On June 30, 2016 the South Korean government announced the Guidelines on Personal Data De-identification Measures and the Comprehensive Guide to Data Protection and Privacy Laws and Regulations (collectively, the “Guidelines”). Prior to the announcement of these Guidelines, the use and transfer of personal data for purposes other than those consented to by the data subject was considered to be nearly impossible due to rigid and complex data protection laws in South Korea and the general ambiguity associated with the concept of personal data.
By specifying the criteria, procedures, and methods of de-identification measures and the criteria for determining what qualifies as personal information, the Guidelines seek to facilitate the utilisation of de-identified personal data under the data protection laws in South Korea.
Key provisions of the guidelines
In this section, we examine the key provisions of the new guidelines which serves to assist organizations in understanding and establishing proper methods for protecting and using personal information under the data protection laws in South Korea.
 Establishment of clear criteria for personal data de-identification measures
The Guidelines classify personal data de-identification measures into four stages – e.g., “‘pre-evaluation,” “de-identification measures,” “adequacy assessment,” and “ex post facto management” and provide detailed guidance on the recommended measures and considerations to be made for each stage.
- 1st Stage: Pre-evaluation
This stage determines whether the subject data can be classified as personal information. If it is clear that the subject data is not personal information, then the information may be used without having to take any additional measures.
- 2nd Stage: De-identification measures
Once the subject data is determined to constitute personal information, certain measures that delete or substitute all or parts of the personally identifiable elements within the personal data must be implemented, so that a specific individual can no longer be identified from the de-identified information. Such measures include pseudonymisation, aggregation, data reduction, data suppression and data masking.
- 3rd Stage: Adequacy assessment
In this stage, an assessment is made as to whether the subject data which has passed through the first two stages can still be easily combined with other information to identify a specific individual. The Guidelines prescribe detailed rules on the persons to perform the assessment, and the methods and standards for the assessment, and the highlights of these rules and standards are as follows:
- The adequacy assessment must be performed by a “Task Force to Assess the Adequacy of De-Identification Measures” (the “Assessment TF”). The Assessment TF will be comprised of at least three members with the relevant expertise (the majority of whom must be from outside the data controller, and will be recommended and appointed by the privacy officer of the data controller).
- The Assessment TF will assess the adequacy of the de-identification measures by examining various information provided by the Data Handler, such as a description of the subject data, the implementation status of de-identification measures, and the management proficiency of the Data Handler. The k-anonymity privacy protection model will be primarily used when assessing the adequacy of de-identification measures.
- 4th Stage: Ex post facto management
The Guidelines prescribe detailed ex post facto management measures designed to ensure that the de-identified information does not become re-identifiable during the course of subsequent data processing. Such measures include (i) the implementation of technical and managerial safeguards for the secure management of the de-identified information, (ii) regular monitoring that can detect changes in the possibility of re-identification, and (iii) the inclusion of contractual provisions on re-identification risk management when entering into agreements with a third party for the provision of the de-identified information or outsourcing of the processing of the de-identified information.
 Operation of specialised agencies to support personal data de-identification measures
Personal data De-identification Support Center (Korea Internet & Security Agency, “KISA”): The Personal data De-identification Support Center is responsible for establishing guidelines for the operation of specialised agencies for each sector and monitoring compliance therewith, managing and training the pool of Assessment TF candidates for each sector, and updating and supporting the implementation of the Guidelines.
Specialised agencies for each sector (each relevant government agency): Each relevant government agency designate, announce, and operate one or more of the following organisations as a specialised agency for the sector(s) the agency is responsible for: KISA, Korea Credit Information Services, Financial Security Institute, Social Security Information Service, and National Information Society Agency. Specialised agencies also support the combination of databases from different Data Handlers in the respective sectors through the use of temporary surrogate keys.
 Sanctions for re-identifying de-identified information
The Guidelines explicitly state that the re-identification of previously de-identified information and its further use/provision to third parties will be deemed as the use/provision of personal data for a purpose other than for which consent was granted (“Data Use/Provision Beyond Consented Purposes”), and that the failure to immediately destroy re-identified information is punishable in the same manner as the collection of personal data without obtaining the data subject’s proper consent.
Generally, Data Use/Provision Beyond Consented Purposes may result in imprisonment of up to five (5) years or a criminal fine of up to KRW 50 million (approximately USD 42,000). Meanwhile, the collection of personal data without obtaining consent may result in an administrative fine of up to KRW 50 million (approximately USD 42,000). Please note that in case some sector specific laws apply, the applicable sanction might vary.
 Establishment of clear criteria for what qualifies as personal data
The Guidelines also set forth the specific criteria for determining what qualifies as personal data. Under the data protection laws in South Korea, personal data is defined as data that can identify a specific individual and data that can be easily combined with other data to identify a specific individual. Regarding the meaning of “information that can identify a specific individual,” the Guidelines explain that the “subject data shall be deemed to be personal data if the specific individual can be identified when considering the methods that are reasonably likely to be utilised by the data controller.” As such, the viewpoint of the data controller is expressly stated as the applicable standard when determining if the subject data is personal data. In addition, regarding the meaning of “easily combined with other data to identify a specific individual,” the Guidelines explain that the information that can be used for such combination is limited to legally obtainable information. Further, if unreasonable levels of cost and efforts are required to combine such information, then it will not be deemed to be “the information that can be easily combined with other information to identify a specific individual.”
Future outlook and implications for data protection laws in South Korea
Now that the concepts of de-identified information and personal data have been clarified in terms of data protection laws in South Korea, business activities will likely increase significantly in South Korea’s big data market. However, how to convince the Assessment TF, in particular external expert members, of the adequacy of the de-identification measures will be a major challenge for the companies who wish to apply the de-identification measures as set forth in the Guidelines.