The Personal Information Protection Commission (“PIPC”) has announced its work plan for 2023. Under the slogan “leading the era of digital transformation based on public trust”, the PIPC introduced three policy guidelines and six key initiatives.
The three guidelines that will shape the PIPC’s policies this year are: (i) developing a data economy based on MyData (right to data portability); (ii) leading global trends in data privacy regulation; and (iii) fostering trust in society through fair and strict enforcement.
The PIPC plans to focus on the following six key initiatives: (i) making MyData available for everyone; (ii) reinforcing the infrastructure for using personal information for new technologies and businesses; (iii) securing a leading role in the face of a data-led reorganization of global order; (iv) establishing a swift response system ranging from preventive measures to damage relief; (v) building a thorough protection system for digital personal information; and (vi) updating personal information regulations to accelerate digital transformation. We highlight the key tasks for each initiative below.
1. Making MyData Available for Everyone
The PIPC plans to establish a “Korea MyData Roadmap” that includes a strategy to expand MyData, which has been limited to the financial and public sectors, to all areas during the first half of the year. The plan also involves setting the conditions for the right to data portability and laying down the basis for expert institutions that will manage personal information.
The PIPC will introduce guidelines on secure transfers within MyData, as well as on transmitting data between different industries, and launch a “MyData Support Platform” project. The latter will allow individuals to exercise their right to data portability as well as check and manage their data portability requests.
2. Reinforcing the Infrastructure for Using Personal Information for New Technologies and Businesses
The PIPC plans to form a “Public-Private Joint Personal Information Regulation Innovation Group” to strengthen the private sector’s ability to use personal information by removing similar and overlapping regulations between the PIPA and related laws, as well as providing a one-stop shop for handling corporate grievances. To encourage the use of pseudonymized data, the PIPC plans to establish standards for pseudonymizing atypical data, operate support platforms, and reform the Pseudonymized Data Use Support Center into a Personal Information Use Support Center.
In the second half of 2023, the PIPC plans to recruit and support start-ups and projects that use pseudonymized data in specialized industries in each region. For AI research and development of autonomous driving, the PIPC will introduce a “Personal Information Safe Zone” to enable unrestricted analysis and use of personal information in an environment where security is guaranteed.
3. Securing a Leading Role in the Face of Data-Led Reorganization of Global Order
The PIPC intends to foster relationships with international institutions, such as the OECD, by building information sharing systems, including data hubs for investigation. The PIPC further intends to strengthen its cooperation with major supervisory bodies, such as those of the US, EU, and UK. As the PIPC may continue to investigate global businesses in cooperation with foreign regulators, clients are advised to monitor overseas regulatory trends.
In addition, the PIPC intends to inspect the international data transfers of 5,000 popular apps and impose strict sanctions, such as suspension orders, if such transfers are found to cause damage to users. Clients are therefore advised to conduct a preliminary inspection of their process for transferring personal information overseas.
Furthermore, as the PIPC plans to reform the local privacy agent system and require foreign companies to designate their Korean entity as the local privacy agent, foreign clients are advised to monitor the progress of the reform.
4. Establishing a Swift Response System Ranging from Preventive Measures to Damage Relief
The PIPC announced that it would conduct a preventative inspection on seven key areas of the digital ecosystem to create an online service environment that people can trust.
The seven core areas of the digital ecosystem are: (i) dark patterns; (ii) ad-tech; (iii) API providers (e.g., integrated login, social login, map/location information API); (iv) non-face-to-face platforms (e.g., educational platforms, video conferencing, collaboration tools); (v) superapps (providing multiple services within one app); (vi) smart devices (e.g., smartphones, wearables, smart TVs); and (vii) large service providers/solution providers (e.g., customer centers, shopping mall solutions, electronic medical record systems).
The PIPC plans to impose strict sanctions on violators, but it will provide guidelines for areas where the law is unclear.
5. Building a Thorough Protection System for Digital Personal Information
To protect the rights of children and adolescents who use digital services, the PIPC will inspect both domestic and foreign providers of children’s content, such as IPTV and OTT service providers.
The PIPC will amend the “Guidelines for Protection of Personal Information in Targeted Advertising” in the first half of the year to improve the methods of obtaining consent for behavioral data, such as online activities, and guarantee a right to opt out. In the second half of the year, the PIPC will test-run the “Privacy by Design Certification System” for digital devices that collect personal information, such as AI speakers and IP cameras, and prepare a regulatory framework for such devices.
As part of the plan to strengthen data subjects’ rights, the PIPC will introduce measures on a right to opt out or a right to request an explanation regarding automated decisions based on AI, focusing on key areas, such as hiring employees and selecting welfare recipients. As the proposed amendments to the PIPA also include this right, we expect detailed guidelines to be announced once the amendments are adopted.
6. Updating Personal Information Regulations to Accelerate Digital Transformation
According to the PIPC, amending the PIPA will: (i) reorganize and consolidate the standards for security measures for online and offline environments; and (ii) abolish regulations that cause inconvenience to individuals and businesses, such as the current requirement to destroy or segregate dormant user data. In addition, the requirement to inform data subjects of the history of use and disclosure of personal information will be extended to all data controllers, but data controllers will now be allowed to provide this information via a digital system that data subjects can access.
In the online platform sector, the PIPC plans to expand the scope of self-regulation frameworks set up by the private sector and approved by the government. This year, a code of conduct for self-regulation will be established in five areas (delivery, job search, real estate, online accommodation reservation, and hospital/clinic reservation), and the PIPC will examine whether the code of conduct has been implemented and provide incentives, such as reduction of fines and penalties.
The PIPC will also draft guidelines on the metaverse and cloud, and plans to newly enact a “Personal Video Information Act” tailored to data collection by mobile imaging devices, such as self-driving cars and drones, for which it is difficult to obtain prior consent.
As several significant changes in the laws and policies related to personal information are expected in 2023, clients are advised to closely monitor these developments.
This content is also available in Kim & Chang’s Korea Legal Insight 2023, where you can find out more updates and outlooks on Korea’s legal developments in 2023.