[Personal Information] Revised Data 3 Act A to Z ① What is anonymous information?
Article posted in 2020-04-06 16:35:17 | VEAT
On January 9, the so-called “Data 3 Laws,” including the “Personal Information Protection Act,” “Act on Promotion of Information and Communication Networks and Protection of Information,” and “Act on the Use and Protection of Credit Information” were passed by the National Assembly. After being stalled in the National Assembly for over a year, these key bills were finally passed, leading relevant agencies such as the Ministry of Interior and Safety, the Broadcasting and Communications Committee, the Financial Services Commission, and the Financial Supervisory Service, along with the Personal Information Protection Committee, to conduct a public hearing from March 31st for 40 days through a public hearing.
Key Amendment Contents of the “Data 3 Laws”: “Pseudonymized Information”
One of the key aspects of the Data 3 Law amendment to carefully examine is the addition of the concept of “pseudonymized information,” which redefined the scope of personal information. Previously, the Data 3 Laws based the judgment of personal information on “identifiability,” resulting in criticism that the scope of “personal information” was excessively wide.
The Ministry of Interior and Safety, through the revised version of “Personal Information Protection Act Regulations and Guidelines Interpretation” (2016.12), introduced the concepts of “obtainability” and “linkability,” revealing its position that information obtained by illegal methods such as hacking will not be included. However, due to the fact that the interpretation document’s position was unclear in terms of legal basis and was inconsistent with existing precedents, it has continued to be subject to academic debates.
In this regard, the revised law, recognizing the global shift towards a data economy, adopted actively data utilization to establish opportunities for consumer-centric financial innovation (refer to the reasons for amendment), significantly revamped personal information governance, and added “pseudonymized information” to the classification of personal information, resulting in a major overhaul.
Accordingly, personal information is categorized into three: 1) Personal Information: data with personal information that can be identified as a specific individual (easily combinable if another information can be found, consideration of time, cost, and technology required to find a person); 2) Pseudonymized Information: information that cannot be identified as a specific individual even if additional information is not used or combined to restore the original state; 3) Anonymized Information: non-anonymized data that cannot be identified as a specific individual even if additional information is added.
As such, the Data 3 Law amendment is based on reducing the scope of “personal information” in the existing law to allow companies to utilize it if it cannot be identified as a specific individual without adding additional information.
While some are concerned about personal information abuse and security issues, companies are welcoming the move as the first step towards a big data society by utilizing diverse data to create new value.
In the next part, we will examine the main amendments to the Data 3 Law (Personal Information Protection Act, Act on Promotion of Information and Communication Networks and Protection of Information, Act on the Use and Protection of Credit Information).
Companies requiring consulting services regarding the Data 3 Law (Personal Information Protection Act, Act on Promotion of Information and Communication Networks and Protection of Information, Act on the Use and Protection of Credit Information) should contact Law Firm Veat.
Thank you.
Law Firm Veat Team.