The Personal Information Protection Commission (the “Commission”) announced its plan for 2023 to conduct personal information protection investigations. The Commission’s headline for this year’s investigation goal is to “create a digital ecosystem that can be trusted by the public by conducting preemptive and preventive inspections on the protection of data subjects’ rights.” We provide below an overview of the key projects that the Commission plans to undertake pursuant to such initiative.
Inspection and Investigation of Seven Key Areas of Online Services
In order to create a reliable online service environment, the Commission stated that it will conduct preemptive and preventive inspections on the following seven key areas of the digital ecosystem:
1. Dark Pattern
As part of a preemptive and preventive inspection of dark patterns (deceptive or misleading design) that induce users to make unreasonable choices, the Commission plans to review over 100 popular online services, including online shopping malls, online reservation websites (e.g., accommodation, medical care, mobility), communication services (e.g., SNS, chat apps), and content services (e.g., games, music, videos, webtoons, web novels), during the (i) member registration stage, (ii) active member stage, and (iii) consent/membership cancellation stage, to identify cases of potential user right infringement.
2. Adtech
To analyze the risk factors present in the adtech industry, which collects and uses users' online activity records to serve targeted advertisements, the Commission plans to identify the types of information shared during the real-time bidding (“RTB”) process and the technologies used in that process, and to analyze technologies that may serve as substitutes for third-party cookies. In addition, the Commission plans to conduct a survey of the behavioral data collected by targeted advertising businesses and closely examine businesses that provide personal information to adtech companies for targeted advertising.
3. API Services
The Commission plans to review the processing of personal information by API services, which are widely used on online platforms and mobile devices, with a focus on third-party provision and encryption of personal information that occurs when linking systems among different data controllers. The Commission is currently reviewing integrated login APIs and will later broaden its scope of inspection to include other highly versatile services that utilize APIs, such as social login APIs and map/location information-related APIs.
4. Online Platform Services
The Commission plans to investigate whether online (contactless) platforms, which have grown rapidly during the COVID-19 pandemic, are in compliance with the requirements to obtain consent for the collection, use and third-party provision of personal information and to take appropriate security measures to safeguard personal information (e.g., encryption of information received or transmitted). The Commission’s review will start with online hospital/clinic reservation services, which process sensitive information (e.g., medical history information). This will be followed by reviewing online education platforms (e.g., online tutoring and lecture services) and video conferencing platforms.
5. Super Apps
The Commission will review so-called “super apps”, which provide a variety of services (e.g., messaging, social networking, games, payment services, shopping, gifting) through a single app. The Commission will check whether consent was duly obtained from the data subjects when adding new services, whether they collect personal information to the minimum extent necessary as required under the Personal Information Protection Act, and for other privacy compliance issues. The Commission will prioritize the super apps with a large number of subscribers and monthly active users.
6. Smart Devices
The Commission will check the processing of personal information by smart devices and conduct inspections on business operators that process large volumes of personal information and sensitive information. The Commission plans to examine the status of personal information transmitted to, and used by, smartphones and wearable devices (covering device manufacturers, OS providers, and telecommunications service providers) and review whether appropriate consent has been obtained from data subjects. With respect to smart TV and other home appliance manufacturers, the Commission will review the status of collection and use of behavioral data (e.g., TV viewing records, product usage patterns) and the legality of service integration.
7. Large Data Processors and Solution Providers
The Commission plans to conduct a full-fledged review of large-scale data processors and solution providers that receive and process personal information outsourced by a large number of data controllers. Specifically, the Commission plans to review the personal information management practices of large data processors (e.g., customer service centers), their security measures (e.g., access control), and the allocation of personal information protection liability between the data controllers and the data processors. The Commission will also evaluate whether solution providers, such as online shopping mall solution providers and electronic medical record system providers, implement the security measures required under the PIPA and whether they are exposed to any security risks.
Inspection and Survey of More Vulnerable Processing Activities
The Commission also announced a plan to conduct inspections regarding children’s personal information, personal information transferred overseas, and the operation of domestic agents.
1. Children’s Content Providers
To protect children whose ability to exercise their personal information rights is limited, the Commission plans to examine whether domestic and foreign businesses that provide children’s content services, websites and apps for children under the age of 14 obtain proper consent from the legal guardian of their users and provide easily understandable notices to the users (as required under the Personal Information Protection Act).
2. Personal Information Transferred Overseas
In order to ensure secure management of personal information transferred overseas, the Commission plans to conduct an intensive review of whether the top 5,000 apps by number of users comply with the legal requirements for transferring personal information overseas, including obtaining consent for third-party provision, and of how the personal information transferred overseas is managed.
3. Domestic Agents
In response to comments that the current domestic agent system is operated in a perfunctory and formalistic manner contrary to the purpose of its adoption, the Commission plans to examine the status of domestic agents of global service providers and implement improvement measures to address issues that are identified through such examination.
As seen from the above, the Commission plans to conduct a variety of in-depth inspections and investigations. The activities of the Commission should be closely monitored for further developments.