With the advancement of information technology, the number of privacy violations has increased dramatically, leading to overlapping laws and blind spots. In response, Korea enacted the Personal Information Protection Act in 2011 to protect personal information and strengthen legal regulations.
The rapid development of information technology has led to a surge in new forms of privacy violations. As a result, a number of special laws were enacted, but as special laws were enacted in response to each breach, overlapping laws and blind spots in the law became inevitable. Eventually, the need for a comprehensive law to protect personal information was raised in Korea, and the Personal Information Protection Act was enacted in 2011.
Even after the Personal Information Protection Act was enacted, the development of information technology did not stop. In particular, the development of artificial intelligence and big data technology has provided opportunities for more sophisticated analysis and utilization of personal information, but it has also increased the risk of privacy violations. Personal data collected through artificial intelligence is often combined with various databases to determine an individual’s life patterns, preferences, and even psychological state. This has made the protection of personal data even more important and emphasized the need for legal regulation.
In order to properly protect personal information under the law, it’s important to know exactly what the law defines as personal information. We often think of personal information as “information that can recognize an individual” and assume that it is not personal information unless the individual can be identified, which is wrong. For example, if there are Kim Young-soo and Park Young-soo in the Human Resources Department 1 team, the information “Young-soo Kim, Human Resources Department 1” is not personal information because it is not possible to determine whether it refers to Kim Young-soo or Park Young-soo. However, according to the Personal Information Protection Act, even information that is difficult to identify a specific person is personal information.
The Personal Information Protection Act defines personal information as “information about a living individual, such as a name, resident registration number, and image, that allows the individual to be recognized.” It adds, “Even if the information cannot be used alone to recognize a specific individual, it includes information that can be easily combined with other information.” In other words, not only information with ‘specificity’ but also information with ‘specific possibility’ is considered personal information. Fingerprint, iris, signature, social security number, cell phone number, etc. are personal information with specificity, while age, occupation, residential address, etc. are personal information with specificity. Therefore, even though we cannot know for sure who “Mr. Yeongsoo, HR Team 1” is referring to, it should be considered personal information.
In this way, the Personal Information Protection Act not only protects information with specificity, but also information with specific possibilities. This is because it is believed that information with a certain possibility can always become specific when combined with other information. In modern society, the premise is that an individual can suffer tremendous harm from the leakage or misuse of personal information, and the law protects even those things that are not, but are likely to be.
In addition, the Personal Information Protection Act imposes a safety measure obligation that requires those in charge of processing personal information to take measures necessary to ensure the safety of personal information. Accordingly, if a data processor obtains someone’s personal information and stores it on a computer without any encryption device, they will be fined. This is because even if the personal data hasn’t actually been compromised, there’s a chance that it could be. These legal restrictions on privacy reflect social recognition of the importance of personal information.
Therefore, in addition to complying with privacy laws, companies and organizations need to strengthen technical measures and internal training to protect information. This is not just about fulfilling legal obligations, but also about gaining and maintaining the trust of customers and users. Customer trust is directly linked to a company’s reputation, which in turn plays a key role in increasing its competitiveness in the long run. As technology continues to evolve, so does the need for privacy, which is why it’s important to continue to pay attention to it.