PIPA’s misguided derogation on pseudonymized data puts privacy at risk

Open Net Korea urgently demands that the recently amended data protection law of the country the Personal Information Protection Act (PIPA) be amended again especially in Article 28-7 which derogates data subjects’ rights on pseudonymized data without any justification.

The purpose of the recent amendment in February 2020 was to benchmark GDPR in allowing non-consensual use of personal data for public purposes such as public interest arching, scientific research, and statistics (“ARS” hereinafter) as enshrined in Article 28-2 (see below). Now, GDPR allows derogation of data subjects’ other rights such as rights to inspection, rectification, restricted processing, op-out, etc., in Article 89 Para. 2 for the purpose of the ARS processing lest data subjects’ exercise of those rights may frustrate ARS purposes that justify the non-consensual use.  However, Korea’s February amendment derogates a broad spectrum of the data subject’s ancillary rights as follows as soon as the data are pseudonymized regardless for what purpose it has been pseudonymized:

• Rights to receive notification of processing on third-party-collected data (Article 20)
• Right to destruction of unnecessary data (Article 21)
• Right to object to transfer due to business transfer (Article 27)
• Right to receive data breach notification (Article 34)
• Right to inspect personal data (Article 35)
• Right to rectification or erasure (Article 36)
• Right to suspension of processing(Article 37 )
• Enhanced right to breach notification for ICT data controllers (Article 39-4: “24 hours”)
• Enhanced right to destruction of unnecessary data by ICT data controllers (Article 39-6: “within 1 year”)
• Right to withdraw consent from ICT data controllers (Article 39-7)
• Right to periodic notice of use history from ICT data controllers(Article 39-8 ) (See below the texts of all the provisions.)

All these rights can be suppressed by simply pseudonymizing the data even without any ARS purpose that would have justified derogation of the rights in the GDPR context.  In other words, a telco can reject all the requests of the customers to exercise these rights by can simply storing all the personal data of its customers in pseudonymized form and entrusting the re-identification keys with a third party.

What is ironic, the government, after sensing the aforementioned risk to data subjects, instead of amending the law, chose to restrict pseudonymization severely through extra-statutory means by mandating various prerequisites to pseudonymization. These restrictions contrast to GDPR, which recommends and strongly encourages pseudoymization to all data controllers of all personal data as methods to protect data subjects’ privacy and abate the possible damage in event of data breach (Article 32, Article 40).  In the same spirit, Korea’s own data protection regulation requires National Identification Numbers to be stored in encrypted (and therefore pseudonymized) form (Article 7 of Korea’s Standard of Measures to Procure Safety of Personal Data).

In the end, data controllers are discouraged from pseudonymizing, leaving much personal data vulnerable in event of breach, and once personal data is pseudonymized, data subjects’ rights are severely restricted even when their data are not used for any public purpose such as ARS.  At all times, data protection rights suffer without any justification.

Back in April 2020, Open Net Korea demanded that the newly amended PIPA be amended in 3 ways to live up to its promise of instituting GDPR’s golden standard: (1) amendment of Article 28-7 so that derogation of ancillary rights takes place only in event of ARS processing; (2) segregation between the holder of re-identification keys and the holder of attribute data throughout the process of combining two databases; and (3) adding requirement of “publication” to the definition of “scientific processing”.  The government has answered positively to point (2) of the demand through the September 1, 2020 announcement of Personal Information Protection Commission’s Rule on Combination of Pseudonymized Data.  It is now time for the government to answer on the remaining two points.

Article 28-7 (Scope of Application)

Articles 20, 21, 27, 34 (1), 35 through 37, 39-3, 39-4, 39-6 through 39-8 shall not apply to the pseudonymized information.

[This Article Newly Inserted by Act No. 16930, Feb. 4, 2020]

Article 20 (Notification on Sources, etc. of Personal Information Collected from Third Parties)

(1)	When a personal information controller processes personal information collected from third parties, the personal information controller shall immediately notify the data subject of the following matters at the request of such data subject:

1.	The source of collected personal information;

2.	The purpose of processing personal information;

3.	The fact that the data subject is entitled to demand suspension of processing of personal information, as prescribed in Article 37.

(2)

Notwithstanding paragraph (1), when a personal information controller satisfying the criteria prescribed by Presidential Decree taking into account the types and amount of processed personal information, number of employees, amount of sales, etc., collects personal information from third parties and processes the same pursuant to Article 17 (1) 1, the personal information controller shall notify the data subject of the matters referred to in paragraph (1): Provided, That this shall not apply where the information collected by the personal information controller does not contain any personal information, such as contact information, through which notification can be given to the data subject.<Newly Inserted by Act No. 14107, Mar. 29, 2016; Act No 16930, February. 4, 2020>

(3)	Necessary matters in relation to the time, method, and procedure of giving notification to the data subject pursuant to the main sentence of paragraph (2), shall be prescribed by Presidential Decree.<Newly Inserted by Act No. 14107, Mar. 29, 2016>

(4)	Paragraph (1) and the main clause of paragraph (2) shall not apply to any of the following circumstances: Provided, That this shall be the case only where it is manifestly superior to the rights of data subjects under this Act:<Amended by Act No. 14107, Mar. 29, 2016>

1.	Where personal information, which is subject to a notification request, is included in the personal information files referred to in any of the subparagraphs of Article 32 (2);

2.	Where such notification is likely to cause harm to the life or body of any other person, or unfairly damages the property and other interests of any other person.

 

Article 21 (Destruction of Personal Information)

(1)

A personal information controller shall destroy personal information without delay when the personal information becomes unnecessary owing to the expiry of the retention period, attainment of the purpose of processing the personal information, etc.: Provided, That this shall not apply where the retention of such personal information is mandatory by other statutes.

(2)	When a personal information controller destroys personal information pursuant to paragraph (1), necessary measures to prevent recovery and revival shall be taken.

(3)	Where a personal information controller is obliged to retain, rather than destroy, personal information pursuant to the proviso to paragraph (1), the relevant personal information or personal information files shall be stored and managed separately from other personal information.

(4)	Other necessary matters, such as the methods to destroy personal information and its destruction process, shall be prescribed by Presidential Decree.

Article 27 (Limitation to Transfer of Personal Information following Business Transfer, etc.)

(1)	A personal information controller shall notify in advance the data subjects of the following matters in the manner prescribed by Presidential Decree in the case of transfer of personal information to a third party owing to the transfer of some or all of his or her business, a merger, etc.:

1.	The fact that the personal information will be transferred;

2.	The name (referring to the company name in case of a legal person), address, telephone number and other contact information of the recipient of the personal information (hereinafter referred to as “business transferee, etc.”);

3.	The method and procedure for withdrawing consent if the data subject does not wish his or her personal information to be transferred.

(2)

Upon receiving personal information, the business transferee, etc. shall, without delay, notify data subjects of the fact in the manner prescribed by Presidential Decree: Provided, That this shall not apply where the personal information controller has already notified the data subjects of the fact of such transfer pursuant to paragraph (1).

(3)

Upon receiving personal information owing to business transferee, etc., a merger, etc., the business transferee may use, or provide a third party with, the personal information only for the initial purposes dating to the time of the transfer. In such cases, the business transferee shall be deemed the personal information controller.

Article 34 (Data Breach Notification) (1)

A personal information controller shall notify data subjects of the following matters without delay when the personal information controller becomes aware their personal information has been divulged:

1.	Particulars of the personal information divulged;

2.	When and how personal information has been divulged;

3.	Any information about how the data subjects can minimize the risk of damage from divulgence, etc.;

4.	Countermeasures taken by the personal information controller and remedial procedure;

5.	Help desk and contact points for the data subjects to report damage.

 

Article 35 (Access to Personal Information)

(1)	A data subject may request access to his or her own personal information, which is processed by a personal information controller, from the personal information controller.

(2)

Notwithstanding paragraph (1), where a data subject intends to request access to his or her own personal information from a public institution, the data subject may request such access directly from the said public institution, or indirectly via the Protection Commission, as prescribed by Presidential Decree.<Amended by Act No. 11690, Mar. 23, 2013; Act No. 12844, Nov. 19, 2014; Act No. 14839, Jul. 26, 2017; Act No 16930, February. 4, 2020>

(3)

Upon receipt of a request for access filed under paragraphs (1) and (2), a personal information controller shall grant the data subject access to his or her own personal information within the period prescribed by Presidential Decree. In such cases, if there is any justifiable ground not to permit access during such period, the personal information controller may postpone access after notifying the relevant data subject of the said ground. If the said ground ceases to exist, the data subject shall be permitted to access the personal information without delay.

(4)	In any of the following cases, a personal information controller may limit or deny access after it notifies a data subject of the cause:

1.	Where access is prohibited or limited by Acts;

2.	Where access may cause damage to the life or body of a third party, or unjustified infringement of property and other interests of any other person;

3.	Where a public institution has grave difficulties in performing any of the following duties:

(a)	Imposition, collection or refund of taxes;

(b)

Evaluation of academic achievements or admission affairs at the schools of each level established under the Elementary and Secondary Education Act and the Higher Education Act, lifelong educational facilities established under the Lifelong Education Act, and other higher educational institutions established under other Acts;

(c)	Testing and qualification examination regarding academic competence, technical capability and employment;

(d)	Ongoing evaluation or decision-making in relation to compensation or grant assessment;

(e)	Ongoing audit and examination under other Acts.

(5)	Necessary matters in relation to the methods and procedures to file access requests, to limit access, to give notification, etc. pursuant to paragraphs (1) through (4) shall be prescribed by Presidential Decree.

Article 36 (Rectification or Erasure of Personal Information)

(1)

A data subject who has accessed his or her personal information pursuant to Article 35 may request a correction or erasure of such personal information from the relevant personal information controller: Provided, That the erasure is not permitted where the said personal information shall be collected by other statutes.

(2)

Upon receipt of a request by a data subject pursuant to paragraph (1), the personal information controller shall investigate the personal information in question without delay; shall take necessary measures to correct or erase as requested by the data subject unless otherwise specifically provided by other statutes in relation to correction or erasure; and shall notify such data subject of the result.

(3)	The personal information controller shall take measures not to recover or revive the personal information in case of erasure pursuant to paragraph (2).

(4)	Where the request of a data subject falls under the proviso to paragraph (1), a personal information controller shall notify the data subject of the details thereof without delay.

(5)	While investigating the personal information in question pursuant to paragraph (2), the personal information controller may, if necessary, request from the relevant data subject the evidence necessary to confirm a correction or erasure of the personal information.

(6)	Necessary matters in relation to the request of correction and erasure, notification method and procedure, etc. pursuant to paragraphs (1), (2) and (4) shall be prescribed by Presidential Decree.

Article 37 (Suspension of Processing of Personal Information)

(1)

A data subject may request the relevant personal information controller to suspend the processing of his or her personal information. In such cases, if the personal information controller is a public institution, the data subject may request the suspension of processing of only the personal information contained in the personal information files to be registered pursuant to Article 32.

(2)

Upon receipt of the request under paragraph (1), the personal information controller shall, without delay, suspend processing of some or all of the personal information as requested by the data subject: Provided, That, where any of the following is applicable, the personal information controller may deny the request of such data subject:

1.	Where special provisions in other laws so require or it is inevitable to observe legal obligations;

2.	Where access may cause damage to the life or body of a third party, or unjustified infringement of property and other interests of any other person;

3.	Where the public institution cannot perform its work as prescribed by any Act without processing the personal information in question;

4.	Where it is impracticable to perform a contract such as the provision of services as agreed upon with the said data subject without processing the personal information in question, and the data subject has not clearly expressed the desire to terminate the agreement.

(3)	When denying the request pursuant to the proviso to paragraph (2), the personal information controller shall notify the data subject of the reason without delay.

(4)	The personal information controller shall, without delay, take necessary measures including destruction of the relevant personal information when suspending the processing of personal information as requested by data subjects.

(5)	Necessary matters in relation to the methods and procedures to request the suspension of processing, to deny such request, and to give notification, etc. pursuant to paragraphs (1) through (3) shall be prescribed by Presidential Decree.

 

Article 39-3 (Special Provisions on Consent to the Collection and Use of Personal Information)

(1)	Notwithstanding Article 15 (1), an information and communications service provider who intends to collect and use personal information of users shall notify users of the following matters and obtain consent therefor. The same shall apply when changes are made for the following matters:

1.	The purpose of the collection and use of personal information;

2.	Particulars of personal information to be collected;

3.	The period for retaining and using personal information.

(2)	An information and communications service provider may collect and use personal information of users without their consent under paragraph (1) in any of the following cases:

1.

Where the information is necessary in implementing a contract for provision of information and communications services (referring to the information and communications services defined in Article 2 (1) 2 of the Act on Promotion of Information and Communications Network Utilization and Information Protection; hereinafter the same shall apply), but it is clearly difficult to obtain ordinary consent for economic and technical reasons;

2.	Where the information is necessary to calculate fees for the provision of information and communications services;

3.	Where special provisions in other laws so require.

(3)

No information and communications service provider shall reject the provision of services for the reason that a user does not provide his/her personal information beyond the minimum personal information required. The minimum personal information refers to information that is necessary for the performance of the fundamental functions of the services.

(4)

An information and communications provider who intends to obtain consent from children aged under 14 for the collection, use and provision of personal information shall obtain such consent from his/her legal representative and confirm whether the legal representative has granted consent as prescribed by the Presidential Decree.

(5)	An information and communications provider shall, when notifying children aged under 14 of matters relating to the processing of personal information, use understandable forms and plain and readily comprehensible language.

(6)	The Protection Commission shall take measures to protect the personal information of children aged under 14 who may not clearly understand matters such as the risks and results of personal information processing and users’ rights.

[This Article Newly Inserted by Act No. 16930, Feb. 4, 2020]

Article 39-4 (Special Cases on the Notification and Reporting on the Divulgence of Personal Information)

(1)

Notwithstanding Article 34 (1) and (3), information and communications service provider and a person who receives personal information of users therefrom pursuant to Article 17 (1) (hereinafter referred to as “information and communications service provider, etc.”) shall notify the relevant users of the following matters without delay upon becoming aware that their personal information has been lost, stolen or divulged (hereinafter referred to as “divulgence, etc.”), report such case to a specialized institution prescribed by the Protection Commission or Presidential Decree, and shall notify the users or report that matter not later than 24 hours since he or she became aware of such fact, without a justifiable reason: Provided, That if there is a justifiable reason such as users’ contact number being unknown, other measures may be taken in lieu of notification as prescribed by Presidential Decree:

1.	Particulars of the personal information divulged, etc.;

2.	The time when the personal information has been divulged, etc.;

3.	Any measure that users can take;

4.	Countermeasures to be taken by of the information and communications service provider, etc.;

5.	Department and contact points to which the user can apply for consultation.

(2)	A specialized institution prescribed by Presidential Decree which receives a report pursuant to paragraph (1) shall notify the Protection Commission of the case without delay.

(3)	An information and communications service provider, etc. shall explain any justifiable reason pursuant to paragraph (1) to the Protection Commission.

(4)	Necessary matters in relation to the methods and procedures of notification and reporting under paragraph (1) shall be prescribed by the Presidential Decree.

[This Article Newly Inserted by Act No. 16930, Feb. 4, 2020]

Article 39-6 (Special Cases on the Destruction of Personal Information)

(1)

Information and communications service provider, etc. shall take necessary measures as prescribed by Presidential Decree such as destruction to protect the personal information of users who have not used information and communications services for one year: Provided, That, if the period is designated otherwise by other statutes or at the request of the user, the designated period shall apply.

(2)

Information and communications service provider, etc. shall notify users of matters prescribed by Presidential Decree such as the fact that their personal information will be destroyed, the expiration date, and the particulars of personal information to be destroyed by a method prescribed by Presidential Decree such as e-mail, at least 30 days prior to the expiration of the above designated period.

[This Article Newly Inserted by Act No. 16930, Feb. 4, 2020]

Article 39-7 (Special Cases on Users’ Rights)

(1)	Users may withdraw consent to the collection, use and provision of personal information at any time from information and communications service provider, etc.

(2)	Information and communications service providers, etc. must make it easier for users to request to withdraw their consent under paragrah (1), to access their information under Article 35, and to rectify under Article 36 than to give consent to the collection of their personal information.

(3)	Once a user withdraws his or her consent pursuant to paragraph (1), the information and communications service provider, etc. shall take necessary measures without delay such as destroying the information to such an extent that it is not recoverable or revivable.

[This Article Newly Inserted by Act No. 16930, Feb. 4, 2020]

Article 39-8 (Notification of the Use History of Personal Information)

(1)

Information and communications service provider, etc. meeting standards prescribed by President Decree shall notify users of the use history of their personal information collected pursuant to Articles 23 and 39-3 (including provision pursuant to Article 17) on a regular basis: Provided, That this shall not apply where the collected information does not include a contact number, etc. that enables notification to users,

(2)	The type of information to be notified to users under paragraph (1), the types of information to be notified, the frequency and method of notification, and other matters necessary for the notification of the details shall be determined by Presidential Decree.

[This Article Newly Inserted by Act No. 16930, Feb. 4, 2020]