Protection of Personal Credit Information in the Cross-border Financial Transactions

This is the abstract of an article on the protection of personal credit information in South Korea, which is contained in the Kyung Hee Law Journal, Vol.41 No.1, published in June 2006.

These days consumers are increasingly concerned about the possible abuse and misuse of their credit information. Upon hearing endless reports of ID theft and leakage of personal information, the affected data subjects are inclined to file group lawsuits for compensation against the game companies and financial institutions deemed responsible for the incidents.

However, in the Information Age, it is useless and unwise to hide personal information. A brisk flow of favorable credit information will considerably enhance the credit availability and job opportunities of a data subject. For example, in Internet banking, an active flow of credit information is conducive to the appropriate risk management of financial institutions. It also helps them to assess the credit standing and identify the financial needs of customers so as to develop new financial products and to conduct aggressive marketing.

The situation is all the more important in cross-border financial transactions. If an unauthorized use of a person's credit information results in credit fraud in a foreign country, we cannot figure out the scope of financial damage to the data subject as well as irrecoverable damage to his credit.

In this case, we can count the EU Directive on data protection, which regulates the conditional data export to a third country, as a universal norm governing credit data flow. In the United States, there are the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley Act. In particular, the GLBA purports to supplement the existing privacy provisions of the FCRA.

The GLBA financial privacy rule requires financial institutions to provide each consumer with a privacy notice at the time the consumer relationship is established and once a year thereafter. The privacy notice must explain the information collected about the consumer, where that information is shared, how that information is used, and how that information is protected. The notice must also identify the consumer's right to opt out of the information being shared with unaffiliated parties. On the other hand, the GLBA safeguards rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients' nonpublic personal information. This plan must include: (1) designating at least one employee to manage the safeguards, (2) conducting thorough risk management in each department handling the nonpublic information, (3) developing, monitoring, and testing a program to secure the information, and (4) changing the safeguards as needed with the changes in how information is collected, stored, and used. In 2003, the FCRA was amended by the Fair and Accurate Credit Transactions Act (FACTA, Public Law 108-159) to guard against identity theft.

Once credit information is infringed upon by means of phishing, pretexting, hacking or other illegal acts, the resulting damage is almost immeasurable. So the financial institution is primarily held responsible for the data security of the financial information of its customers. If a customer argues that his credit information has been harmed by the negligent management of financial institutions, the institutions have to investigate the disputed information. Also, users of the information for credit, insurance, or employment purposes must notify the consumer when an adverse action is taken on the basis of such reports. A proposed amendment to the GLBA (H.R. 3997) will oblige the relevant financial company to provide a free credit report service to the affected customers so that the accuracy and completeness of the report may be verified or contested by them. It sounds reasonable because customers are not in a position to know the occurrence of, or to identify, the real damage arising out of the infringement upon their credit information.

In Korea, the Act concerning the Use and Protection of Credit Information (the "Act") has been under in-depth discussion and year-long debates for the necessary revision. At present, three amendments to the Act have been presented to the National Assembly by lawmakers of the Ruling Party and the Opposition Parties.

In short, the writer is of the opinion that identity information requires the high-level "opt-in" consent of the data subject, while a low-level negative consent or "opt-out" is necessary for the credit transaction information (Item 2 of Article 2, the Enforcement Decree of the Act) and the credit capacity information (Item 4 of the said Decree). Promoting the data flow and processing of such credit information is very helpful to the banking industry.