On June 30, 2016, various South Korean government agencies including the Korea Communications Commission, the Financial Services Commission, the Ministry of the Interior, the Ministry of Health and Welfare, and the Ministry of Science, ICT and Future Planning promulgated the Guidelines for De-Identification of Personal Information (the "Guidelines"). The Guidelines are effective as of July 1, 2016, and are expected to impact various industries, not limited solely to the IT sector.
With these Guidelines, the relevant government agencies have made their position clear that de-identified data does not fall within the legal scope of "Personal Information" defined under the current personal-information protection laws. The Guidelines are expected to positively impact the use of big data by various industries including the IT, finance (fintech), and medical industries, as the use of de-identified personal information is now clearly allowed without any consent.
The Guidelines set out standards and procedures for the proper de-identification of personal information, particularly in order to reduce any uncertainties involved in the utilization of big data. More specifically, the Guidelines divide the de-identification process into four steps, as follows:
- Pre-Review of the Data: First, it should be determined whether the data in question falls within the legal definition of "Personal Information" or not. If it does not, such data may be utilized without de-identification.
- De-Identification Process: If the data in question is determined to be "Personal Information," various de-identification methods can be used to remove "Personal Information Identifiers" from the data. De-identification methods may include pseudonymization, aggregation, data reduction, data suppression, data masking and more.
- Appropriateness Evaluation: An outside evaluator should objectively evaluate whether such de-identification has been appropriately completed or not, based on the "K-anonymity" model. Upon a positive evaluation, the de-identified data can be used for big-data purposes and provided to other parties.
- Follow-up Actions: It should be ensured that the de-identified data is not abused or misused, and is securely protected with proper managerial and technical security measures.
As there have been concerns in connection with the processing and utilization of big data due to the absence of specific guidance on the appropriate de-identification process, these Guidelines are expected to promote further development of the big-data industry in Korea—which is already rapidly growing—by dispelling legal uncertainties.
However, it is important to comply with the Guidelines and to take proper managerial and technical security measures, as a breach of the Guidelines—especially re-identification of de-identified data and provision of such data to others—may constitute a violation of the relevant personal-information protection laws, which may result in up to 5 years in jail and a maximum fine of KRW 50 million. Also, although the Guidelines seem to loosen the regulations affecting big data, it is still crucial for all business entities in South Korea to comply with the relevant laws and take all necessary steps to securely protect personal information obtained in the course of their business, particularly as the general tendency of personal-information protection laws in South Korea is to get stricter every year.
Originally published in ICT Legal Update 2016.07