The Personal Information Protection Commission (PIPC) of South Korea convened a meeting with major public institutions, including the Ministry of the Interior and Safety, Ministry of Land, Infrastructure and Transport, and National Pension Service, to discuss strengthening the safety of personal data transfers. This initiative follows the amendment of the Personal Information Protection Act Enforcement Decree, which was promulgated on February 19 and will take effect on August 20, 2024. The meeting aimed to explain the expanded scope of personal data transfer rights and the necessary preparations for public system operators newly included under the revised law. The focus is on ensuring that individuals can securely transfer their personal information, moving away from less secure methods like data scraping.
Public system operating agencies, defined by criteria such as the scale of data processing and number of authorized handlers, are directly impacted by these changes. These agencies must now prepare for API-based data transfers, update their website terms of use, and ensure that information about transfer methods, eligible data, procedures, and status is publicly available online. The law restricts automated scraping of personal data without prior consultation, except for cases where trusted agents, such as certified personal information management institutions, act as intermediaries. This shift aims to improve both the safety and reliability of personal data transfers within the public sector.
The revised enforcement decree expands personal data transfer rights from previously limited sectors like healthcare and telecommunications to all areas. Public system operators are required to implement secure transfer methods and update their websites by August 2024, detailing the rights and procedures for individuals. The Commission recommends transitioning from scraping to API-based transfers, allowing temporary scraping only when trusted agents are involved and prior consultation is conducted. Agencies must revise their terms of use to clarify that automated scraping without consultation is prohibited, and cooperate with certified intermediaries during the transition period.
Frequently asked questions include: What is the new requirement for public institutions? Public institutions must adopt API-based data transfer methods and restrict scraping, ensuring secure and transparent processes. Who can act as intermediaries for data transfers? Only government-recognized agencies, such as certified personal information management institutions, are permitted to act as intermediaries and use APIs. What is the deadline for compliance? All requirements must be implemented by August 20, 2024, with temporary exceptions for trusted agents during the transition. These changes are designed to protect individual rights and enhance trust in public data handling.
Metaqsol opinion: South Korea’s policy revision demonstrates a strong commitment to improving personal data security and transparency in the public sector. By expanding transfer rights and requiring API-based methods, the government addresses longstanding concerns about data scraping and reliability. The structured timeline and involvement of certified intermediaries provide clarity and reduce transition risks. This approach is expected to enhance public trust and set new standards for data governance.