The National Policy Committee of the National Assembly approved a revision bill on the Credit Information Use and Protection Act on November 28. Along with the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection, this revision bill on the Credit Information Act is considered as a key legislation to promote data economy.
► ESTABLISHING NEW LEGAL BASIS FOR USING AND ANALYZING BIG DATA
- Pseudonymised information may be used without consent from the owner of the information for statistical, industry research and public documentation purposes.
- Converging data is permitted only by the institutions designated by the government.
- Safety measures are established for the use and convergence of pseudonymised data, including a prohibition on re-identification of pseudonymised data and a requirement for separate management of additional information.
► STRENGTHENING THE ROLE OF PERSONAL INFORMATION PROTECTION COMMISSION
- The revision bill on the Personal Information Protection Act upgrades the status of the Personal Information Protection Commission (PIPC) from an administrative commission to that of a central administrative agency with authority to conduct investigations, regulate commercial enterprises and implement relevant laws.
► IMPROVING REGULATORY FRAMEWORK ON CREDIT BUREAU INDUSTRY
- The credit bureau industry will be categorized into a) personal CB, b) individual business CB and c) corporate CB, while the entry barrier for credit bureau businesses will be lowered.
- The current regulation which restricts credit bureau businesses from performing for-profit operations will be lifted, and credit bureau businesses will be allowed to conduct data analysis and processing as well as consulting.
- Conduct regulations will be established to improve the soundness of the credit bureau industry. Largest shareholders of personal CB and individual business CB businesses will be subject to eligibility tests.
► INTRODUCING MYDATA BUSINESS IN FINANCIAL SECTORS
- The revised bill introduces MyData businesses through which individuals may access their integrated personal information and receive credit and asset management services.
- MyData businesses can make recommendations on different financial products and offer financial advisory services using personal data.
- The revised bill has put in place safety and security measures, such as the application of a standard API for the transfer of credit information and strict personal authentication procedures.
► ENHANCING PERSONAL INFORMATION PROTECTION IN FINANCIAL SECTORS
- Based on the level of information sensitivity, consumers will be notified of which class of private data they are giving consent to be used.
- Consumers will have the right to request an explanation or file an objection against profiling.
- Consumers will be entitled to the right to data portability through which a request can be made for a transfer of private information from one financial institution to another.
- The penalty of punitive damages on breach of personal information will be raised from three times the amount of inflicted damages to five times.
The government expects that the revision to the Credit Information Act will provide a foundation to foster new growth engines in the financial industry for the era of data economy. The revised measures also place the Korean data regulations more closely on a par with global standards, such as the European Union’s General Data Protection Regulation.
It is expected that the revision bill will be debated in the Legislation & Judiciary Committee and during a plenary session of the National Assembly within this year. The bill is expected to take effect six months after its promulgation.
* Please refer to the attached PDF for details.