Current Adoption of Pseudonymized Data Does Not Meet GDPR Standard

by | Apr 8, 2020 | Press Release, Privacy | 0 comments

What supplants consent is not pseudonymization but a public purpose of further processing.

Scientific research should require publication and sharing of the results.

Re-identification keys and attributes data must be segregated at all times. 

On February 4, 2020, Personal Information Protection Act was amended with the clear intent to adopt GDPR’s provisions allowing “further processing(i.e., processing not consented to by data subjects)” for public interest archiving, scientific research, and statistics (“ARS”) without data subjects’ specific consent.  However, the following important points of protections for data subjects were amiss in the amendment.

Firstly, the definition of ‘scientific research’ does not elaborate on its public purpose. GDPR still defines pseudonymized data as personal data and therefore generally subjects it to the data subjects’ consent for further processing but makes exceptions only for ARS processing. What justifies such exception is an expectation that the results of the research will be shared with and therefore benefit the society at large.  Such expectation was anchored by Recital 159 of GDPR (see below) which requires ‘scientific research’ to be defined with a view to commitment to “European Research Area” in which knowledge is freely shared.  Korea’s PIPA does not have any textual anchor for such expectation.  Nothing in the law prevents data controllers from trying to justify non-consensual diversion of personal data for research benefitting only themselves, frustrating the balance between the non-consensual use and the public interest.

Secondly, GDPR and EU member countries’ data protection laws exempt data subjects’ consent for further processing on the basis of public purposes such as ARS and requires pseudonymization as added safety measures in such non-consensual processing. Korea’s PIPA also allows only pseudonymized data to be used for non-consensual ARS processing. However, in another provision, Korea’s PIPA derogates data subjects’ other rights such as right to inspection, rectification, erasure, and opt-out as long as the data are pseudonymized regardless of for what purpose data were pseudonymized. This opens a dangerous opportunity to data controllers to bypass data subjects’ rights for no ARS or other public purposes.  Although “further processing” will still require ARS purposes, whether such further processing is being adequately administered cannot be monitored or checked by data subjects because they do not have these ancillary rights such as inspection and opt-out.  It is for this reason that other civil society organizations are describing the PIPA amendment as authorizing ‘sale of personal data’.

Thirdly, Korea’s PIPA, unlike GDPR, puts a special type of further processing under public control:  linkage of two or more data bases.  Under the new law, such linkage can be administered by publicly licensed bodies. However, the law is not requiring the linking agency to forbear from holding re-identification keys. In other words, as to the linking agencies, personal data will not be pseudonymous since they can readily re-identify the otherwise pseudonymized data.  This is the reason why the prevailing European data linkage practices require segregation of the re-identification key holders and the holders of attribute data.  PIPA’s new enforcement decree of March 31 does not  solve this problem, either.

If the new law is to strike the right balance between privacy protection and use of personal data, using GDPR as the golden standard, we must solve these three (3) points.

Recital 159 of GDPR

Where personal data are processed for scientific research purposes, this Regulation should also apply to that processing. 2For the purposes of this Regulation, the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. 3In addition, it should take into account the Union’s objective under Article 179(1) TFEU of achieving a European Research Area. 4Scientific research purposes should also include studies conducted in the public interest in the area of public health. 5To meet the specificities of processing personal data for scientific research purposes, specific conditions should apply in particular as regards the publication or otherwise disclosure of personal data in the context of scientific research purposes. 6If the result of scientific research in particular in the health context gives reason for further measures in the interest of the data subject, the general rules of this Regulation should apply in view of those measures.

Section 1 in article 179 of the Treaty on the Functioning of the European Union states the following:

The Union shall have the objective of strengthening its scientific and technological bases by achieving a European research area in which researchers, scientific knowledge and technology circulate freely, and encouraging it to become more competitive, including in its industry, while promoting all the research activities deemed necessary by virtue of other Chapters of the Treaties.


Submit a Comment

Your email address will not be published. Required fields are marked *