In December 2014, the Korea Communications Commission (KCC) released the“Big Data Guidelines for Data Protection” (Guidelines). Aimed at Information and Communications Service Providers (ICSPs), they are designed to prevent the misuse of “publicly available information” to create and exploit new information. The Guidelines expressly permit ICSPs to collect and use “publicly available information”, within certain parameters.
“Publicly available information” is defined as “code, letters, sounds and images” that are “lawfully disclosed”; however, the Guidelines also cover Internet log information and transaction records.
According to the Guidelines, where such information includes personal information, the data must be de-identified before it may be collected, retained, combined, analysed or sold. The Guidelines also include a number of specific measures for ICSPs to take in connection with their collection and use of such information.
These measures include a duty to disclose their big data processing activities and policies to users, and to inform users of their rights to opt out. Other provisions include a prohibition on the collection, analysis and exploitation of sensitive information, and an obligation to ensure that information collected and used remains de-identified.
Before the Guidelines were introduced, the right to collect and use such information in South Korea was widely considered to be a grey area. The KCC has therefore provided much-needed clarification in this area. The Guidelines strike a balance between protecting personal information, on the one hand, and recognising the growth of the big data industry on the other.