On January 9, 2020, amendments to the Credit Information Use and Protection Act (“Credit Information Act”) were passed during a plenary session of the National Assembly. These amendments to the Credit Information Act (“Amendments”) were passed in tandem with respective amendments to the Personal Information Protection Act (“PIPA”) and the Act on Promotion of Information and Communications Network Utilization and Information (“Network Act”). The PIPA, the Network Act, and the Credit Information Act are collectively referred to as Korea’s 3 major data privacy laws (“Three Data Laws”). The main objectives behind the Amendments are (1) promotion of the data economy in the financial sector by, inter alia, establishing the statutory basis for the analysis and utilization of big data, (2) reform of the legal framework for the regulation of industries related to credit information by, inter alia, introducing the concept of credit information self-management (“MyData”) and revamping the existing system for regulating credit bureaus (“CBs”) that carry out credit evaluations of individuals, and (3) reinforcement of data protection in the financial sector by, inter alia, introducing the right to request transmission of personal credit information and the right to challenge decisions based on profiling.
The Amendments are expected to serve as a catalyst for the increased utilization of big data and convergence of data in the financial sector, and lead to the emergence of innovative services (e.g., customized financial services catering to the needs of individual customers) and new industries related to data (e.g., MyData services, non-financial CBs). In addition, the Amendments have been designed to enhance interoperability with the European Union’s General Data Protection Regulation (“GDPR”) as well as the data protection regulations of other countries and thus, are expected to facilitate the processing of data by Korean companies when they conduct business abroad.
The Amendments are expected to go into effect in late July or early August of this year (which will be 6 months from their promulgation date). Key provisions of the Amendments are summarized below.
1. Key Provisions of the Amendments
- In line with the aforementioned amendments to the PIPA, the Amendments also introduce the concepts of “pseudonymized information”, “pseudonymization”, and “anonymization”. Please refer to our newsletter dated January 14, 2020 (“Major Amendment to the Personal Information Protection Act Passed by National Assembly”) for more information on these concepts.
- The Amendments permit credit information handlers to provide personal credit information to third parties without the consent of personal credit information subjects to the extent such provision is not inconsistent with the original purpose of collection after considering factors such as the circumstances surrounding the collection of personal credit information, the potential impact to personal credit information subjects, and whether necessary safeguards have been implemented to ensure the security of personal credit information.
- The Amendments breakdown CBs into subcategories (whereas under the current Credit Information Act, CBs are defined rather broadly without such distinction) such as “CBs for individuals,” “CBs for sole proprietorships,” and “CBs for corporations” while relaxing regulatory entry barriers for each subcategory. In addition, CBs are no longer prohibited from engaging in other types of commercial enterprise so long as there is no risk of harming credit information subjects or undermining the soundness of credit transactions due to such commercial endeavors.
- The concept of MyData services will be introduced which will allow individuals to, among other things, conduct integrated searches of their own credit information as well as carry out credit and asset self-management.
- The consent system will be streamlined (simplified and visualized) to enable credit information subjects to provide their “informed consent” and a rating system will be introduced for the use of information, such that different ratings will be assigned to the use of information depending on the risk(s) and benefit(s) associated with such use so that credit information subjects can make informed decisions when providing their consent (taking effect within 1 year from the promulgation date of the Amendments).
- Credit information subjects will be granted the right to challenge (i.e., request explanations and raise objections) decisions based on profiling (i.e., automated processing of data to evaluate certain things about an individual).
- Credit information subjects will be granted the right to request financial companies and public institutions to transmit their personal credit information (i.e., right to data portability of personal credit information) to other financial companies (taking effect within 1 year from the promulgation date of the Amendments).
- The maximum amount of punitive damages that may be imposed on financial companies and other credit information handlers in connection with the leakage of personal credit information has been increased to 5 times (from the current 3 times) the amount of proven damages.
2. Implications for companies likely to be affected by the Amendments
- With the introduction of the concepts of pseudonymized information and anonymized information, companies are advised to review the scope of data processing that will be permitted under the amended Credit Information Act without the need to obtain consent as well as the methods to utilize pseudonymized information, safeguards to prevent the combination of data, and ex post facto control measures.
- In light of the expected changes in the legal framework for the regulation of CBs, companies planning to expand into the CB business are advised to carefully consider the conditions for entry into this business segment, potential synergies with their existing business, and growth opportunities as well as constraining factors.
- With the introduction of MyData services, the Amendments will serve to minimize entry barriers for Fintech companies. Accordingly, companies planning to provide MyData services are advised to begin preparations in advance to obtain necessary licenses and approvals.
- Companies are advised to pay special attention to the changes to the legal provisions governing consent and the newly created rights that will be granted to credit information subjects under the amended Credit Information Act. In particular, financial regulatory authorities are expected to establish and announce corresponding amendments to consent forms and other detailed measures prior to the effective date of the amended Credit Information Act and thus, companies are advised to continue monitoring related developments on this front.
- Given that the Financial Services Commission has announced its intention to hold future discussions to canvass public opinion for corresponding amendments to the implementing rules (e.g., the Enforcement Decree of the Credit Information Act) of the Credit Information Act, companies are advised to closely monitor the amendment process and to provide their input as necessary to promote their business interests.
- Companies are also advised to closely review the amendments to the PIPA and the Network Act that were passed by the National Assembly along with the Amendments, and make the necessary preparations to their practices in light of the changes that are expected to occur once these amendments take effect.
If you have any questions regarding this article, please contact below:
Kwang Bae PARK (firstname.lastname@example.org)
Jongsoo (Jay) YOON (email@example.com)
Hyun Koo KANG (firstname.lastname@example.org)
Hwan Kyoung KO (email@example.com)
For more information, please visit our website: www.leeko.com