New era of data prosperity heralded by South Korea's amended privacy law

In today’s data-driven economy, Big Tech companies have an edge over startups and new players because of the vast troves of user data at their disposal.

Breaking their data-walled gardens has been a long-held ambition of South Korea’s privacy regulator, as it tries to foster data use by companies while safeguarding the privacy of individuals.

That ambition could soon become a reality with the recent passage of legislation that delivers major updates to the country’s privacy regime.

The legislation, when implemented later this year, will bring about a sea change, including a rise in the privacy fine cap, but the most notable change will be the introduction of a new right for individuals to request transmission of their personal information to themselves or third-party data controllers.

It's now just a matter of time until the concept of data portability sweeps over every sector in South Korea, and the explosion of innovation it may spark could be a boon to the country's economy.

For this to go off without a hitch, however, it is imperative that the Personal Information Protection Commission, or PIPC, lays the right foundation.

My data

Data portability, or the right to move data from one platform or service to another, is nothing new. It’s been around for a while in several different places, including the EU and the state of California in the US.

Similarly, in South Korea, the so-called MyData service has been available since January last year, but only in financial and public sectors, enabling companies and institutions to centralize personal data that had previously been spread over several platforms. Recent amendments to the Credit Information Usage and Protection Act and the Electronic Government Act included a data-portability provision that made this feasible.

The approval of the bill earlier this week that laid down the data portability right in the Personal Information Protection Act will soon pave the way for the PIPC to finally extend the service to businesses of all sizes and to all industries.

The purpose of this new right, as often said by the privacy regulator, is to empower data subjects and give them more control over their personal data, with the benefit of a wide range of tailored services that may become available.

More discreetly stated, though, is the goal to disrupt Big Tech’s monopolistic control of data.

The introduction of MyData across all sectors will create fissures in the data stronghold of digital titans, opening the door for a plethora of upstart companies to compete on the strength of their own innovative ideas, said PIPC Chairman Ko Hak-soo during a recent interview with a local media outlet.

That was mostly a reiteration of what his predecessor ,Yoon Jong-in, had said before him, who had cautioned during an interview with MLex that “monopolizing data makes them monopolize the market”.

The big blur

When the legislation goes into effect in the second half of this year, personal data collected by one service can be used in another — with the consent of data subjects — and this will likely enable the development of valuable third-party services.

What this means is, for example, medical exam results, fitness tracker data such as step counts, exercise time, sleep quality and length, data indicating diet such as order histories from food delivery apps and ecommerce sites can all be aggregated on a single platform to provide personalized health services or make recommendations for dietary supplements.

Companies, both large and small, are currently jumping on the data portability bandwagon, forging partnerships with those in different sectors to create groundbreaking new products and services. Still, banks, financial investment businesses, card companies, savings banks and fin tech companies, which got a head start on the MyData service, seem to be at the forefront of these alliances.

Things to consider

Data portability, however, comes with an important caveat: that data breaches will become more likely as the ease of data sharing increases. If a breach were to happen, not only would the PIPC's intention to bolster the rights of data subjects be jeopardized, but so too would be privacy.

Many industry observers have expressed doubt that individuals would fully comprehend the risks associated with data portability before giving consent to data controllers. They have also pointed out there has to be some thought given to whose fault it is if data is compromised during transmission from company A to company B.

Additionally, there are the issues that have dogged the financial sector since the MyData service was introduced, which could also beset the PIPC as it tries to roll out the service to all other industries.

It's not only that there's been debate about the scope of data that can be shared. Some have also complained that mandating a standardized application programming interface for all businesses would impose an undue financial burden on them, on top of the expenses involved with transferring data.

Incentivizing individuals to take part has also been a crucial task, since none of this would be possible without their consent.

'MyData coordinator'

Against this backdrop, the PIPC's role as MyData coordinator, as described by the PIPC chairman, is critical.

The agency has already shifted into high gear with follow-up measures, including the enactment and revision of enforcement ordinances and administrative notices, which will outline, among other things, the scope, methods, procedures of data transfers, and the designation of data-management intermediaries and their specific tasks.

Work has also been underway since last year to develop technical standards that assure seamless and secure data transfers across different industries, with an initial emphasis on five sectors including communication, education, commerce, transportation and tourism.

The regulator has also been building a platform that helps data subjects to track the transmission of their personal data, withdraw consent to further transmission if desired, and more.

In the midst of all this, negotiations are also happening about how to divide the expenses incurred during data transfers.

“MyData covers all sorts of data from all sorts of industries,” Ko said. “The committee will serve as a coordinator among companies with potentially conflicting interests, and one of our tasks is to establish technical standards. I believe that a large part of the government's role lies in clearing up the murky areas so that companies can comfortably create new services while strengthening individuals’ rights.”