On February 16, 2024, the Personal Information Protection Commission (the “PIPC”) announced its Key Policy and Enforcement Plans for 2024. Under the slogan “AI era where life flourishes and personal information is safe,” the PIPC announced its three main policy goals for 2024: (i) improving the quality of life with responsible AI; (ii) building a society that secures personal information and guarantees safe everyday life; and (iii) creating a personal information system that sets global standards.
Further, the PIPC plans to focus on the following six key initiatives: (i) creating an environment for responsible AI growth; (ii) laying the foundation for the expansion of MyData; (iii) constructing a personal information protection system that guarantees safe everyday life; (iv) strengthening the rights of data subjects in the digital age; (v) building and developing an ecosystem that supports data economy; and (vi) driving the formation of global privacy standards.
Creating an Environment for Responsible AI Growth
The PIPC plans to publish within this year six guidelines for applying the Personal Information Protection Act (the “PIPA”) to the AI environment. These guidelines relate to the processing of public information, processing of unstructured data, processing of biometric data, processing of synthetic data, use of mobile visual data processing devices, and transparency.
To address public anxiety over the use of AI, the PIPC plans to specify the criteria for securing AI transparency by June this year and devise a risk assessment model for each type of privacy issue that could arise in using AI by September this year. In addition, the PIPC plans to support the growth of the AI sector by operating a pre-adequacy review system, which would allow businesses to consult the Government in developing ways to comply with the PIPA in the course of developing AI models and services and by allowing the use of the original image information in a regulatory sandbox.
Laying the Foundation for the Expansion of MyData
The PIPC is in the process of establishing detailed standards for exercising the right to request the transmission of personal information and for seamless transfers of data. In addition, with the aim of launching the full MyData services in 2025, the PIPC plans to lay down the basis for expanding MyData, such as developing and supporting MyData services in industries close to people’s everyday lives, such as medical services and telecommunication, starting in March this year.
Constructing a Personal Information Protection System that Guarantees Safe Everyday Life
The PIPC announced that it would designate (i) education/training services; (ii) food/beverage ordering services; and (iii) information/broadcasting/telecommunication services as the three areas closely related to the public where unsecure personal information processing could interfere with people’s everyday lives; and (i) smart cars; (ii) AI; and (iii) “super” apps (i.e., apps through which people can use various services without the need to install other apps) as the three new industries that require transparency in the processing of personal information, and conduct compliance inspections in these areas to check for potential vulnerabilities.
The PIPC also announced that it will establish a “mid-to-long-term investigation roadmap” that includes the direction of its future analysis and investigation of privacy infringement factors resulting from changes in the digital environment, e.g., dark patterns, personal identity threats and cybercrimes through profiling, as well as its plans to expand the number of investigative experts and technologies.
Strengthening the Rights of Data Subjects in the Digital Age
The PIPC plans to implement a privacy policy evaluation scheme from April this year to enhance the transparency of personal information processing and the rights of data subjects. This effort is based on Article 30-2 of the amended PIPA, which entered into force in September last year. If a privacy policy is found to need improvement following assessment, the PIPC can recommend the data controller to revise it as appropriate.
In addition, the PIPC noted that it intends to expand the dispute mediation system under the PIPA and that the obligation to guarantee compensation for damages arising from violation of the PIPA, e.g., by subscribing to insurance policies, will take effect from March this year.
Building and Developing an Ecosystem that Supports Data Economy
The PIPC said it will push for the enactment of the Personal Image Information Act (tentative title) to reflect the changes brought by new technologies and industries, such as autonomous vehicles, robots and drones, to set the standards for using image data. While using image data is currently governed by the PIPA, discussions for independent regulation are expected to take place.
In addition, the Enforcement Decree of the PIPA, which heightens the qualification requirements for Chief Privacy Officer by requiring a certain number of years of experience, will come into effect in March this year. The PIPC plans to support the formation and running of the Chief Privacy Officers Council to promote communication and cooperation among Chief Privacy Officers.
Driving the Formation of Global Privacy Standards
The PIPC said it will actively participate in discussions on reforming global digital standards in line with the development of AI, and will not only cooperate with regulators in countries such as the UK, France, Germany and Japan, but also cooperate with policy agencies such as the US Federal Trade Commission and UK Department for Science, Innovation and Technology.
Furthermore, as part of the regulation on overseas transfer of personal information under the amended PIPA that came into force September last year, the PIPC is expected to focus on selecting and reviewing countries that are deemed to provide a level of personal information protection that is equivalent to that under the PIPA, and promoting public-private governance, including the Special Committee for Overseas Transfer, which was launched in January this year.
This year, as the growth of AI is expected to accelerate, the PIPA is set to apply provisions that stipulate the rights of data subjects with regard to automated decisions and strengthen the requirements for Chief Privacy Officers. Discussions on the expansion of MyData services based on data subjects’ right to request transmission are also expected to materialize. In this light, demands to protect personal information and guarantee the rights of data subjects are expected to continue, and the PIPC has expressed its plans to provide guidelines and to conduct inspections and investigations in response to such demands. Therefore, clients are advised to pay more attention to compliance with relevant laws and regulations and to fully understand and prepare for policy directions in advance.
