South Korean Personal Information Protection Commission Announces Three-Year Data Protection Policy Plan
by Jasmine Park
On November 24, 2020, the South Korean Personal Information Protection Commission (PIPC), the nation’s central administrative agency tasked with protecting the privacy rights of individuals by enforcing the country’s privacy laws, released its revised three-year “Personal Information Protection Master Plan” (‘21-‘23). A wide range of policies that balance both the protection and use of personal information will be implemented at the national level, such as improving the system for obtaining consent when collecting personal information, providing incentives for self-regulation, and reforming the system regulating the cross-border transfer of personal information. One innovative area where the PIPC will play a leading role is developing a comprehensive support system for the use of pseudonymized data.
The plan includes three key strategies:
- Confident protection of personal information;
- Secure use of personal information that increases the value of data; and
- A fair balance between protection and use of personal information as the control tower.
The first strategy aims to 1) reinforce data subjects’ rights and promote citizens’ privacy literacy, 2) create a business ecosystem of voluntary protection of personal information, and 3) advance personal information protection systems in public sectors. The second strategy will 1) support the safe use of personal information, 2) eliminate blind spots in the digital transformation environment, and 3) create a safer environment for personal information through research and development. The third strategy sets out to 1) take stern measures against and respond promptly to privacy violations, 2) build national governance for personal information protection, 3) strengthen global personal information cooperation, and 4) reinforce the PIPC’s leadership as a unified supervisory body.
PIPC Chairman Yoon Jong-in also presented a report on the plan to the State Council of South Korea on November 24, 2020. The plan revises the “4th Personal Information Protection Plan” which was announced earlier in February 2020, and lays out the driving strategy and direction of major policies for the next three years, including the government’s plan for personal information protection. A need to revise the “4th Personal Information Protection Plan” arose due to the establishment of the PIPC as a central administrative agency on August 8, 2020, under the “Amendments to the Three Data Privacy Laws”, and the socially distanced and digital society brought about by COVID-19.
Therefore, the PIPC revised its plan after conducting an analysis of the environment, public surveys, and system research. Yoon Jong-in announced that the new plan will take effect in 2021 on the 10th anniversary of the enactment of PIPA, and encouragingly stated that “if the past decade was the time to lay the foundation for personal information protection in Korea, the next decade is the key to action. Built on trust in the data economy, we will do our best to implement the personal information protection plan so data can be used safely and well.”
The PIPC also aims to strengthen policies that confidently protect people’s personal information in the private and public sectors. It sets out to improve obtaining consent when collecting personal information, introduce new rights such as data portability, and effectively protect people’s control over their personal information in accordance with the changing times. In addition, the PIPC plans to enhance the self-protection of personal information by having people protect their own personal information taking into account the sensitivity of the data, providing incentives to businesses based on their performance voluntarily protecting personal information in a self-regulatory system, and developing professional expertise.
The PIPC will also expand the existing standards for privacy impact assessments by considering emerging privacy risk factors from new technologies, and expand the data breach incident factors assessment standards to prevent data breaches in the public sector. The public sector itself will take the lead on strengthening the foundation of personal information management, raising the standard through on-site inspections.
Further, in an economy increasingly driven by data, the PIPC will activate a pseudonymized data system to ensure personal information is used securely, and develop personal information protection systems and technologies. South Korea’s data protection law, the Personal Information Protection Act (PIPA), was amended in January 2020 and centralizes the data regulatory functions of PIPC (established as an administrative agency in September 2011), the Ministry of the Interior and Safety (MOIS), and the Korea Communications Commission (KCC) under PIPC, elevating it to the central data privacy regulatory authority in South Korea. While the PIPA has laid the foundation for processing and using pseudonymized personal information, due to the need to continuously enhance protections, the PIPC will develop a comprehensive support system and operate a government council to this end. The system will allow the combination of pseudonymized information by including an application and guidelines for submitting, receiving, and combining pseudonymized information, generating combined key-linked information, and managing the status of combinations.
The PIPC will also develop new protection standards for a digital society where new technologies such as artificial intelligence, cloud, and self-driving technologies have become widespread, and will actively review and seek to improve regulatory sandboxes that have been proven to require modification.
Finally, as the nation’s personal information protection “control tower”, the PIPC aims to strengthen its role in personal information protection domestically and internationally, and lead public-private global governance in balancing the protection and use of personal information. The PIPC also announced that it will increase inspections of public institutions that have large-scale personal information, carry out strict investigations and enforcements, and convene a government joint response consulting body to respond to data breaches. While the PIPC serves as a one-stop shop for obtaining advice related to personal information protection, with addressing complaints as one of its most anticipated functions, it will also assess and improve the cross-border data transfer system in response to increasing overseas data transfers by reviewing the diversification of cross-border transfer requirements, such as non-consent standard contracts.
With thanks to Caroline Hopland for her contribution.