11 December 2012

The ICN Act and privacy in S Korea

The short 'Korea Rolls Back ‘Real Name’ and ID Number Surveillance' by Whon-il Park and Graham Greenleaf in (2012) 119 Privacy Laws & Business International Report 20-1 comments that
South Korea’s online ‘real name’ statute - Article 44-5 of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. (the 'ICN Act') was enacted in 2007 in response to such things as posted Internet comments describing fictitious sex scandals and plastic surgery operations concerning celebrities, and a number of suicides of celebrities. It required large-scale portal sites with more than 100,000 visitors on average a day to record the real name identities of visitors posting comments, usually via the poster's resident registration number (RRN). One result was that many South Korean Internet commentators started to use overseas websites which allowed anonymous posting, such as Google and Twitter, and some therefore argued the law discriminated against domestic Internet services. A series of security breaches resulting in leaks of personal data concerning millions of South Koreans from those websites that were required to adopt real-name policy also occurred over the last couple of years.
In August 2012 South Korea’s Constitutional Court unanimously held that the ‘real name’ statute is unconstitutional because the public gains achieved had not been substantial enough to justify restrictions on individuals' rights to free speech. The two cases decided by the Court were brought by individuals who were required to provide their real names in order to make postings, and also by an online Internet publisher required by the law to verify the names of those posting. This article analyses the Court’s reasoning, in the context of other decisions concerning freedom of speech, and the overall relaxation of South Korea’s previously very restrictive Internet environment.
Legislative reform has occurred in parallel. The RRN was previously compulsory in almost all dealings with government and many organizations in the private sector. Abuse of the RRN accounted for over 20% of all complaints about misuse of personal information. Under Korea’s new Personal Information Protection Act of 2011, unique identifiers including the RRN may not be processed without consent and explicit legislative approval. Alternative means of identification other than the RRN must now be provided by processors where individuals are subscribing to web-based services.
The article concludes with parallels between developments in Korean and European data protection.
The authors' 'Korean DPA Faults Google's TOS Changes: Global Privacy Implications?' comments that
The first decision of Korea’s Personal Information Protection Commission (PIPC) has borne out the perception that Korea’s new Personal Information Protection Act (PIP Act) is ‘Asia’s toughest data privacy law’. The PIPC has decided that Google’s changes to the Terms of Service (TOS) of over 60 of its services, unifying them in a single TOS, may be in breach of various provisions of the Act.
Google’s TOS changes are considered by the Commission to be likely to breach these laws in three ways: (i) they do not specify the purpose of collection clearly enough, and cannot comply with the requirement that personal information may only be collected and used to the minimum extent necessary for the purpose for which it is collected; (ii) they do not comply with the requirement that where personal information is to be used for purposes other than the purpose for which it was collected, it is necessary to obtain additional consents for such uses; and (iii) they do not specify that personal information will be erased immediately upon the expiration of its retention period or on request from a data subject.
This article analyses this decision, considering the PIPC’s reasoning, and the terms of the Korean legislation, in order to determine whether the PIPC’s findings (and the potential remedial action) are a result of features which are unique to the Korean law, or are they features which are common to at least some other countries’ data privacy laws.
The same issue of PLBIR features 'Obama's Privacy Framework: An Offer to be Left on the Table?' by Graham Greenleaf and Nigel Waters.

They comment that
The Obama Administration is offering the rest of the world a deal: ‘global interoperability’, comprising ‘mutual recognition and enforcement cooperation’. Perhaps we should read the small print. The ‘Framework’ initiative (Consumer data privacy in a networked world: A framework for protecting privacy and promoting innovation in the global digital economy, The White House, Washington, February 2012), launched in early 2012, represents a new level of serious consideration of privacy protection by a US Administration. While it is difficult to assess how much of it is likely to be achieved in the face of both political gridlock and constitutional uncertainties, it is clearly in the interest of Americans that their government is attempting to take these steps to improve domestic privacy protections. But does this initiative offer sufficient of value to the rest of the world, for the price of ‘interoperability’?
This article looks at the proposed Framework from the following explicitly ‘non-US’ perspectives: Does the Framework’s ‘Consumer Bill of Rights’ meet international standards? Is the proposed method of achieving it realistic or futile? Is the US demand for ‘interoperability and mutual recognition’ reasonable? Is the USA ever likely to protect privacy to international standards? The article concludes that the rest of the world has to accept that there are some aspects of US domestic law on data privacy which are unlikely to change, but that does not constitute a reason for reducing international privacy standards in fundamental ways in order to accommodate the weaknesses of American privacy protection. The US approach does not deserve an undue amount of respect simply because of its economic and political power, and the Framework proposals do not at this stage change that. A better approach is to support those seeking reform in the USA by deferring ‘interoperability’ until US standards are in practice somewhere closer to those being adopted by most other countries. At some point it could become a rational decision that to have the USA implement and enforce significantly better CPBR would be a deal worth making, for the benefits of ‘interoperability’ on the basis of a minimum global standard. But at the moment that is not the right, best or only choice.