South Korean Data Protection Outlook:
The Yoon Government's New Approach to South Korea's Data Regulations for Digital Services and Technology
President Yoon's victory in South Korea's presidential election on 9 March 2022 meant sweeping changes to the direction that the Korean government would follow across a number of sectors and industries. The technology, media and telecommunications sector is no exception and within the ambit of this ever evolving sector, data protection and the regulations surrounding this section of the tech industry are also to be amended and tweaked to be in line with the policy statements of President Yoon.
President Yoon's policy statements highlighted the need to support and bolster innovation and R&D in the sectors of AI, digital infrastructure, cyber security, robotics and mobility. One of the key differences of the Yoon government from its predecessor is receptiveness to free market-orientated proposals and arguments for new directions in regulation, policy and enforcement. This opened up the potential for a shift in the regulatory framework for the ever changing digital services, data regulation and technology sectors. This is in line with one of the campaign promises from President Yoon which included a push for deregulation to ease the way for cutting edge technology and business models.
The Ministry of Science, ICT and Future Planning stated in June this year that the government will establish a task force comprised of government officials and private companies to draw up strategies to beef up the digital platform industry and create self-regulation guidelines related to emerging technologies such as data management and artificial intelligence. The Minister of Science, ICT and Future Planning stated, "We will form a pan-government policy consultative body, implement a self-regulation policy and help companies improve their innovation capabilities."
On the crypto exchanges front, the leading crypto exchanges have created plans that could see them form a self-regulating body that could be empowered to take cross-platform decisions on matters like delisting and the suspension of transactions. Although this is still in discussion stage, which includes governmental ministers and regulators from the Financial Services Commission and the Financial Supervisory Service, it does indicate that the government is following through on its policy statements and moving in the direction of self-regulation.
In addition, The Personal Information Protection Commission ("PIPC") announced on 13 July 2022, that ten online shopping platforms have signed public-private partnership agreements for the safe use of personal information. In particular, the PIPC highlighted that it is the first case of self-regulation of public-private cooperation by online platforms, with the relevant platforms representing around 80% of the domestic online shopping market share.
More specifically, the PIPC outlined that the agreements include a requirement by platforms to have a secure authentication method for access by users. Further, the PIPC provided that the agreements include data retention rules, namely that the personal information of users will be masked immediately and, after up to 90 days, the seller will not be able to download purchasers' personal information. In addition, the PIPC noted that the agreements detail that platforms must provide a function to disclose sellers' personal information processing policy, including an obligation to notify users of the duty to destroy and ensure separate storage of personal information of users.
Finally, the PIPC stated that the self-regulatory agreements are effective from the notification of the Korea Online Shopping Association by the PIPC's decision, and apply for two years.
First Session for "Public-Private Cooperated Self-Regulation"
On 29 June 2022, PIPC held the first meeting in regards to its proposal to adopt "Public-Private Cooperated Self-Regulation" for 7 online platform industries, including the following online platforms: open market, delivery, mobility, job searching, hospital appointment, real estate and hotels.
The adoption of this new regulatory scheme is to put a precautionary regulation in place as the existing laws are not able to keep up with the fast-changing and diverse business models of online platforms and business. The direction and intention that PIPC appears to be working towards is that current laws and regulations will still apply, and, added to this, the self-regulation of the businesses taking part in this proposed project will reflect the needs of the participants of the private working group. As this new proposed scheme is at a very early stage, this space will need to be observed to see how this proposal progresses. A summary with regard to this new proposed scheme and the initial take away points from the introductory meeting were as follows:
- According to PIPC, all companies are welcome to join the private working group. The working group will be able to set the detailed self-regulation that will apply to themselves in addition to the existing laws. The self-regulation will be effective after PIPC approval.
- Although participation is voluntary, PIPC may reach out to the bigger players in the market and ask if they want to participate (although this seems to be a request for voluntary participation this could also be interpreted as a directive as it would not be easy for Korean companies to reject such request).
- All the participants are expected to cooperate with PIPC and let them know how their private information is processed and managed internally and what other parties may engage/have access to the information in their business processes.
- For the promotion of this new scheme, as an incentive, PIPC said (1) it will not penalize the participants for any breaches of privacy laws even if they were to find any violation of privacy laws while learning about and collecting information about their business models. In addition, (2) as the participants can reflect their opinions on the self-regulation, it will reduce the risk of ambiguity in applying the privacy law to the participants' business models.
- However, there were concerns expressed that, (1) providing relevant information to PIPC may be demanding and costly; (2) although self-regulation is intended, it may just be an additional regulation, and (3) considering that PIPC is looking forward to applying this new scheme in the second quarter of 2023, the timeline might be pressing and not realistic.
Other areas that we are seeing similar proposals and early indicators of change and a move in the direction of more self-regulation would be in the area of rating requirements for gaming, music videos and movies.
Current Difficulties That Would be Eased with Self-Regulation – Using Rating Requirements as an Example:
With regard to the provision of music video services, for example, by online music service providers, the Music Industry Promotion Act applies, mutatis mutandis, several provisions of the Promotion of the Motion Pictures and Video Products Act ("Movie and Video Act") (Music Industry Promotion Act Article 17(2)) to music videos. According to Article 50(1) of the Movie and Video Act, music videos provided by online music service providers are subject to rating by the Korea Media Rating Board ("KMRB"). Also, Article 53(1), subparagraph 1 of the Movie and Video Act stipulates that no one should provide videos that have not been rated for the viewers. Therefore, by statute, online music providers are obligated to have the music videos rated when it provides those videos to the users, including its rest of world labels.As is blatantly obvious, in practice, it is almost impossible to have every music video rated by the KMRB, not to mention the huge amount of time and resource this would place on the KMRB. In short, this is a prime example of how self-regulation would be a win-win for all involved.
As the current government appears to be backing up its "words" with "actions" and, from the current developments, seems to support the theme of "less regulation", this trend is very encouraging in the digital services, data regulation and technology sectors. As highlighted in the example above, music video rating is a good example and a representative case of unnecessary regulation that cannot keep up with the speed of technological trends, and thus, the Ministry of Culture, Sports and Tourism ("MCST") considerations to change and follow a more self-regulated approach in these sectors is very promising.
Although there is still a long way to go to see exactly how these proposals by the government will be implemented and effected, it is a step in the right direction to breach the gap between regulation that is not in tune or in line with the developments that occur particularly in the sectors where there are constant advancements and technology jumps. For now, however, it is excellent news and a feather in the cap of the new government to be approaching issues in a practical and reasonable manner.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.