
K.S. Park spoke on November 21, 2025 on the flash points of the tension between open data and privacy and a strategy to move forward toward democracy. He described 3 different flash points:
1. Oppressive “data ownership” laws in South Korea – “right to be forgotten”
High government officials are invoking data protection law provisions unique to the country to criminalize journalists and whistleblowers simply because they are using, without consent, the personal data of the officials being reported upon. This was made possible by Korea’s unique DPA provisions that restrict data usage without the usual saving provisions of the otherwise GDPR-like main body of the law. To be specific, ‘legitimate interest’ and ‘public interest’ are not valid bases for data processing under the Korean data protection law. Also, Korean law has an unprecedented extra provision, Article 59, which criminalizes all data transfers without referring to the lawful bases for data processing, which means that any non-consensual mentioning of names risks data protection law prosecution.
Even without the country’s uniquely oppressive provision, mechanistic application of ordinary data protection law can stamp out open data in other countries, as you can see below in the FOIA denials and court judgment database non-disclosure cases of South Korea. The “right to be forgotten” should not be applied to data that was made publicly available through lawful methods. The trend of “data ownership”, i.e., “I own data about myself and therefore can control any speech about me”, has fanned such mechanistic application, but that concept was only a metaphor to emphasize the control that data subjects should be given back, as evidenced by the several non-consensual bases for lawful data processing recognized in GDPR.
2. FOIA denials on the basis of data protection law
In Korea, 30% of FOIA requests are denied on the basis of data protection law even when the data are part of the government records. Data protection laws, including the Korean DPA, recognize statutory permission as one of the lawful bases of data processing. FOIA constitutes such statutory permission. When there are no specific statutory provisions protecting confidentiality, FOIA requests should be accepted unless there is a special need for such confidentiality. However, many FOIA requests are denied simply because the records contain identifiable personal data.
3. Court judgment database and over-protective pseudonymization rules
The pathway out of the open data-privacy tension is anonymization, but over-protectiveness about anonymization can itself be oppressive. The Korean Supreme Court has refused to lift the court judgment database out of the paywall of KRW 1,000 (about USD 0.7 with FX 2025) for simply viewing (not downloading or copying) each case, forcing people to pay hundreds of dollars looking for even a single precedent. The Supreme Court has justified the paywall as defraying the cost of anonymization and has not accepted nearly free, instantaneous AI anonymization because of its error rate, but such over-protectiveness is not consistent with the balanced nature of data protection law.
Such over-protectiveness about anonymization has backfired against privacy. Korea’s DPA absolutely bans re-identification of pseudonymized data without any exception and has therefore made it impossible for data controllers to afford data subjects their other rights, such as the right to access and the right to halt processing, because they cannot lift personal data out of the already pseudonymized data pool without re-identification.

