[Personal Information] Revised Data 3 Law A to Z ② What parts of each law are changing?

Article posted in 2020-04-27 14:34:32 | VEAT

In the previous installment, we examined the introduction of ‘anonymized information’ as a result of amendments to the Data 3 Act. We addressed provisions to allow businesses to utilize them by reducing the scope of ‘personal information’ in existing laws and not adding further information when it cannot be identified as a specific individual.

This installment will examine the key provisions of the amended Data 3 Act.


1. Key Provisions of the Amended Personal Information Protection Act

· Clearly defined the concept of personal information by establishing a framework of personal information, anonymized information, and anonymized information, and permitted processing of anonymized information for purposes such as statistical compilation, research, and public interest record preservation.

· Businesses could combine data held by different companies through a specialized institution equipped with security facilities, as determined by presidential decree, and subject to approval from the agency, with the option to export the data after approval.

· However, in the event of processing anonymized information or combining information aggregates, measures to ensure safety, as determined by presidential decree, such as preparing and maintaining records, were required; and prohibited specific individual identification attempts (with penalties for violation including criminal prosecution and fines).

· The role of the Personal Information Protection Committee, previously divided among the Ministry of Public Safety and Security, the Broadcasting and Communications Committee, and the Financial Services Committee, was unified to strengthen its function as a control tower for personal information protection.

2. Key Provisions of the Amended Telecommunications Network Act

· Revised similar and redundant provisions in numerous personal information-related laws, and established measures to improve governance for personal information protection.

· Provisions pertaining to personal information protection within the Telecommunications Network Act were transferred to the Personal Information Protection Act, and the subject of regulatory and supervisory oversight was changed from the Broadcasting and Communications Committee to the Personal Information Protection Committee, with regard to online personal information protection.

3. Key Provisions of the Amended Credit Information Act

· Introduced the concept of anonymized information to establish clear legal grounds for the legal basis for big data analysis and utilization.

· Anonymized information could be utilized or provided without the consent of a credit information subject for purposes such as statistical compilation, research, and public interest record preservation.

· Introduced provisions such as information consent grade, profiling response rights, personal credit information mobility rights, and strengthened information subject’s self-determination rights.

· Expanded the penalty for unfair trade practices for personal credit information leakage from a punitive fine of 3 to 5 times to strengthen corporate responsibility.

· Introduced numerous provisions related to big data activation, including the establishment of data-specialized institutions, data combination through data-specialized institutions, mandatory security measures for safe utilization of anonymized information, and strict post-release penalties for profit and improper re-identification.

· Strengthened the position and function of the Personal Information Protection Committee and revised similar and redundant provisions in the Personal Information Protection Act and the Credit Information Act.

· Introduced provisions related to regulation of credit information industries, MyData (MyData) industry introduction in the financial sector, etc.


The public notice period for the revised enforcement regulations is from March 31st to May 11th. Due to coordination with relevant institutions, regulatory and legal review, and National Committee review, it is scheduled to be promulgated and implemented on August 5th. In addition, detailed procedures and specialized institution designation requirements for anonymized information combination, which are not included in the Personal Information Protection Act Enforcement Regulations, are scheduled to be announced for public notice in May.

· The full text of the revised enforcement regulations can be viewed on the websites of the Ministry of Public Safety and Security, the Broadcasting and Communications Committee, and the Financial Services Committee: ‘Policy Materials/Legal Regulations/Public Notice’.

· Thank you.

Veat Law Firm.