The Data Protection Measures in line with EU Directive

The author studied the Data Protection Measures in line with EU Directive 95/46/EC under the sponsorship of the Korea Information Security Agency (KISA) for the period of June 1 to November 30, 2001. The following is the outline of the study.

Purpose and Significance of the Study

Nowadays the world-wide use of the Internet and explosive data flows across borders give rise to the increasing misuse and alteration of, and unauthorized access to and transfer of, personal data, encroaching on the privacy of data subjects. As a result, the issue of data protection is discussed more often than not on the global scale.

There are several major models for privacy protection. First, some countries, including many of the EU Member States, have a comprehensive general law that governs the collection, use and dissemination of personal information by both the public and private sectors. An oversight body ensures compliance. Second, other countries, such as the United States, have avoided enacting general data protection rules in favor of specific sectoral laws governing financial privacy, etc. Accordingly, there is a lack of an oversight agency. In some countries, for example, the United States and Japan, data protection can also be achieved through various forms of self-regulation, in which companies and industry bodies establish codes of practice and engage in self-policing. It should be noted that the EU has established full-fledged data protection rules under the OECD guidelines for data protection and requires its Member States to ban data transfer to any third country that fails to ensure an adequate level of data protection.

Therefore, in order to promote Internet-based electronic commerce, Korea should be regarded as a country which ensures an adequate level of protection in conducting trans-border data flows with Europe. This is a prerequisite for Korea to reinforce its IT power and to set standards in the Asia-Pacific Region.

This study delves into the current status of the Korean legislation with respect to data protection in view of the EU directives. Preparatory work should later be done for any discussion with the EU Commission in this regard.

Contents and Scope of the Study

This study is based upon the EU Directive and other Community laws in defining data protection. To conduct this study, the researchers visited Belgium and met with a number of specialists, including one Commissioner of the EU Commission and several experts at the Research Center of Information and Law (CRID), the University of Namur, who have been involved in the research project on data protection methodology commissioned by the EU Commission. The 23rd International Conference of Data Protection Commissioners, which was held in Paris from September 24 through 26, 2001, was also highly useful for the researchers in collecting information on the latest developments of data protection in Europe.

In the first part of this study, the data protection laws of Korea in both the public sector and the private sector will be examined. It is believed that the relevant Korean laws have incorporated the OECD privacy guidelines on data protection in line with the prevailing global standards. However, the regulations appear more or less insufficient with respect to transparency, onward transfer and the independent nature of the supervisory agency.

It is therefore suggested that a general law on data protection be established as a standard and reference for the various special laws in the private sector. Japan is now making a comprehensive law on the same subject matter. It is also true that new legislation requires burdensome preparatory work and a considerably long time to effect. In this context, it is advisable to resort to industry self-regulation or contractual solutions in order to supplement any discrepancy in Korean laws against the backdrop of the EU directives. In doing so, we can expect undisturbed information flows with EU Member States or other countries.

Result of the Study

The conclusion of this study calls for preparing for future negotiations with the EU Commission on the basis that immediate safeguards with respect to on-line data protection are necessary and important, rather than the amendment to, or establishment of, laws, which is time-consuming because it requires national consensus. In the United States, the self-regulation approach has turned out to be questionable with regard to the representative nature of associations, the level of general compliance, the enforceability of dispute resolutions, and any moral hazard of their members. It is therefore advisable for Internet service providers to declare their own data protection policy and to conclude standard contracts that ensure privacy.

To decide whether a third country offers an adequate level of protection, the EU Commission, in collaboration with the EU Data Protection Working Party, usually collects and analyses general information on data protection through the data protection supervisory bodies of Member States, local specialists, professors, lawyers, EU representatives, etc.

It is necessary and important to explain fully to the EU negotiators, and to persuade them, that the level of data protection in Korea is sufficiently adequate because:
- the relevant Korean laws are based upon the OECD privacy guidelines giving attention to the EU data protection directives;
- any problem or complaint of data subjects is thoroughly investigated and mediated by an independent body with possible remedies;
- a private association of information and telecommunication service providers is going to implement privacy mark labeling;
- industry-wide self-regulation instruments and general terms incorporating an EU standard contract on data protection are discussed for early implementation; and
- the authorities concerned are staging a nation-wide campaign to respect personal information in general.

Practical Usage of the Study

This study presents various useful approaches to the preparation for the future negotiations with the EU Commission, which adheres to a kind of reciprocity in data protection. It calls for a division of efforts between the government and the private sector in order to introduce the current status of Korean legislation on data protection to the EU representatives, and to refer to the case studies which involve major countries including Canada, Australia and Japan. At the same time, it is necessary to implement industry-wide self-regulation instruments and contractual solutions.

Expected Benefits

This reveals that the future negotiations with the EU are not beyond our capacity. Therefore, stepped-up public relations, in particular with overseas data protection bodies and counterparts, the establishment of an independent supervisory body and, in the long run, new legislation based upon global standards will be helpful to ensure the adequate level of data protection.

Contents

  Chapter 1  Introduction
    I.   Purpose and Necessity of the Study
    II.  Scope and Method of the Research

  Chapter 2  Current Status of Data Protection Regime
             in Korea
    I.  Data Protection Legislation
       1. Overview
       2. Public Sector
       3. Private Sector
    II.  Data Protection in the Public Sector
       1. Applicable Laws
       2. Scope of Application
       3. Collection of Personal Data
       4. Use and Transfer of Personal Data
       5. Access to Personal Data
       6. Supervisory Body
       7. Remedies and Sanctions
       8. Legislative Issues
    III. Data Protection in the Private Sector
       1. Overview
       2. Act on Information Network Utilization and 
          Data Protection, etc.
       3. Other Regulations
    IV. Industry Self-Regulation
    V.  Dispute Resolution on Data Protection

  Chapter 3  Data Protection in EU
    I.   Data Protection Principles
       1. Privacy and Human Rights
       2. EU Data Protection Guidelines
    II.  EU Data Protection Standards
       1. Working Document
       2. Data Protection Criteria
       3. Self-Regulation Approach
       4. Contractual Solutions
       5. Exceptions
       6. Decision Process
    III. Procedural Issues
    IV. Third Country Issues
       1. Overview
       2. Council of Europe Convention Countries
       3. United States of America
       4. Other Third Countries
    V.  Preparatory Works

  Chapter 4  Prospects
    I.   Strategies
       1. Case Studies
       2. Applicability in Korea
       3. Strategic Approach
       4. Technological Issue
    II.  Modifications in the Public Sector
       1. Scope of Application
       2. Data Protection Principles
       3. Supervisory Body
       4. Remedies
    III. Enhanced Data Protection in the Private Sector
       1. Applicability
       2. Possible Comprehensive Legislation
       3. Comparison with the EU Standards
       4. Stepped-up PR Strategy

   References

   Appendices
       1.  EU Directive 95/46/EC (translation)
       2.  EU Working Document on Transfers of personal data
           to third countries (condensed translation)
       3.  EU Standard Contractual Clauses (excerpt)