Personal Information Protection Commission

(unofficial translation)

Press release

Published on January 11

PIPC releases 'Direction of Investigation Work in 2023'

The Personal Information Protection Commission ("PIPC") has released its "Direction of the Investigation Work of Personal Information Protection in 2023," which was confirmed at the first plenary session on January 11.

The PIPC has established the basic direction of its investigation work to be "Establishing a digital ecosystem that the public can trust through proactive and preventive inspections to guarantee the rights of data subjects." This will be one of the major tasks of the PIPC in 2023.

The PIPC plans to strengthen its proactive and preventive inspection activities by focusing on guaranteeing the rights of data subjects during the digital transformation process. This will be a step further from the post-investigation and disposal of reports of breaches and infringements.

In 2023, the main areas of inspection and investigation will be: 1) major information systems in the public sector, 2) seven areas of online services, such as deceptive design (dark patterns), and 3) vulnerable areas of personal information protection, such as children's personal information and cross-border data transfer. The major implementation plans are as follows:

A. Major information systems in the public sector:

To eradicate personal information leaks in the public sector, the PIPC will focus on inspecting major information systems in the public sector as part of its follow-up measures of 'Personal Information Leaks Prevention Measures' established in July last year. The PIPC will establish and implement a plan to strengthen safety measures for 1,515 intensive management systems that deal with sensitive personal information in large volume. It will also intensively inspect systems that are difficult to manage and have a large ripple effect in case of leakage for three years.

B. Seven areas of online services:

As online services expand after COVID-19, the PIPC will conduct proactive and preventive inspections on seven key areas of the digital ecosystem, including deceptive design (dark patterns), which can manipulate the data subjects' decision-making. The seven key areas are:

Dark Pattern

Adtech

API Provider

Untact Platform

Super APP

Smart Device

Big Outsourcer, Solution Provider

In particular, with the recent increase in online activities of users, the PIPC will proactively inspect deceptive design, considering that the problem of deceptive design, which induces users to make unreasonable choices, has been raised internationally. The OECD and the U.S. Federal Trade Commission have recently released reports related to dark patterns, and the EDPB has also released guidelines for social media services.

C. Vulnerable areas of personal information protection:

To prevent other blind spots for personal information protection, the PIPC will conduct an inspection of children's personal information, cross-border data transfer, and domestic agents' operation of international service providers.

The PIPC will conduct inspections and investigations in accordance with the implementation plan for each sector. The PIPC plans to strictly sanction businesses that violate the law and provide guidelines for areas where the application of the law is unclear. In addition, the PIPC will promote the improvement of investigation proceedings and the establishment of an integrated online system of personal information and investigation information. This will help expedite the processing of investigation cases and improve the quality of the investigation.

Chairperson Ko emphasized that "It is time for a proactive and preventive inspection, focusing on guaranteeing the rights of data subjects during the digital transformation process and going beyond the current reactive investigation system." He added, "I expect major personal information controllers in both the public and private sectors to check their vulnerabilities in advance and improve deficiencies by referring to the Direction of the Investigation Work released by the PIPC."