On the Bar is a regular column written by attorneys at Yoon & Yang LLC on various laws and regulations that affect running a business in Korea. The content provided here is general legal information. -- Ed.

Since the EU General Data Protection Regulation took effect in May, Korea has promoted the use of personal data, which is a major asset in the “fourth industrial revolution,” while amending or preparing to amend the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (ICNA) and Credit Information Use and Protection Act, which include responses to GDPR.

The ICNA was amended on June 12, 2018 and Sept. 18, 2018, and these amendments aim to strengthen national control over data subjects’ personal data and establish the legal foundation for personal data protection, etc., especially vis-a-vis abroad or foreign enterprisers. 

The main details of the amended ICNA can be summarized as follows: (i) established damages provision in case information and communications services providers, etc. violate their personal data protection obligations (Article 32-3); (ii) adopted provisions (a) enabling Koreans to actually exercise their decision-making rights vis-a-vis global enterprisers for consent withdrawal regarding the personal data collection, use and provision, etc. and request for access to and correction of personal data; (b) requiring global enterprisers to promptly submit materials to Korea Communications Commission for determining personal data infringement; (c) requiring certain enterprisers satisfying GDPR or other to designate a Korean representative with a local address (Article 32-5); (iii) prepared the legal basis to regulate the retransfer of subjects’ personal data to a third country after the initial data transfer overseas (Article 63(5)); and (iv) adopted the reciprocity provision regarding overseas transfer of personal data (Article 63-2).

Meanwhile, for credit information, the Financial Services Commission announced a consolidated plan on March 15, 2018, aiming to invigorate big data use in the financial sector, implement proper deidentification measures, reinforce consent for personal data for substantive data protection and introduce data subjects’ decision-making rights (such as rights to profiling and personal credit information portability). Further, FSC announced its plan on July 17, 2018 to concurrently support the systematic management of subjects’ credit information by introducing MyData Industry into financial fields (i.e., personal management of credit information), which is distinct from common credit bureaus and provide personal credit/asset management services through consumer pattern analysis, etc. Further, FSC decided to adopt the “right to portability of personal credit information” (akin to the newly adopted data portability right in GDPR) to safeguard data subject rights.

Moreover, for health information (i.e., sensitive information), the Ministry of Trade, Industry and Energy announced on Feb. 9 to establish a comprehensive database, which consolidates substantial medical data from hospitals and creates a standard platform for data use. MOTIE aims to build and use medical big data system as well as resolve the challenge concerning the mutual use of medical information due to different existing forms of electronic medical records (EMR) and protect personal data through proper deidentification measures. Further, MOTIE plans to establish the big data platform by converting medical data retained by 40 or more hospitals and the National Health Insurance Service, etc. to a common data model, among others to resolve data protection issues.

The main distinction between GDPR and Personal Information Protection Act are regarding whether the concept of deidentified information exists, details of data subject rights and managerial measures regarding data protection officer (note that PIPA contains a more specific provision about technical measures than GDPR). PIPA does not define deidentified information and contains relatively weak protection for data subject rights, whereas GDPR insures numerous data subject rights. Thus, if domestic legislations were to accommodate GDPR, we believe that it would likely prioritize defining deidentified information and adopting details of data subject rights that would ultimately follow in line with GDPR.

As the global trend is to ensure the proper personal data protection and use, it would thus be advisable for domestic legislations, including ICNA, to appropriately reference GDPR in amending or setting the direction for such legislations. We believe that proper compliance with the domestic legislations would ultimately have the effect of complying with the main terms of GDPR.

By Lee Keun-woo, Kim Yoon-sun

Lee Keun-woo is an attorney and partner at law firm Yoon & Yang LLC, with a special interest in intellectual property and data protection.

Kim Yoon-sun is a US-licensed attorney at law firm Yoon & Yang LLC, with a special interest in intellectual property and data protection.