Legal Concerns of Financial Institutions in the Big Data Era - The Use of De - Identified Personal Information without Prior Consent under the Korean Privacy Laws -

The importance of big data as a new source of industry development is rapidly on the rise globally. Commonly referred to as being in the “Big Data Era,” business analysts observe that big data will create new value both in public and private sectors. Empirical research shows that the financial industry will perhaps benefit the most from big data capabilities by utilizing large amount of personal information. Korea begins putting a significant value on big data potentials. Korean financial institutions have necessarily demanded deregulation of utilizing personal information to fully take advantage of big data systems for their businesses. Likewise, the Korean government wants to promote a favorable environment for big data utilization. One tangible effort is to relax the regulatory burdens as shown in Big Data Personal Information Protection Guideline (“Big Data Guideline”) published by a governmental authority, the Korea Communications Commission. According to the guideline, personal information managers can collect, use and transfer publicly available information and customer’s usage history information without prior consent if the information is de-identified. However, Korean regulatory agencies are rather cautious of allowing personal information utilization by virtue of big data because they experienced a series of high profile and serious personal information leakage incidents by big corporations in recent times. The Korean Personal Information Protection Act (“PIPA”), known as one of the far-reaching and austere personal information protection laws in the world, is a byproduct of this heightened concern. PIPA strictly requires prior informed consent when a person collects or utilizes other person’s personal information. With the backdrop of this arguably tense atmosphere in Korea, this thesis will attempt to deal with the relevant legal issues surrounding financial institutions’ use of publicly available information and usage history information without prior consent. First, it is posited that it is too risky for financial institutions to solely rely on the Big Data Guideline because it is an administrative rule, lacking relevant statutory basis. Second, de-identification as a sole prerequisite to consent exemption is a vulnerable method. Information profiling enables re-identification of once de-identified personal information, and thus the re-identified information should be subject to PIPA’s prior consent requirement. Especially, much of usage history information is sensitive information where PIPA adds extra caution. Third, taking publicly available personal information for profit is against the Constitutional right of self-determination on personal information. In order to fully appreciate the merits of big data but minimizing infringement of personal information rights, this thesis delivers two possible suggestions. First, PIPA should be amended with possibly three options to relieve or relax the current statutory regulation. The administrative rule alone, possibly conflicting with PIPA, falls short of truly encouraging financial institutions to benefit the value of big data given the reality of harsh potential penalties under PIPA. Secondly, anonymization should be adopted instead of de-identification as a pre-condition to allow personal information utilization without prior consent as UK, EU and Japan.