Rule or Standard: The De-Identification of Personal Information in Korea

Korea is a data-rich country with huge potential in this era of the data-driven economy. Nonetheless, it is unclear if the country is actively utilizing its potential. A central reason for this hesitancy appears to be related to Korea’s strict privacy law regime. In an effort to encourage utilization of data, the Korean government issued multi-agency de-identification guidelines in 2016. The guidelines rely heavily on the statistical concept of “k-anonymity.” In the context of academic discourse distinguishing between rules and standards, the adoption of k-anonymity can be identified with the adoption of a rule. By analogy, employing the concept of k-anonymity is akin to imposing the same speed limit in all cases, regardless of road conditions such as the traffic situation, time, and number of lanes. On the other hand, a standard would demand that drivers drive at a reasonable speed. As such, while a rule is simpler and easier to follow, a standard could be adapted to suit diverse circumstances. This article suggests that Korea needs to adopt a risk-based approach for de-identifying personal information and argues that a risk-based approach would be predicated upon providing a suitable standard, not a rule.