• 5th APB Forum, Spring 2018

    Trustworthy Privacy Across Asia

  • Establishing Effective Privacy Policies

    Celebrating the third foundation anniversary, the Barun ICT Research Center was created for the purpose of addressing the negative effects of ICT development and is currently conducting research on issues such as ICT addiction, the digital divide, personal data protection, privacy, and more. In accordance to the previous five forums, the APB Forum provides a discussion platform for experts from each nation’s government, academia, and business sector and endeavors to lead the issue of Asia’s personal information protection and privacy in the right direction through international cooperation efforts. Moreover, the APB Forum aims to uphold individual rights in personal data protection policies, as well as contribute to social development by enhancing social values of ICT usage. This year’s forum opened discussion on each nation’s personal information systems and considered global issues that should be prioritized and proposed measures to adapt to those changes. Particularly, we want to establish effective privacy policies through discussions on GDPR which will take effect on May 25.

    The Social Problems Derived from Information Technology Development and the Solution of Interdisciplinary Academic Research

    Until recently Korea has mainly directed its information communication technology towards infrastructure expansion and service speed enhancement. However, we are now facing social issues such as the digital divide, personal information protection, privacy protection, the right to be forgotten, and other issues that are emerging from core ICT-related problems. In particular, with the upsurge of AI, Big Data, sharing economy, variance accounting, and other revolutionary services, it will become more important than ever to solve these social issues as we enter the Fourth Industrial Revolution.

    On Becoming a Global Research Center for Privacy Competitiveness and Safe ICT Culture Creation in Asia

    I congratulate the fifth opening of APB Forum and the third anniversary of Barun ICT Research Center's Foundation. Last September, the Barun ICT Research Center and I co-hosted the “University Student Policy Debate on Start-Up Support Policies in the Fourth Industrial Revolution.” Here, we shared thoughts on how to convert students’ passion and ideas into successful start-ups, and through this event, we realized the importance of support policies and the creation of a friendly start-up environment to our future society—in fact, it is a task we need to consider and discuss further upon. I remain hopeful that this forum will promote international cooperation on personal information protection and national privacy competitiveness in Asia. I also wish the best for the Barun ICT Research Center’s future endeavors to contribute to humanity’s happiness and a safe culture of ICT on a global scale.

    Thanks for Hosting APB Forum to Promote Collaboration among the Asian Countries

    Currently, Korea has strengthened its privacy protection regulations so that it has become more difficult to use Big Data compared to other countries, such as the United States. By referencing international issues and performances of ICT, I hope Korea and Asia will find the right solutions to managing personal information measures. The European countries have enforced collaborative legal measures through the GDPR amongst the EU member states, and they too, show great interest in the APB Forum promoting collaboration between the Asian countries. I again thank Professor and Director Beomsoo Kim for hosting this forum and leading in academia what the government must do. I also give my sincerest hopes that the APB will become a sustainable bridge hereafter for enhanced privacy collaboration in Asia.

    [South Korea] Measures Regarding Privacy Protection in Cross-Border Data Transfer and Protecting Date Subjects' Right

    In 2014, the amount of data flows across the world has grown 45 times larger since 2005 and is currently rising more sharply than before. This shows that data functions as an important resource in our industries, but it also foreshadows the coming dangers when such a mass amount of data is transferred internationally. Even the news continually reports businesses violating and leaking personal information, and the growing fears and concerns of the public. Amidst this global change, the Korea Communications Commission has found a privacy collaboration center in China and is in the process of establishing one in the U.S. in order to prevent personal data violations across borders. Moreover, we have newly created a Personal Data Breach Research Committee to more directly redress personal information breaches and damage relief to victims. Currently, Korea is also in the midst of a legislative debate on whether users’ consent is required for cross-border transfers of data, and whether there are other ways of data transference without their consent. While such progress is being made on the one hand, the scope of Asia’s privacy protection should be expanded through the credibility established by the APEC Privacy Framework on the other. This February, the APEC privacy meetings held in Papua New Guinea reached the conclusion to strengthen the CPEA (Cross- Border Privacy Enforcement Arrangements) and publicize collaborations of this kind. Furthermore, countries are continuously amending their personal data protection laws, and it is vital to understand and collaborate with each national legal system at this stage. The Korean government and the EU are in the long-term process of evaluating the compatibility of their legislation and discovering differences and points of synthesis. Asia, too, needs to strengthen such collaborative efforts.

    [Japan] The Tasks We Face Today on Personal Data and Privacy Protection

    Japan has enforced privacy and personal data protection laws and further effort is being done on the private and civilian level to protect personal information. In the recent 2017 amendment of Japan’s personal data protection legislation, personal data has been more exactly defined to include race, religion, medical history, and other instances of private information; so that using “information about a living individual which can identify a specific individual by the description contained in the information” is banned. Moreover, in order to better oversee the usage of an individual’s personal data for a lawful purpose, Japan has organized the PPC (Personal Information Protection Commission). Whereas the leaders of each industry sector have managed personal data protection before, the PPC will be an independent supervisory body to oversee data protection from multiple perspectives. Japan currently faces the task of addressing the privacy problems derived from the Fourth Industrial Revolution, such as AI profiling, data management, IoT, connected cars, smart robots, and more.

    [Hong Kong] Cases of Collaborative Global Privacy Protection

    With regards to cross-border data transfer, Hong Kong currently bans all transfer of personal data except under certain special circumstances. Likewise, the third principle of data protection in the Personal Data Ordinance states, “Personal data must be used for the purpose for which the data is collected or for a directly related purpose unless voluntary and explicit consent with a new purpose is obtained from the data subject.” At present, privacy protection must occur across national borders, and international collaboration is crucial. Last year, the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) successfully hosted the 39th International Conference of Data Protection and Privacy Commissioners (ICDPPC) to strengthen cooperation between nations. Despite the recent scandal of Cambridge Analytica harvesting 87 million Facebook users’ personal information, the problem was solved through the joint efforts of the U.S. Federal Trade Commission (FTC), the British Office of the Information Commissioner (ICO), and the Singapore Personal Data Protection Commission (PCPD). Another collaborative success case was in 2017, when the Registration and Electoral Office (REO) reported two of their notebook computers had gone missing in which 3 million electors’ and 1,200 Election Committee members’ personal information were lost. In this case, as well, the U.S. FTC, the U.K. ICO, Office of the Privacy Commissioner (OPC) Canada, Office of the Privacy Commissioner (OPC) New Zealand, and Privacy Protection Authority of Israel worked together to recover the lost data and subdue damages.

    [The Philippines] On Privacy Rights and Strengthening Measures

    The Philippines National Privacy Commission (NPC) was initially founded for the purpose of creating the 2016 Data Privacy Act (DPA). Hence, this agency both monitors and ensures data protection through risk management and appropriate data flow. Privacy rights are also included in the Constitution, and violation of these rights are punished by hefty fines. The Commission’s role is to help civilians abide by the Data Privacy Act (DPA), and currently, the government has appointed Data Protection Officers (DPO) to monitor Filipino businesses on their compliance to data protection regulations. Many Filipino users were inflicted by the recent scandal of Facebook harvesting mass amounts of personal data, in which the Data Protection Authorities (DPA) have pressured Facebook to redress users’ personal information breach. The NPC is currently investigating the legality of Facebook’s relief measure process.

    The Subject and Scope of the GDPR’s Right of Data Portability

    Korea currently has no legislation regarding the right of data portability. The GDPR is a united body of law on data protection and privacy despite the 28 EU member states already having their own personal data regulations. According to the GDPR, the right of data portability ensures that the data subject can receive their personal data through their consent or contractual format from controllers, as well as their right to request personal data transmission to another controller. Private corporations that utilize personal data of European citizens or provide goods and services related to monitoring civilians will be subject to the GDPR. Moreover, the scope of the right to personal data portability includes only personal data concerning the data subject and not information derived from analyzing the personal data. This right also shall not be in conflict with previous rights

    Points to Consider When Transferring Personal Data

    The GDPR’s right of data portability consists of the personal data provided
    to the controller and the personal data concerning the data subject. These
    regulations are systematic and extensive, and it is important to transfer this data in a “commonly used and machine-readable format.” The GDPR states that transfer of personal data must occur with data subject’s consent and aims to empower the civilians by giving them control over their personal data while regulating the data subject and controller’s function in the transaction. This is for the purpose of facilitating the transfer of one’s personal data to another controller, as well as creating competitiveness in new service and development sectors. When privacy experts were consulted on the difficulties in implementing the GDPR, the right to be forgotten and data portability were given the highest rankings. For small and medium enterprises especially, enforcing such data protection will be challenging and require supplementary measures.

    China’ Current Legislation on Cross-Border Transference of Personal Data

    Cross-border flow of personal data also occurs actively in China. According to
    the McKinsey Global Institution, such data transference has raised the world’s
    GDP by 10% and contributes to the growth of national economies (source: “Digital Globalization: The New Era of Global Flows”). Although Chinese laws tend to be on the stricter side, it does not meet adequate privacy protection standards. Thus, China’s next measures on cross-border flow of personal data should be as followed. Firstly, China should enforce professional personal data protection measures against data breaches, and secondly, to create and request supplementary laws if cases under the jurisdiction of subordinate legislation surpass that of the primary legislation. Thirdly, self-evaluation methods and obligations should be clarified, and fourthly, refining of legal punishments is needed.

    Korea’s Regulation on the Transborder Flow of Personal Data

    That Korea’s Personal Information Protection Act consisting of both general
    laws and special laws makes it a relatively complex piece of legislation. Under the general provisions, Article 17 elaborates the conditions for the provision of personal information. Here, cross-border transfer of personal information shall not be in violation of this Act when under a legal contract, and when transferring personal information between domestic controllers, the same regulation will be applied as to providing personal information to an overseas controller. However, there is no certain regulation pertaining to an overseas processor (a party that processes personal information directly or indirectly in place of the controller). Unlike the Personal Information Protection Act, the more specific Act on Promotion of Information and Communications Network dictates that one must have the data subject’s consent before transferring the data to a different controller or processor. Conditions that do not require consent are when the commissioned third party requires the data to provide its services; when the data is indispensable to the data subject; and when the data subject has been notified beforehand. In other words, Korea’s legislation on cross-border transference of data is heavily dependent on consent and does not clarify specific regulations and measures. In addition to Korea, the issue of data localization is being rekindled in Russia and China as well as in Europe’s implementation of the GPDR, and further debate on the multiple perspectives of the problem is needed.

    은 “개인정보 보호법(이하 개인정보보호법)”  웹사이트 운영을 위해 준수해야 할 관련 법령의 개인정보 보호 규정을 준수하고 있으며, 이를 바탕으로 정보주체의 권익보호를 위해 최선을 다하고 있습니다.
    의 개인정보 처리방침은 다음과 같은 내용을 담고 있습니다.
    제1조 (개인정보의 수집 항목 및 방법)
    가. 개인정보 수집 항목
    - 필수정보 : 성명, 소속 기관, 부서명, 직위(직책), 휴대전화, 이메일주소
    나. 수집방법 : 온라인 사전 등록 신청서 작성
    제2조 (개인정보의 처리 목적)
    가.  운영
    ‘바른ICT연구소’ 행사 참가 안내, 참가 신청 확인 및 출입증 발급, 참가 확인증 발급 등  운영에 관련한 목적으로 개인정보를 처리합니다.
    나. 민원처리
    개인정보 열람, 개인정보 정정·삭제, 개인정보 처리정지 요구, 개인정보 유출사고 신고 등 개인정보와 관련된 민원처리를 목적으로 개인정보를 처리합니다.
    제3조 (개인정보의 처리 및 보유 기간)
    은 관련 법령에서 명시하고 있는 개인정보 보유ㆍ이용기간 또는 정보주체로부터 동의 받은 개인정보 보유ㆍ이용기간 내에서 개인정보를 처리ㆍ보유합니다. 각각의 개인정보 처리 및 보유 기간은 다음과 같습니다.
    가. 참가자 정보 : 참가일로부터 3년
    나. 개인정보 열람 등 요구 처리 사용자 정보 : 개인정보 열람 등 요구 접수시부터 3년
    다. 유출사고 신고 처리 사용자 정보 : 유출신고 접수 시부터 3년
    제4조 (개인정보의 제3자 제공)
    은 원칙적으로 참가신청자의 개인정보를 제3자에게 제공하지 않습니다.
    제5조 (개인정보처리 위탁)
    ① 은 원활한 개인정보 업무처리를 위하여 다음과 같이 개인정보 처리업무를 위탁하고 있습니다.
    가. 위탁받는 자 (수탁자) : ㈜이인벤션
    - 주소 : 서울시 구로구 디지털로33길 50, 301(구로동, 벽산디지털밸리 7차)
    - 전화 : 02-2630-8777
    - 근무시간 : 09:00 - 18:00
    - 위탁하는 업무의 내용 : 시스템 운영 및 유지보수, 데이터 추출 및 가공
    나. 위탁받는 자 (수탁자) : ㈜온오프믹스
    - 주소 : 서울시 서초구 신반포로 45길 22 은양빌딩 5층
    - 전화 : 02-6080-5579
    - 근무시간 : 09:00 - 18:00
    - 위탁하는 업무의 내용 : 참가자 등록 처리를 위한 데이터 추출 및 가공
    ② 은 위탁계약 시 개인정보 보호 관련 법규의 준수, 개인정보에 관한 3자 제공 금지 및 책임부담 등을 명확히 규정하여 계약내용을 보관하고 있으며, 업체 변경 시 공지사항 및 개인정보 처리방침을 통해 고지하겠습니다.
    제6조(정보주체의 권리ㆍ의무 및 행사방법)
    ① 정보주체는 에 대해 언제든지 다음 각 호의 개인정보 보호 관련 권리를 행사할 수 있습니다.
    가. 개인정보 열람요구
    나. 오류 등이 있을 경우 정정 요구
    다. 삭제요구
    라. 처리정지 요구
    ② 제1항에 따른 권리 행사는 에 대해 서면, 전화, 전자우편, 모사전송(FAX) 등을 통하여 하실 수 있으며 은 이에 대해 지체 없이 조치하겠습니다.
    ③ 정보주체가 개인정보의 오류 등에 대한 정정 또는 삭제를 요구한 경우에는 은 정정 또는 삭제를 완료할 때까지 당해 개인정보를 이용하거나 제공하지 않습니다.
    ④ 제1항에 따른 권리 행사는 정보주체의 법정대리인이나 위임을 받은 자 등 대리인을 통하여 하실 수 있습니다. 이 경우 개인정보 보호법 시행규칙 별지 제11호 서식에 따른 위임장을 제출하셔야 합니다.
    ⑤ 정보주체는 개인정보 보호법 등 관계법령을 위반하여 가 처리하고 있는 정보주체 본인이나 타인의 개인정보 및 사생활을 침해하여서는 안 됩니다.
    ⑥ 정보주체의 열람, 정정, 삭제, 처리정지 요구 거절 시 불복을 위한 이의제기 절차는 다음과 같습니다.
    ▶ 불복 사유
    - 정보공개 청구에 대한 의 열람거절
    - 정보공개 청구에 대한 의 일부열람
    - 정보공개 청구일로부터 20일 이내에 가 공개 여부를 통지 하지 않은 경우
    ▶ 처리 절차
    - 이의신청 : 열람여부의 결정 통지를 받은 날 또는 열람거절의 결정이 있는 것으로 보는 날부터 “30일” 이내 제기
    - 행정심판 : 처분이 있음을 안 날로부터 “90일” 이내 제기(처분이 있은 날로부터 180일을 경과하면 제기 불가
    - 행정소송 : 처분이 있음을 안 날로부터 “90일” 이내(처분이 있은 날로부터 1년을 경과하면 제기 불가).
    제7조(개인정보의 파기)
    ① 는 개인정보 보유기간의 경과, 처리목적 달성 등 개인정보가 불필요하게 되었을 때에는 지체 없이 해당 개인정보를 파기합니다.
    ② 정보주체로부터 동의 받은 개인정보 보유기간이 경과하거나 처리목적이 달성되었음에도 불구하고 다른 법령에 따라 개인정보를 계속 보존하여야 하는 경우에는, 해당 개인정보를 별도의 데이터베이스(DB)로 옮기거나 보관 장소를 달리하여 보존합니다.
    ③ 개인정보 파기의 절차 및 방법은 다음과 같습니다.
    가. 파기절차
    은 파기 사유가 발생한 개인정보를 선정하고, 의 개인정보 보호책임자의 승인을 받아 개인정보를 파기합니다.
    나. 파기방법
    는 전자적 파일 형태로 기록ㆍ저장된 개인정보는 기록을 재생할 수 없도록 로우레밸포멧(Low Level Format) 등의 방법을 이용하여 파기하며, 종이 문서에 기록ㆍ저장된 개인정보는 분쇄기로 분쇄하거나 소각하여 파기합니다.
    제8조(개인정보의 안전성 확보조치)
    는 개인정보의 안전성 확보를 위해 다음과 같은 조치를 취하고 있습니다.
    ① 관리적 조치 : 내부관리계획 수립ㆍ시행, 정기적 직원 교육 등
    ② 기술적 조치 : 개인정보처리시스템 등의 접근권한 관리, 접근통제시스템 설치, 보안프로그램 설치
    ③ 물리적 조치 : 자료보관실 등의 접근통제
    제9조(개인정보 보호책임자)
    ① 는 개인정보 처리에 관한 업무를 총괄해서 책임지고, 개인정보 처리와 관련한 정보주체의 불만처리 및 피해구제 등을 위하여 아래와 같이 개인정보 보호책임자를 지정하고 있습니다.
    ▶ 개인정보보호 책임자
    성명 : 김범수
    직책 : 연구소장
    연락처 : 02-2123-6694 / barunict@barunict.kr
    ② 정보주체께서는 에 참여하시면서 발생한 모든 개인정보 보호 관련 문의, 불만처리, 피해구제 등에 관한 사항을 개인정보 보호책임자 및 담당부서로 문의하실 수 있습니다. 은 정보주체의 문의에 대해 지체 없이 답변 및 처리해드릴 것입니다.
    제10조(개인정보 열람청구)
    정보주체는 개인정보 보호법 제35조에 따른 개인정보의 열람 청구를 아래의 사무국에 할 수 있습니다. 는 정보주체의 개인정보 열람청구가 신속하게 처리되도록 노력하겠습니다.
    ▶ 개인정보 열람청구 접수ㆍ처리 사무국
    부서명 : 바른ICT연구소
    연락처 : 02-2123-6694 / barunict@barunict.kr
    제11조(권익침해 구제방법)
    정보주체는 아래의 기관에 대해 개인정보 침해에 대한 피해구제, 상담 등을 문의하실 수 있습니다.
    - 아래의 기관은 과는 별개의 기관으로서, 의 자체적인 개인정보 불만처리, 피해구제 결과에 만족하지 못하시거나 보다 자세한 도움이 필요하시면 문의하여 주시기 바랍니다.
    ▶ 개인정보보호 종합지원 포털 (행정자치부 운영)
    - 소관업무 : 개인정보 침해사실 신고, 상담 신청, 자료제공
    - 홈페이지 : www.privacy.go.kr
    - 전화 : 02-2100-3394
    ▶ 개인정보 침해신고센터 (한국인터넷진흥원 운영)
    - 소관업무 : 개인정보 침해사실 신고, 상담 신청
    - 홈페이지 : privacy.kisa.or.kr
    - 전화 : (국번없이) 118
    - 주소 : (58324) 전남 나주시 진흥길 9(빛가람동 301-2) 3층 개인정보침해 신고센터
    ▶ 개인정보 분쟁조정위원회
    - 소관업무 : 개인정보 분쟁조정신청, 집단분쟁조정 (민사적 해결)
    - 홈페이지 : www.kopico.go.kr
    - 전화 : 1833-6972
    - 주소 : (03171) 서울특별시 종로구 세종대로 209 정부서울청사 4층
    ▶ 경찰청 사이버안전국
    - 소관업무 : 개인정보 침해 관련 형사사건 문의 및 신고
    - 홈페이지 : cyberbureau.police.go.kr
    - 전화 : (사이버범죄) 02-393-9112
    (경찰청 대표) 1566-0112
    제12조(개인정보 처리방침 신설)
    이 개인정보처리방침은 시행일로부터 적용되며, 법령 및 방침에 따른 변경내용의 추가, 삭제 및 정정이 있는 경우에는 가능한 변경사항의 시행 7일 전부터 공지사항을 통하여 고지할 것입니다.
    - 공고일자 : 2018년 4월 19일
    - 시행일자 : 2018년 4월 19일