If you cannot view this email correctly, please click here
|
 |
“Guidelines on De-identification Measures” and the “Comprehensive Guide to Data Protection Laws and Regulations” Newly Announced
|
On June 30, 2016, government authorities responsible for enforcing data protection and privacy laws and regulations, including the Ministry of the Interior, the Korea Communications Commission, the Financial Services Commission, the Ministry of Science, ICT and Future Planning, the Ministry of Health and Welfare, and the Office for Government Policy Coordination, jointly announced the “Guidelines on Personal Information De-identification Measures” (the “Guidelines”) and the “Comprehensive Guide to Data Protection and Privacy Laws and Regulations” (the “Comprehensive Guide”).
By specifying (i) the criteria, procedures, and methods of de-identification measures necessary for utilizing big data, and (ii) the criteria for determining what qualifies as personal information, the Guidelines and the Comprehensive Guide seek to reduce much of the existing ambiguity associated with the concepts of “personal information” and “de-identification,” and are laying the foundation for utilizing big data and promoting the security of personal information in Korea. Hence, companies with an interest in big data-related businesses should find the Guidelines and the Comprehensive Guide of interest. In addition, with the increased clarity provided by the Comprehensive Guide with respect to the previously-ambiguous concept of ‘personal information’, business entities involved in the handling of personal information now have a need to double check if the information they are handling indeed constitutes “personal information” under Korean law, and, if so, whether they are implementing necessary measures accordingly.
|
| 1. Key Provisions of the Guidelines
|
| (1) Consolidation of the criteria and procedures for de-identification measures
|
| To ensure their practical effectiveness, the Guidelines will apply uniformly across the board to various entities that are subject to Korea’s data protection and privacy laws such as the Personal Information Protection Act (“PIPA”), the Act on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”), the Utilization and Protection of Credit Information Act (“Credit Information Act”), and the Medical Service Act. Any prior government-sponsored publications on personal information de-identification measures such as manuals, guidebooks, and guidelines were all repealed on June 30, 2016 and were replaced by the Guidelines on July 1, 2016.
|
| (2) Establishment of clear criteria for personal information de-identification measures
|
| The Guidelines classify personal information de-identification measures into four stages -- e.g., “‘pre-evaluation,” “de-identification measures,” “adequacy assessment,” and “ex post facto management” -- and provide detailed guidance on the recommended measures and considerations to be made for each stage. |
 |
1st Stage: Pre-evaluation |
| |
This stage determines whether the subject data can be classified as personal information. If it is clear that the subject data is not personal information, then the information may be used without having to take any additional measures. |
|
2nd Stage: De-identification Measures |
| |
Once the subject data is determined to constitute personal information, certain measures that delete or substitute all or parts of the personally identifiable elements within the personal information must be implemented, so that the specific individual is no longer identifiable from the de-identified information. The Guidelines provide detailed explanations regarding the processing methods for identifiers/attribute values, the five (5) types of de-identification methods (pseudonymization, aggregation, data reduction, data suppression, data masking), and the seventeen (17) specific techniques for implementing the five (5) de-identification methods in practice. |
|
3rd Stage: Adequacy Assessment |
| |
In this stage, an assessment is made as to whether the subject data which has passed through the first two stages can still be easily combined with other information to identify a specific individual. The Guidelines prescribe detailed rules on the persons to perform the assessment, and the methods and standards for the assessment, and the highlights of these rules and standards are as follows: |
| |
- The adequacy assessment must be performed by a “Task Force to Assess the Adequacy of De-Identification Measures” (the “Assessment TF”). The Assessment TF will be comprised of at least three members with the relevant expertise (the majority of whom must be from outside the entity that handles the personal information (“Data Handler”)), and will be recommended and appointed by the privacy officer of the Data Handler.
|
| |
- The Assessment TF will assess the adequacy of the de-identification measures by examining various information provided by the Data Handler, such as a description of the subject data, the implementation status of de-identification measures, and the management proficiency of the Data Handler. Among all the privacy protection models, k-anonymity will be applied with priority as the assessment standard. |
|
4th Stage: Ex Post Facto Management |
| |
The Guidelines prescribe detailed ex post facto management measures designed to ensure that the de-identified information does not become re-identifiable during the course of follow-on data processing. Such measures include (i) the implementation of technical and managerial safeguards for the secure management of the de-identified information, (ii) regular monitoring that can detect changes in the possibility of re-identification due to changes in internal factors and the external environment, (iii) inclusion of provisions addressing issues regarding the re-identification risk management and the suspension of processing and destruction of the information in the event that the information becomes re-identifiable when entering into agreements with a third party for the provision of the de-identified information or outsourcing of the processing of the de-identified information. |
|
| (3) Regulations on the Handling of De-Identified Information
|
| Though any de-identified information which has passed the Adequacy Assessment stage (3rd stage of de-identification measures) is presumed not to be personal information any more, and any information that is presumed not to be personal information may be used and provided to third parties without obtaining the data subject’s further consent, the Data Handler must still implement certain safeguards in order to prevent re-identification. The foregoing presumption implies that, while such de-identified information will not initially be considered personal information, it will be viewed as personal information if any evidence is discovered to the contrary. |
| (4) Operation of Specialized Agencies to Support Personal Information De-identification Measures (such agencies to be established by August 2016)
|
|
Personal Information De-identification Support Center (Korea Internet & Security Agency, “KISA”): The Personal Information De-identification Support Center will be responsible for establishing guidelines for the operation of specialized agencies for each sector and monitoring compliance therewith, managing and training the pool of Assessment TF candidates for each sector, and updating and supporting the implementation of the Guidelines. |
|
Specialized agencies for each sector (each relevant government agency): Each relevant government agency will designate, announce, and operate one or more of the following organizations as a specialized agency for the sector(s) the agency is responsible for: KISA, Korea Credit Information Services, Financial Security Institute, Social Security Information Service, and National Information Society Agency. Specialized agencies are expected to support the combination of databases from different Data Handlers in the respective sectors through the use of temporary surrogate keys. |
| (5) Sanctions for Re-identifying De-identified Information
|
| The Guidelines explicitly state that the re-identification of previously de-identified information and its further use/provision to third parties will be deemed as the use/provision of personal information for a purpose other than for which consent was granted (“Data Use/Provision Beyond Consented Purposes”), and that the failure to immediately destroy re-identified information is punishable as the collection of personal information without obtaining the data subject’s proper consent.
|
|
※ Data Use/Provision Beyond Consented Purposes may result in imprisonment of up to five (5) years or a criminal fine of up to KRW 50 million (approximately USD 42,000) under the PIPA. If the Network Act is applicable, an additional penalty surcharge of up to 3% of the relevant annual turnover in Korea may also be imposed. Meanwhile, the collection of personal information without obtaining consent may result in an administrative fine of up to KRW 50 million (approximately USD 42,000) under the PIPA. If the Network Act is applicable, the violator may be subject to imprisonment of up to five (5) years or a criminal fine of up to KRW 50 million (approximately USD 42,000), plus an additional penalty surcharge of up to 3% of the relevant annual turnover in Korea.
|
|
|
| 2. Key Provisions of the Comprehensive Guide
|
The Comprehensive Guide explicitly states that the concepts of “personal information” and “de-identified information” set forth in the Comprehensive Guide are to be uniformly applied to all relevant data protection laws and regulations. In addition, because it is presumed that de-identified information does not constitute personal information under the PIPA, de-identified information will not be viewed under the Comprehensive Guide as “personal credit information” or “personally identifiable information,” each as defined under the Credit Information Act.
The Comprehensive Guide sets forth the specific criteria for determining what qualifies as personal information by listing several conceptual elements of personal information and enhances the clarity and predictability of the concept of personal information through the use of various examples. What is noteworthy is that the Comprehensive Guide clearly explains “information that can identify a specific individual” and “information that can be easily combined with other information to identify a specific individual.”
|
|
Regarding the meaning of “information that can identify a specific individual,” the Comprehensive Guide explains that the “subject data shall be deemed to be personal information if the specific individual can be identified when considering the methods that are reasonably likely to be utilized by the Data Handler.” As such, the viewpoint of the Data Handler is expressly stated as the applicable standard when determining if the subject data is personal information. In addition, regarding the meaning of “easily combined with other information to identify a specific individual,” the Comprehensive Guide explains that the information that can be used for such combination is limited to legally obtainable information. Further, if unreasonable levels of cost and efforts are required to combine such information, then it will not be deemed to be “the information that can be easily combined with other information to identify a specific individual.” |
| 3. Future Outlook and Implications |
A. Active Utilization of Big Data Expected
Now that the concepts of de-identified information and personal information have been clarified and it has become legally possible for companies to utilize their respective de-identified information, business activities will likely increase significantly in Korea’s big data market. In other words, the big data market in Korea is expected to pick up visibly as much of the regulatory uncertainty and restraints that burdened big data users has been lifted.
B. Advance Preparations Required Prior to Implementation of De-identification Measures
In order to implement the de-identification measures that have been specified in the Guidelines, it is essential to obtain a firm understanding of the methods and specific techniques of de-identification measure, and of the concept of personal information (which is provided in the Comprehensive Guide). Furthermore, because the Assessment TF must be provided with basic information on the nature/content of the subject data, the implementation status of de-identification measures, and the management proficiency of the Data Handler, an internal system must be established to ensure the timely and accurate preparation of the foregoing information in advance. Since personal information can now be used more freely and in more extensive ways than before, Data Handlers will find it necessary to commensurately strengthen their ability to control the processing of personal information, especially internally.
C. New Personal Information Compliance Framework Required
The Guidelines require Data Handlers to implement strict ex post facto safeguards in order to ensure that de-identified information does not become re-identifiable during the course of follow-on data processing. The Guidelines explicitly state that sanctions may be imposed on Data Handlers when the information becomes re-identifiable and used/processed by the data Hander, and that the sanctions will be as stringent as those applicable to cases involving collection of personal information without proper consent or Data Use/Provision Beyond Consented Purposes
As continuous monitoring is required to assess the possibility of re-identification, a more systematic and permanent monitoring and response system -- which can comprehensively take into account the individual characteristics of each item of information, and changes in both internal factors and the external environment that will affect the possibility of de-identification -- will likely be required. Such a system will stand in contrast to previous personal information compliance systems which focused on placing restraints on Data Use/Provision Beyond Consented Purposes, ensuring compliance with prescribed destruction deadlines, and establishing technical/managerial safeguards to prevent data leaks.
Introduction to Lee & Ko’s DPP team and contact information
Lee & Ko’s DPP (Data Protection and Privacy) team consists of the largest number of personal information protection specialists and data privacy professionals in Korea who provide a wide range of legal services in the areas of personal information protection by corporations, administrative investigations, proactive and ex post facto counteractions against hackings, and litigation. Recent additions to Lee & Ko’s DPP team include attorneys Jongsoo (Jay) Yoon, former head of Shin & Kim’s TMT team, and Sung Hee Chae, a renowned data privacy expert formerly of Samsung Electronics. For further information or questions regarding this newsletter, please contact Kwang Bae Park (kwangbae.park@leeko.com, +82-2-772-4343) or Sung Hee Chae (sunghee.chae@leeko.com, +82-2-6386-6622).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| For more information pertaining to this newsletter, please contact located on the right. |
|
The Lee&Ko Legal Newsletter is provided for general information purposes only and should not be considered as the considered as the rendering of legal advice for any specific matter. If you no longer wish to receive our newsletter service, please click here or reply to this email stating UNSUBSCRIBE in the subject line. The contects and opinions expressed in the Lee&Ko Legal Newsletter are protected by law against any unauthorized use.
|
|
