This site is the official e-Government website of the Republic of Korea.
Notice / Press Release
| Title | [Press Briefing] PIPC Announces Key Policy Tasks for 2024 | ||
|---|---|---|---|
| Department | Date | 2024.02.16 | |
| Attachment | [Press release] PIPC Announces Key Policy Tasks for 2024_FN.pdf | ||
| Page URL | https://www.pipc.go.kr/eng/user/ltn/new/noticeDetail.do?bbsId=BBSMSTR_000000000001&nttId=2434 | ||
| Contents |
PIPC Announces Key Policy Tasks for 2024 Remarks by Chairperson Haksoo Ko on the Year Ahead - Below is an excerpted unofficial translation of the remarks by Chairperson Haksoo Ko, delivered in the Korean language, on the occasion of a press briefing held on February 15, 2024. I. Policy direction and plans for 2024 The rapid advancements in generative artificial intelligence (AI) technology we have witnessed recently have served as a reminder of the importance of personal data. It is because the performance of an AI system is highly reliant on the quality of the data used for training the AI model, and a considerable portion of the training data would be personal data. In a full-blown digital age, we can easily expect that a country’s capability in the field of AI will significantly affect its competitiveness. AI is already becoming part of our daily lives, with an increasing influence over many aspects of individuals’ lives. In anticipation of the significant societal changes precipitated by AI, the Personal Information Protection Commission (PIPC) has set out its policy vision for 2024 as “The age of AI: enriching people’s lives, protecting people’s data.” To ensure the benefits of AI are enjoyed by everyone while its risk to privacy is mitigated at the same time, the PIPC will focus on the following objectives: 1. Enhancing the quality of life for everyday users with trustworthy AI 2. Creating a safe society where personal data is properly protected 3. Building an exemplary privacy ecosystem that aligns with global norms and gives Korea a leading edge II. Key achievements of 2023 Let me briefly take a look back on some of the achievements we made in 2023. First and foremost, the Personal Information Protection Act (PIPA), the data protection law of Korea, was amended in major parts, laying the legal foundation for leading Korea’s transition into a full-blown digital society. Inconsistent regulatory requirements for online and offline businesses was also eliminated in the amended PIPA, in an effort to update regulations that were not suitable in an evolving digital environment. On the other hand, certain provisions intended to strengthen the rights of data subjects were newly introduced, such as the right to data portability. The amended PIPA also acknowledges diversified conditions for cross-border transfer of personal data, as well as introducing the legal basis to order the suspension of data transfer to destinations deemed not to be in compliance with the applicable regulations due to a privacy violation. These changes are aimed at better aligning the PIPA with global privacy and data protection norms. Throughout the year, the PIPC released a series of guidelines intended to facilitate data utilization and boost data economy, such as the “Policy Direction for Safe Usage of Personal Data in the Age of AI”, “Expansion Plan for Pseudonymized Data Usage” and “National MyData Strategy.” At the same time, efforts were made to bolster privacy and data protection in areas closely related to people’s daily lives. For instance, we launched a pilot project to help children and young adults exercise their “right to be forgotten” by helping them remove online posts containing their personal data. Separately, self-regulation efforts of the private sector were reinforced through public-private cooperation. We made various efforts to improve the level of privacy and data protection in the public sector, particularly by adopting the principle of “One Strike Out” – which means a “zero tolerance” policy – to intentional data leakage by a public official, and formulated plans to impose rigorous data protection standards across public institutions. On the global front, the PIPC has been engaging in many international discussions on data governance. In 2023, we hosted an international conference entitled “AI and Data Privacy” in Seoul, participated in a series of discussions at the UN High-level Advisory Body on AI, and won the bid to host the meeting of the Global Privacy Assembly (GPA) for the year 2025, among others. III. The Six Key Policy Tasks for 2024 Building on the achievements made in the last year, the PIPC will continue to implement a multitude of important policy measures throughout 2024. Outlined below, these measures are intended to reduce regulatory uncertainty for businesses while enabling us to respond preemptively to new privacy challenges, thereby facilitating digital innovation across society based on public trust. 1. Creating conditions for the development of trustworthy AI The PIPC will continue to resolve legal uncertainties and encourage businesses to develop legitimate AI technologies and services without having to worry about potential violations or penalties. At the same time, we will introduce safeguard measures that are commensurate with the level of risk an AI system poses. These efforts are aimed at promoting a flourishing data economy driven by AI. To this end, the PIPC will prepare and publish six guidelines about AI, each dealing with a different stage of the development and deployment of AI systems. Intended to clarify the principles and criteria for applying the PIPA in the increasingly complex context of AI, the six guidelines will each cover the below topics:
One important new system we have introduced recently is the Prior Adequacy Review Mechanism. Under this scheme, the PIPC will work together with startups developing innovative AI models or services to ensure that sufficient privacy and data protection measures are embedded in the design of AI systems so that they comply with the PIPA. We will expand application of regulatory sandbox that allows the use of original video information across mobility sectors, such as self-driving cars, to nurture cutting-edge industries. Another new initiative is the Personal Information Safe Zones. These specifically designated areas would provide AI researchers with a secure environment for processing and using high-quality training data, and we plan to expand operation of the Safe Zones throughout the year. In addition, we will uphold data subjects’ rights to request explanation and refuse AI-based automated decisions that can significantly impact their lives, such as those made in recruitment or welfare beneficiary selection processes. 2. Expanding data portability rights through MyData services Second, we will promote the expansion of data portability rights through MyData, or Korea’s open and portable data service, to bring tangible benefits to the people. This means that individual data subjects will be able to choose what personal data they want to use and allow data controllers holding their data to pass on to a third data controller. To enable this, the PIPC will build the institutional and technical infrastructure to support the implementation of MyData services across various domains and sectors. Firstly, we will support the development and validation efforts of new and pioneering MyData services that focus on the areas closely related to people’s daily lives, such as healthcare and telecommunications. We will also establish detailed criteria for exercising the right to request the transfer of personal data, such as the request procedures and methods, for individuals. Standardization of data formats and transfer specifications will also be pursued. In addition, a “MyData support portal” will be launched to help people make use of MyData services with ease. 3. Building a system of secure data protection for everyday life In order to enhance privacy and data protection throughout society, the PIPC will conduct proactive inspections on the status of data safeguard measures being implemented in six key areas. The first three areas are closely related to people’s lives: education and training services, food and beverage ordering services, and information, broadcast and communication services. The other three areas are emerging industries: smart cars, AI and metaverse, and “super apps.” Building on the findings of analysis of last year’s public-private co-regulation, we will promote an upgraded version of the system, dubbed “Online Platform Public-Private Co-Regulation 2.0.” Separately, we will establish a “medium-term investigation roadmap” that contains our plans for investigation along with an analysis of new types of privacy infringement factors, investigation directions, and ways to secure investigative experts and technologies. Meanwhile, we will conduct assessment of the status of personal information protection in the public sector. The assessment itself is not new, but we are expanding the scope of the target organizations, and integrating diagnosis of qualitative factors such as the appropriateness of the relevant work carried out in practice. We expect this system will significantly improve the level of privacy and data protection across public institutions. 4. Strengthening the rights of data subjects in the digital age To provide data subjects greater control over the use of their personal data, the PIPC will implement a scheme to assess the content of the privacy policy documents of target organizations. With the relevant legal basis introduced in the amended PIPA, such assessment aims to improve transparency of data processing by data controllers and protect the self-determination rights of data subjects. The PIPC will establish safeguards to ensure that the privacy of data subjects is properly protected in the context of using biometric data, such as by setting reasonable criteria for the use of such data and expanding means to guarantee the rights of data subjects. This year, we will promote legislation to strengthen the protection of personal information for children and teens. Last year, we launched a pilot project to support young adults exercise their digital “right to be forgotten” by helping them delete unwanted online content containing their personal information. We are expanding the target age groups that are eligible to apply for this service by raising the age cap from 24 to 29 years old. For digitally vulnerable groups such as children and adolescents, the elderly, and people with disabilities, the PIPC will provide education and consulting about personal information protection that are tailored to the needs of each group. For small and medium-sized businesses and startups, we will offer training and counseling as well as technical support in relation to personal data protection. 5. Establishing a data privacy ecosystem to support data economy We will pursue the enactment of a Personal Video Information Act to establish reasonable standards and safety measures for the lawful use of video information in line with rapid advancements in new technologies and industries, such as self-driving cars and drones. To promote safe use of personal information, we will operate an online one-stop support platform for pseudonymized data utilization, and designate multiple support centers offline to encourage the use of pseudonymized data. We will support the development of various privacy enhancing technologies (PETs) as well as the formulation of privacy technology standards in each of the newly emerging fields including AI and blockchain. We will also conduct a study on the collection of online behavioral information. A dedicated chief privacy officer (CPO) system, which will be required for certain large institutions and organizations, is introduced to provide the ground for an organization’s data protection officer to perform their work with competence and independence. Separately, five universities will offer a bachelor’s degree program in data privacy. We are also pushing to open master’s and doctoral degree programs majoring in privacy. 6. Engaging in international efforts to shape data privacy standards The PIPC will actively participate in international discussions on data governance to ensure that international privacy norms and domestic regulatory frameworks are largely aligned and consistent, and that they can work in an interoperable manner. We will remain committed to taking a proactive role in the global norm-setting discussions from their early stages. This includes our engagement in the initiative led by the UN High-level Advisory Body on AI (of which I am a member), and the ongoing work at the AI Working Group (of which the PIPC is serving as a co-chair) of the Global Privacy Assembly (GPA). At the same time, we will endeavor to contribute to the international discussions on data governance frameworks by organizing timely events such as the “AI Privacy” International Conference and the General Assembly of the GPA in Korea. As an effort to ensure interoperability of data governance among various countries, the PIPC will promote the stable operation of the “equivalence recognition system.” This newly established scheme would provide the basis for cross-border transfer of personal data. * A .pdf version of this press release is attached
|
||