
PIPC Releases Draft Subordinate Regulation and Guidance on Data Subject Rights Regarding Automated Decisions

2024.07.19

The Personal Information Protection Commission (the “PIPC”) recently released detailed subordinate regulations and guidance on the definition of “automated decisions” under the Personal Information Protection Act (the “PIPA”) and data controller obligations regarding data subjects’ rights on automated decisions.

In response to privacy issues raised by the broad applicability of automated decision-making, such as AI recruitment and AI fraud detection systems, the PIPA was previously amended to establish data subjects’ rights to (i) request explanations or review of an automated decision if the decision affects their rights or obligations, and (ii) refuse an automated decision if the decision has a material impact on their rights and obligations (Article 37-2 of the PIPA, effective as of March 15, 2024). As a follow-up to this new Article 37-2, the PIPC recently issued supplementary regulations and guidelines with detailed criteria for identifying automated decisions and specified measures that data controllers are required to implement.
 

1. Administrative Notice of Proposed Notification on “Standards for Data Controller Measures on Automated Decisions”

The PIPC issued an administrative notice of the proposed notification on “Standards for Data Controller Measures on Automated Decisions” (the “Proposed Notification”) with a public comment period spanning from May 17, 2024 to June 7, 2024 (available in Korean, Link). Following the public comment period, the Proposed Notification is expected to be implemented after deliberation and resolution by the National Assembly.

The Proposed Notification specifies the details for determining whether a decision is automated and the detailed measures that data controllers must take in response to each type of data subject right (i.e., requests for refusal, explanation and review of an automated decision). The key details are as follows:

 

(1) Criteria for Determining Whether There Are “Automated Decisions”

  • The following non-exhaustive factors should be considered:

(i) Whether the decision is made solely by an automated system with no practical or meaningful human intervention from someone with legitimate authority.

(ii) Whether meaningful information is extracted through individual processing, such as analyzing and processing personal information of the data subject.

(iii) Whether the decision is made by the data controller and has an impact on the rights or obligations of the data subject.

(iv) Whether the decision is the final decision regarding the data subject, regardless of the stage at which it is made.
 

(2) Measures to Be Taken by Data Controllers in Response to Data Subject Refusals or Requests

  • Refusal: The data controller must take measures to suspend the application of the decision and prevent material impact on the rights and obligations of the data subject, and notify the data subject of the results.

  • Request for explanation: The data controller must provide meaningful information for the individual data subjects, and provide a clear and concise explanation in a manner that is easy to understand.

  • Request for review: The data controller must review whether to take into account the data subject’s submitted opinion, and if it is taken into account, the data controller must notify the data subject of the results.
     

(3) Considerations for Determining Whether an Automated Decision Has a Material Impact on the Rights or Obligations of Data Subjects

  • Whether the rights or obligations are related to the safety of human life or body.

  • Whether the data subject’s rights are forfeited or cannot be exercised.

  • Whether the data subject’s obligations exceed what is reasonable.

  • Whether there are ongoing restrictions on the rights or obligations.

  • Whether it is possible to restore the data subject to the prior state or avoid any impact on rights and obligations.
     

(4) Criteria for Determining Whether There Are “Justifiable Grounds” for Limiting the Right to Refuse

  • Consent: Whether the data subject was clearly informed and gave consent regarding the fact that automated decisions are made during the process of collecting and using personal information.

  • Other laws and regulations: Whether there are specific legal provisions that apply to automated decisions or if such decisions are necessary to fulfill legal obligations.

  • Execution and performance of agreement: In cases where automated decisions are made to take measures requested by the data subject during the process of performing or executing an agreement with the data subject, whether the data subject is clearly informed of the fact that automated decisions are made.
     

(5) Considerations for Determining Whether There Are Justifiable Grounds to Refuse a Data Subject’s Request – Balancing Potential Disadvantages to the Data Subject and Interests of the Data Controller or Other Relevant Third Party

  • Whether an automated decision has a material impact on the rights or obligations of the data subject, and thus, there are obligations to take measures in response to the exercise of the right to refuse.

  • Whether there are specific legal provisions that apply to automated decisions or if such decisions are necessary to fulfill legal obligations.

  • Whether there are concerns that the measures taken may harm another person’s life or body or unfairly infringe upon another person’s property or other interests.

  • Whether there are concerns that the measures taken may unfairly infringe upon the data controller’s property or other interests and such interests take precedence over the data subject’s right regarding automated decisions.

  • Whether it is difficult to perform the agreement unless the automated decision is applied (for example, by not being able to provide the services agreed with the data subject) and the data subject has not clearly expressed an intention to terminate the agreement.
     

2. Draft Guide on Data Subjects’ Rights Regarding Automated Decisions

The PIPC released a draft of the “Guide on Data Subjects’ Rights Regarding Automated Decisions” (the “Draft Guide”) on May 24, 2024 (available in Korean, Link).

The Draft Guide provides additional guidance, with specific cases and examples, on the scope of automated decisions, grounds for limiting the right to refuse, grounds for refusing data subject requests and actions to be taken by data controllers in response to data subjects’ requests. The Draft Guide also provides guidance on transparent disclosure of the standards and procedures on automated decisions and personal information processing practices, including the utilization of Explainable Artificial Intelligence (“XAI”) tools.

 

The Proposed Notification and the Draft Guide contain the PIPC’s positions on the interpretation and enforcement of the PIPA in relation to automated decisions, and can provide useful insights for companies that operate or plan to operate automated systems that process personal information, such as AI recruitment and AI fraud detection systems.

 

[Korean Version]
