition of various obligations for enhanced accountability on personal information controller as well as stronger punishment including penalty surcharge for violation; unify the supervising functions on wrongful usage/abuse of personal information under the Personal Information Protection Commission; unify similar/overlapping provisions between related laws under Personal Information Protection Act.

Details

A. Clearly specify the concepts related to personal information into personal information/pseudonymous information and anonymous information; allow the processing of pseudonymous information for the purposes of statistics, research and public record keeping; require that a combination of information sets owned by different enterprises be conducted by specialized institutions with security facilities specified by Presidential Decree, and allow transfer of such combined information via approval from the specialized institution (Article 2, subparagraph 1. Amend Articles 15 and 17. Newly insert Articles 28-2, 28-3, and 58-2)

B. In cases where pseudonymous information is processed or information sets are combined, require safety measures as specified by Presidential Decree, such as making and keeping related records, etc.; prohibit conduct of looking up a specific individual and impose punishments such as criminal punishment/statutory overcharge fine when violated (Newly insert Articles 28-4, 28-5 and 28-6)

C. Elevate the Personal Information Protection Commission to be a central administrative agency under the Prime Minister; Transfer functions currently under the Ministry of Public Administration and Security to the Personal Information Protection Commission; Enhance the Personal Information Protection Commission’s function as a control tower for personal information protection by granting the authority to present its opinion to the heads of relevant central administrative agencies in regard to combined investigations and/or combined measures (Article 7, Article 7-2 ~ 7-14. Article 63)

D. Delete personal information protection provisions from the Act on Promotion of Information and Communications Network and Information Protection; specify provisions from said Act as special provisions, if they are different from this Act (such as regarding protection measures in cases of foreign transfer; foreign re-transfer; domestic agency; damages insurance, etc.) or are only found in the Act on Promotion of Information and Communications Network and Information Protection (Article 17. Article 18. Amend Article 30. Newly insert Articles 39-3 ~ 39-16)

Note

This proposal presumes the passage of Partial Amendment of Act on Promotion of Information and Communications Networks and Information Protection, etc., (Proposal No. 16622) as introduced by National Assembly Member Roh, Woong-rae. Therefore, if said Amendment proposal does not pass or passes in an amended form, adjustments need to be made accordingly.

Allow the processing of pseudonymous information for the purposes of statistics, research, and public record; Require a combination of information sets owned by different enterprises to be conducted through specialized institutions with security facilities as specified by Presidential Decree; Allow the transfer of such information through the approval of specialized institution; Require safety measures as specified by Presidential Decree such as making and keeping relevant records in cases where pseudonymous information is processed or information sets are combined; Prohibit conduct where certain individuals are identified and impose criminal penalties and/or statutory overcharge fine, etc. in case of violation (Newly insert Articles 28-2, 28-3, 28-4, 28-5)