Gargantuan enforcement tasks force South Korean privacy chief Yoon to hit the ground running

Despite a 30-year career in South Korea’s public service, Yoon Jong-in had never imagined himself as the country’s top privacy officer, nor had he expected to be chosen to build a government agency from scratch and provide the groundwork for the country’s data-privacy rules.

Looking back, Yoon is happy to admit that the whirlwind experience that thrust him into the spotlight in 2020 was daunting.

The pressure was just overwhelming, Yoon told MLex in a recent interview. “I had to think about the expectations of the public as well as those of the president, prime minister and other relevant administrative bodies.”

The weight of expectations from the wider population and the challenge of taking on some of the biggest companies in the world were also part of the equation. The Personal Information Protection Commission, or PIPC, was established at a time when South Koreans were becoming increasingly aware of the dangers of their personal information being misused by Big Tech.

Yet, however daunting the task ahead, Yoon was confident about the path the country needed to take to protect individuals' privacy while boosting the use of data by businesses. It was this vision that led him to be chosen to lead the PIPC in the first place.

As for the specific goals, tasks and challenges facing the nascent agency, these involved countless hours of discussions and brainstorming sessions with stakeholders. The PIPC had an urgent priority to develop privacy tools in the Covid-19 pandemic, and an important task to build a blueprint for the agency.

Yet Yoon tells MLex that he feels a sense of accomplishment when looking back over the past 18 months of his agency’s operation.

“For me, it was definitely a challenging task, but at the same time, something that could bring a sense of personal achievement,” Yoon said, during an hour and a half-conversation in his office in the heart of Seoul’s business and cultural district.

Big tasks

The first big task Yoon faced was to build a blueprint for the agency.

“We started setting our goals in August 2020 and completed [the list] in November of the same year. Looking at the goals now, I think they came out fine. They're organized in a way that really sets the basis of our agenda,” he said.

The PIPC, initially established in 2011, had only served as an advisory body but became an independent data-protection authority in August 2020 with the reform of the Personal Information Protection Act. Creating an independent data-protection authority was also a key requirement to prove South Korea offers an equivalent level of data protection as the EU’s General Data Protection Regulation to win an adequacy decision from the EU on cross-border data flows.

He defined the role of the agency as a “control tower” that simultaneously safeguards the protection of personal data and encourages its use by businesses. Yoon said the assignment before him was particularly challenging because the role of the PIPC is to strike the right balance between the protection of the rights of citizens to their personal data and facilitating the use of data in the digital economy.

The Covid-19 pandemic became the first challenge to that balance.

“South Koreans’ attitude towards personal data is ambivalent. They admit that the government needed to collect their data to save lives in the pandemic, but concerns were there too as to whether their data was secured and properly protected,” said Yoon.

From the beginning of the pandemic, the PIPC took part in devising the contact-tracing scheme with the center for disease control to help manage the data safely and prevent misuse of data by the government. It also came up with ways and tools to prevent excessive data collection, such as eliminating the obligation to leave both names and phone numbers when entering a facility and replacing them with individually assigned random numbers.

Robust agency

Yoon envisions the PIPC as a small yet robust organization.

The agency has a staff of 160 and a budget of 50.2 billion won this year, which is about a fifth of the country's communications regulator's yearly budget of 256.1 billion won.

Despite being small in size and budget, the agency has been active in enforcements against companies such as Meta Platform's Facebook and local tech companies, including the controversial AI chatbot developer. From its inception until last year, the agency has announced a total of 324 sanction decisions, imposed 225 corrective orders and imposed fines valued at 16 billion won for violations of the privacy law.

The agency also issued the highest fine of 6.7 billion won on Facebook for illegally sharing data of South Korean users with third-party applications in a probe sparked by the Cambridge Analytica data-privacy scandal in 2018.

The agency's early days were also marked by a particularly challenging case — privacy breaches involving an AI chatbot. The PIPC may be the world’s first privacy watchdog to review such a case.

Yoon recalled the AI chatbot case as one of the most difficult cases he and his commissioners encountered. He said it took “a very careful review” and many rounds of discussions with privacy experts and commissioners because the case was unprecedented and there were concerns the agency’s sanction decision could somehow work in a way that could hamper future AI technology development.

Yoon has already established a reputation for his effective leadership of the nine-member commission.

The overall evaluation of the new privacy chief is that he is a good moderator who gathers the opinions of the commissioners and facilitates discussions to deliver the best results. Because of the makeup of the commission — three members appointed by an opposition party and two by the ruling party — it is destined to have different opinions with different political views.

Mission: Eradicate data abuse

In the face of soaring privacy breaches, the agency recently added 12  investigators to increase its investigative capabilities.

While coping with privacy concerns from evolving technologies, Yoon has also set himself another priority: to eradicate the misuse of citizens’ data by government agencies.

He told MLex he was alarmed by the way people’s data was handled by government officials in the days before a recent murder. A local district official was found to have leaked the home address of a woman to a stalking suspect, who is alleged to have killed her mother and seriously injured her younger brother after getting their address.

“This should not be considered an individual’s fault. We should build a system that could prevent such incidents in the first place,” said Yoon.

This led the PIPC to work on measures that could apply to all government agencies to prevent leaks and misuse of personal data by public agencies.

Going forward, he thinks the agency has an important role to play in realizing a user-centric government service platform that runs on Big Data and digital technologies, the so-called “digital platform government” initiative by president-elect Yoon Suk-yeol, who will take office in May.

“Data is the new oil in the digital economy and our role is to safely process data to be made into useful products,” said Yoon. “In this respect, the PIPC is a refinery in the digital economy.”