
PIPC Issues Administrative Notice of Proposed Notification on “Standards for Data Controllers’ Measures on Automated Decision-Making” and the Draft Guide

2024.06.11

On May 17, 2024, the Personal Information Protection Commission (the “PIPC”) issued an administrative notice of the Proposed Notification on the “Standards for Data Controllers’ Measures on Automated Decision-Making”[1] (the “Proposed Notification”). The public comment period was until June 7, 2024. Please refer to the official announcement here (available in Korean, Link).
 

1. Administrative Notice on “Standards for Data Controllers’ Measures on Automated Decision-Making”

The Proposed Notification sets forth the criteria for measures to be taken by data controllers in response to data subjects’ requests for refusal, explanation and review of automated decision-making. The key details are as follows:
 

  • Considerations for determining automated decision-making

    The Proposed Notification provides guidance on determining (i) whether a decision constitutes “automated decision-making,” (ii) whether the automated decision-making has a “material impact” on the rights or obligations of the data subject, and (iii) whether there are justifications to restrict the data subjects’ rights to refuse the automated decision-making.
     

Issues

Key Considerations

Whether a Decision Constitutes “Automated Decision-Making”

  • Whether the decision was made solely by an automated system with no meaningful human intervention from someone with legitimate authority.

  • Whether the automated system extracts meaningful information through individual processing, such as analyzing and processing personal information of the data subject in question.

  • Whether the decision is the final decision on the data subject, regardless of the stage at which it is made.

Whether Automated Decision-Making Has a “Material Impact” on the Rights or Obligations of the Data Subject

  • Whether the data subject’s rights or obligations are linked to the safety of human life or body.

  • Whether there are continuous restrictions on the rights or obligations of the data subject.

  • Whether it is possible to restore the data subject’s prior condition or avoid any impact.

Whether There Are Justifications to Restrict the Data Subjects’ Rights to Refuse the Automated Decision-Making

  • Consent: Whether the data subject was informed and gave consent regarding the fact that an automated decision is made in the process of collecting and using personal information.

  • Regulations: Whether there are any specific legal provisions that apply to automated decisions or if such decisions are necessary to fulfill legal obligations.

  • Execution and Performance of Agreements: In the process of performing or executing an agreement with a data subject, whether an automated decision is made to fulfill requests from the data subject, and whether the data subject is clearly informed of such automated decision in this process.

 

  • Grounds for Refusing a Data Subject’s Request

    The Proposed Notification specifies the key considerations to be taken into account when determining whether a data controller has “justifiable grounds” to refuse a data subject’s request for refusal, explanation and review of automated decision-making. The notion of “justifiable grounds” is determined by carefully evaluating and balancing the potential disadvantages that can be experienced by the data subjects and the interests of the data controller or any relevant third party.

Data Subject’s Request

Key Considerations in Determining “Justifiable Grounds” for Data Controller’s Refusal of Data Subject’s Request

Request for Refusal

  • Whether the measures taken in response to the data subject’s request for refusal are likely to harm another person’s life or body or unfairly infringe on another person’s property and other interests.

  • Whether the measures taken in response to the data subject’s request for refusal are likely to unfairly infringe upon the property and other interests of the data controller and take precedence over the data subject’s right to an automated decision.

  • Whether it is difficult for the data controller to perform the agreement (for example, by not being able to provide the services agreed with the data subject) unless the relevant automated decision is applied, and the data subject has not clearly expressed his/her intention to terminate the agreement, etc.

Request for Explanation

  • Whether the explanation of automated decision-making is likely to cause harm to another person’s life or body, or unfairly infringe on another person’s property and other interests.

  • Whether the explanation of automated decision-making is likely to unfairly infringe the property and other interests of the data controller and take precedence over the data subject’s right to the automated decision.

  • Whether the matter on which the data subject requested an explanation of the automated decision-making is sufficiently foreseeable by the data subject or is not true.

Request for Review

  • Whether the opinions submitted by the data subject have already been reflected in the automated decision-making process or whether the data subject has already made repeated requests for review of the same matter.

 

  • Measures to be taken in response to data subject’s requests

    The Proposed Notification specifies the key measures that need to be taken by the data controller in response to data subjects’ requests on automated decision-making.

Data Subject’s Request

Key Measures

Request for Refusal

  • A data controller must (i) refrain from engaging in automated decision-making that materially impacts the rights and obligations of the data subjects, and (ii) notify the data subjects of the results.

  • However, if the decision is re-processed through human intervention and the revised result is notified to the data subject, the data controller is allowed to continue using automated decision-making without suspension.

Request for Explanation

  • A data controller must choose meaningful information for individual data subjects, and provide a clear and concise explanation in a manner that is easy to understand.

  • However, if an automated decision does not have a significant impact, the data controller may briefly notify data subjects of the major types of personal information used for automated decision-making, along with the relationship between such information and automated decision-making.

Request for Review

  • In case the data subject’s requested review is taken into account in the automated decision-making, the data controller must notify the data subject of the result.

 

  • Period of Measures to be Taken

    A data controller must take necessary measures within 30 days of receiving a request, which can be extended by up to 30 additional days (up to two times) if there are justifiable grounds. The Proposed Notification provides more details on the “justifiable grounds” for extending the period.

    Moreover, if a data controller refuses the data subject’s request, the data controller must notify the data subject of the grounds for refusal and provide details on how to submit an objection within ten days of receiving the request.
     

2. Release of the Draft Guide on the Rights of Data Subjects to Automated Decisions

The PIPC has prepared a draft guide aimed at ensuring the stable implementation of the automated decision-making system and facilitating understanding among involved parties (the “Draft Guide”). The PIPC plans to gather feedback and insights from various stakeholders (until June 21).

The Draft Guide provides detailed information on specific examples of the scope of automated decisions, actions to be taken by data controllers in response to data subjects exercising their rights, and disclosure of the standards and procedures related to automated decision-making. Moreover, the Draft Guide provides information on a self-diagnosis table that can be utilized as a practical reference for each item, including examples of explanation, as well as the utilization of explainable artificial intelligence (“XAI”) tools.

 

Key Areas

Examples of Automated Decision-Making

  • In a sequential decision-making process where automated decisions are made during the initial stages of document screening and aptitude tests, and human intervention is introduced during the interview stage, the outcome of the document review will have a lasting impact on individuals who are hired.

  • In cases where a data controller relies on the analysis of personal information using the AI Fraud Detection System to make decisions regarding permanent penalties such as account suspension, contract termination, etc.

Examples That Are Not Automated Decisions

  • In cases of the hiring process, where a decision is made on whether a person is suitable by considering not only the AI’s score but also additional data, such as application documents and AI interview results.

  • In cases of personalized ads or news recommendations, where a data controller makes suggestions but the individuals have the right to make their own choices. Therefore, the decision-making process would not impact the rights or obligations of the individuals.

  • In situations where an account is temporarily blocked using the AI Misconduct Detection System, but a final decision is made through human intervention after the individual explains the relevant actions taken.

 

Key topics included in the Draft Guide are:
 

  • Purpose of the introduction of rights

  • Subject of automated decision-making

  • Measures to be taken by the data controllers

  • Disclosure of standards, procedures, and processing methods

  • Procedures and methods for request by data subjects

  • Sanctions Regulations
     

Meanwhile, the Draft Guide provides specific criteria for cases where the data subjects’ rights may be restricted or the data controller may refuse the data subject’s request, where a prime example would be when a data subject already consented to automated decision-making. Regarding the method of obtaining consent from data subjects, the Draft Guide provides that data controllers must (i) inform data subjects of (a) the details and purpose of the tasks for which an automated decision is made, and (b) the types of specific personal information processed in the automated decision-making process; and (ii) thereafter obtain the data subject’s consent. Data controllers should be mindful that the foregoing items (a) and (b) must be disclosed separately from the disclosure requirement for the general collection and use of personal information.
 
As the Draft Guide is expected to serve as a summary of the PIPC’s position on the interpretation and enforcement of the PIPA concerning automated decision-making, it would be advisable for business operators using automated decision-making through personal information processing to carefully consider the Draft Guide and stay informed on subsequent enforcement trends.
 
Furthermore, the PIPC has announced its plan to incorporate additional Q&A and cases to the Draft Guide after gathering input from various stakeholders, including academia, civic groups, and businesses, to account for the evolving AI technology. Therefore, it would be advisable to continuously monitor the updated version of the Draft Guide.

 


[1]   “Automated decision-making” refers to a decision made by a completely automated system (including systems utilizing artificial intelligence technology) through the processing of personal information. This definition does not include any automatic dispositions made by administrative agencies under Article 20 of the Framework Act on Administrative Affairs (Article 37-2 (1) of the PIPA).

 
