K.S. Park spoke at the launch event of a book covering seven Asian countries on data innovation and data protection on November 22 as follows:
Friction between privacy and innovation is often deemed obvious. Data is good, and data is enabler. Data is not just the next new oil but better than that because its supply is not limited. Use of too much data threatens privacy and data protection law has been proposed and implemented as solution, which puts many hindrances on use of personal data.
However, many tend to forget the original purpose of data protection, which is privacy. Mechanistic understanding of data protection law often percolates as the concept of data ownership. If its coverage is tailored to the purpose of privacy,
data protection does not have to be data ownership and a balance between privacy and data protection can be struck.
For the Korea chapter of this report, we looked at two examples of such balance: pseudonymized data and COVID contact tracing
Korea adopted the GDPR concept of pseudonymized data, which is based on the assumption that people are willing to share data about themselves for publicly beneficial purposes as long as data are not traced to them. So, pseudonymized data itself embodies a lesson that data protection does not need be data ownership. It is a good experiment.
However, the legislative process of introducing it into Korea suffered much from a bitter dispute between civil society and the legislature, and ended up with a non-sensical law burdened with a flat ban on reidentification of pseudonymized data. The problem was that the data thus permanently un-identifiable were indistinguishable from anonymous data, and the data controllers could not protect other data subjects’ rights such as right to access, right to deletion, right to object to data processing, etc, that apply post-collection. At the expense of these rights, the law policed too strictly on re-identification. One may say that the law sacrificed post-collection rights in favor of pre-collection rights, the focus of which seems to originate from the concept of data ownership.
COVID contact tracing in Korea is the only country that implemented non-consensual. People are willing to give up control over their data for the purpose of public interest, e.g., COVID mitigation., just as they are willing to give up control for scientific research, historical research, etc.
The fundamental question here is: How should privacy be protected against governmental intrusion outside the context of criminal investigation? Should it be subject to the ordinary requirements of due process? Due process requires pre-restriction hearings, which have been simplified to warrant hearings in criminal investigation purposes. How about for administrative purposes?
The overall takeaway is the need to engage in nuanced debates over various contexts instead of committing to ownership-like control on hand and the focus on data innovation on the other.