SEOUL, July 1 (Korea Bizwire) – The Korean government is allowing some personal information to be used without an individual’s consent in ICT fields including big data, IoT (Internet of Things), and fintech (financial technology), as long as the information does not reveal the person’s identity.
The Ministry of the Interior (MOI) announced on Thursday, June 30, that it has published “Action Guidelines for Non-identifying Personal Information” and an “Integrated Manual for Privacy Protection Legislation” in cooperation with the Korean Communications Commission (KCC), Financial Supervisory Commission, Ministry of Science, ICT, and Future Planning, Ministry of Health and Welfare, and Office for Government Policy Coordination. The two new regulations will take effect starting July 1.
The government decided to assume that any information with personal identification elements removed could be classified as non-private.
Current legislation requires the consent of an individual prior to using personal information for any purpose; however, the specified non-identifying information is not considered personal and will not be included in the clause.
The new guidelines suggest that personal identification elements be removed by using a false name, deleting data, masking data, or a combination of these methods. However, if only a false name is used, the data will still be considered personal information.
Under the terms of the guidelines, measures will also be taken to evaluate if relevant institutions are following the recommendations through the formation of a ‘non-identifying action adequacy evaluation group’.
Data will be provided to a third party only if the personal information has been processed so that it does not reveal the person’s identity, based on a big data analysis. Providing any data other than public data to unspecified individuals will be strictly prohibited.
If the data somehow becomes re-identifiable, it must be disposed of.
Furthermore, if anyone intentionally uses or provides ‘non-identifying’ information by making it re-identifiable, they will be subject to up to five years in prison or a 50 million won ($43,000) fine. If ‘re-identified’ information is not destroyed immediately, the perpetrator will also be subject to a penalty of up to 50 million won.
Each government department will offer guidelines and consultation services to start-ups and small businesses on how to use big data through public institutions including the Korea Internet & Security Agency, Korea Credit Information Service, National Information Society Agency, and Social Security Information Service.
“Publishing new guidelines and an integrated manual will be a turning point for the big data industry which has been growing rapidly at 30 percent every year. I expect this action to also create more job opportunities in ICT fields such as advanced data analysis,” said a government official.
The industry can use customers’ ‘non-identifiable’ personal information, without consent, for market research, new product development, and marketing strategy planning, and can provide it to third parties as well. Yet, customized or personalized services will not be available since the customer’s identity is not identifiable.
On the other hand, controversy may arise, as NGOs have criticized the government for focusing on the deregulation of privacy laws for the big data industry, saying this could be interpreted as an infringement of the constitutional right to self-determination with regard to personal information.
The Constitutional Court declared in May 2005 that, “The right of self-determination with regards to personal information allows a person to decide to whom and to what extent his or her privacy be disclosed.”
“Non-identifiable information is not a person’s privacy, so it does not fall under the category of self-determination right of the constitution. Opting out is not an option even if a person refuses to partake,” said Jang Han, director of Privacy Protection Policy at the MOI.
With the new guidelines published, the “Privacy Protection Guidelines for Public Information Disclosure and Sharing” which were previously published in 2013 by the MOI, and “Big Data Privacy Protection Guidelines” published by the KCC in 2014 will be discarded as of June 30.
By Nonnie Kim (nkim@koreabizwire.com)