South Korea

HMPPartnerCS Ahn

By Chan Sik Ahn, HMP Law

 

In thinking about big data, the legal collection, use and storage of information obtained from countless individuals has emerged as a big concern for all companies and organizations. Despite the trend to gather ever more data, the Republic of Korea’s Personal Information Protection Act still chooses the opt-in method, which requires every individual’s prior consent allowing their personal information to be collected. Under the Constitution, each individual’s right to control access to their particulars seems inevitable; however, society is coming to realize that this right frequently conflicts with so-called big data collection. As a result, as new methods have appeared enabling either the anonymizing or pseudonymizing of personal information without gaining prior consent from the individuals concerned, de-identification measures are now attracting the attention of numerous companies in light of corporate compliance issues.

Recently, the Seoul High Court rendered a significant judgment in dealing with the de-identification of personal information in the so-called “Korean Pharmaceutical Information Center Case” (the “KPIC Case”). This is a case of second instance, still pending at the Supreme Court. Besides this civil lawsuit, a criminal case is still pending at first instance and an administrative case has been finalized. Amongst a variety of issues related to the usage of personal information, this Article is designated to focus on the de-identification of personal information to highlight the significance of corporate compliance, related to relevant rulings and legal reasoning, as written in the judgment of the KPIC Case.

Plaintiff / Defendant and Factual Grounds

Plaintiffs consist of patients (the “Patients“) who submitted prescriptions to pharmacists after receiving medical treatment from doctors (the “Doctors”) who wrote and issued those aforementioned prescriptions. The two Defendants are, firstly, a foreign company (the “Company”) which developed a software tool named PM2000 that automatically transmits, to its headquarters in the United States, certain items of personal information contained in the prescription, such as the resident registration number of the Patients, their date of birth, the name and license number of the relevant medical personnel, the disease classification symbol, and the names and volumes of the prescribed drugs (the “Prescription Information”), and, secondly, the KPIC which installed the PM2000 software in Korean pharmacies in order to send the Prescription Information to the Company.

After receiving the Prescription Information transmitted from the KPIC at its head office in the United States, the Company has subsequently sold that on to other pharmaceutical companies. Ever since the National Health Insurance of Korea was introduced in 1974, Korea’s classification system related to Prescription Information and the data thus gathered has been regarded as world class; therefore, the KPIC Case is garnering a great deal of attention in consideration of the fact that Prescription Information has already been sold to foreign pharmaceutical companies.

Judgment of the Court of First Instance (Case number 2014Gahap508066·2014Gahap538302, issued on September 11, 2017 by the Seoul Central District Court)

Criteria for the Judgment of the First-instance Court

The criteria for the de-identification of personal information was that, with an appropriate method of personal information such as encryption, any particulars that are found unable to be identified with a given individual will not be regarded as personal information as defined under Article 2 (1) of the Personal Information Protection Act. Nevertheless, it shall be regarded as personal information if there is even a small possibility of re-identification afterwards.

The question of whether appropriate de-identification measures have taken place will be determined based comprehensively upon: (i) the nature of the source data, (ii) the particular context in which the de-identified information has been processed, (iii) the level of technique or detail involved in such de-identification measures, (iv) the purpose and the method of the data collection, (v) the terms of use of said data, (vi) the possibility of re-identification in line with technical expertise, and any economic profit gained by doing so, (vii) possible benefits of re-identification accruing to parties already provided with de-identified information, (viii) the level of privacy protection given by parties who receive de-identification information, (ix) the possibility of combining de-identified information with external information about the same data subject, (x) the relationship between the provider of de-identified information and the party who receives it, (xi) and the management and control of access rights to de-identified information.

The Assessment of De-identification by the Court of First Instance

According to the abovementioned de-identification criteria, the court of first instance made a finding as to whether the Prescription Information (as it is received by the Company’s head office) shall be deemed personal information.

The encrypted medical license number is comprised of several numbers rearranged in a predetermined order. For instance, ‘1234567’ may be shuffled as ‘6327145’. In light of this method, the court found that the medical license number in the Prescription Information shall not be regarded as personal information due to the fact that an appropriate de-identification process has been carried out. There could have been some controversy as to whether this particular method was sufficient as a form of de-identification measure, but the Plaintiffs withdrew that item from the relief sought in the demand in their appeal to the High Court.

On the other hand, as for Prescription Information, the court of first instance applied different criteria to judge the first, second and third encryption methods as the KPIC gradually improved them over time.

First of all, the first encryption method was a bi-directional process to convert the 13-digit Patients’ registration number to letters of the alphabet in a pre-determined order (the “Data Masking”). For example, the resident registration number ‘541008-1030024’ may be converted into ‘delafjhafcjnd’. As such, it was possible to decrypt the data since the method was bi-directional, which means that the same method can be used to decrypt the data as to encrypt it.

The second encryption method was to encrypt the Patients’ resident registration number using ‘SHA-512’, a one-way encryption method. This SHA-512 form of encryption, impossible to be decrypted, utilizes a hash function that converts specific data into a 128-digit value composed of numbers and letters. For instance, the resident registration number ‘780708-2177911’ may be converted into:

‘25525ab9f38678f802c8dd416bd488132c0682919f004986a328c125a3f192a934d482c371af2e2476fc66cfc257e0d6d58c83f536f36a2aa0e80caba39b0ebb’

The third encryption method functions in the same way as the second method, but instead of the resident registration number, individuals are identified by the Patients’ name, date of birth, gender information, and others encrypted with SHA-512.

Evaluating the encryption techniques, using the first method, it is possible to find the order and decrypt the data. On the other hand, since the second and third encryption algorithms involve hash functions, data of any length can be converted into output values of 512 bits, which makes it impossible to decrypt without knowing the correct function value.

Based upon the methods described above, the court of first instance deemed data processed using the first encryption method as personal information that could be decrypted, whereas the data of the second and third encryption methods, which cannot be decrypted, shall not be regarded as personal information according to the Personal Information Protection Act.

Defendants’ Liability for Damages

Whereas the court of first instance found a violation of Personal Information Protection Act via the first encryption method, it had difficulty admitting the Defendant’s liabilities for non-economic damages and compensations, since (i) it is hard for any third parties to identify individuals through the encrypted data even if the Defendants can decrypt the data, (ii) third parties’ access to the data is theoretically impossible, and (iii) there existed no anticipated secondary damages.

Regarding this judgment, some level the criticism that the extent of compensation has been set overly strictly, while some other opinions agree with the court’s decision to deny damages and leave the control of such risk to administrative or criminal procedures.

Judgment of the Court of Second instance (2017Na2074963·2017Na2074970, given on May 3, 2019, by the Seoul High Court)

After the first instance, Plaintiffs appealed, and the Seoul High Court rendered a relevant judgment on May 13, 2019.

Even though the Seoul High Court found the same conclusion that the Defendants were not obliged to compensate Plaintiffs for damages, nevertheless, the Court rendered a different judgment as to whether Defendant KPIC’s de-identification had been processed appropriately and whether the Prescription Information fell into the range of personal information.

First of all, the matter concerning the medical license numbers was not addressed by the High Court, as Plaintiffs had withdrawn it from the relief sought in the demand when they appealed. Nonetheless, with regard to the Prescription Information of the Patients, considering the fact that the first encryption method could be decrypted to some extent, the High Court also recognized that proper de-identification steps were not taken.

Secondly, as for the second and third encryption methods, previously seen as properly de-identified in the first instance, the High Court also found no disputable issue regarding these methods, as they could not be decrypted due to the hashing.

Despite the foregoing, the High Court raised the question of whether the second and third methods had successfully de-identified the Prescription Information, as (i) the Defendants already owned data which could be decrypted via the first encryption method, (ii) based on this previous data, the data encrypted by the second and third methods could be decrypted in the same manner, and (iii) the server possessed the matching table to decrypt any data that had been processed by the first method. In the relevant criminal judgment, the prosecution confiscated the defendant’s server and verified that it was possible to decrypt the data.

In other words, in spite of the sufficient encryption method itself, the second and third encryption methods were not regarded as appropriate de-identification measures, because of the existence of a matching table to process decryption. No matter how strong the defense barriers were built up, it would not be meaningful if the key to open the gate was handed over to others. Regarding this, the Company claimed that it had received the matching table but had never used it to decrypt the data and had no intention to gain any economic interest through such a process. However, the High Court ruled that it would not be necessary to consider the data recipients’ motives, interests, and methods to use such information in evaluating the de-identification.

Therefore, the High Court rendered the judgment that all the data in the KPIC Case, regardless of the encryption stages, violated the Personal Information Protection Act as the Defendants had collected personal information without any prior consent of individuals and provided them to third parties.

As in the court of first instance, the High Court also rejected the Defendants’ alleged obligations to compensate damages, but it added another reasoning, namely that the data had been used for statistical purposes only.

How to Deal with the De-identification Measure

Despite the government’s publishing of the ‘Personal Information De-identification Guideline’ in 2016, many companies continue to face ambiguity in terms of utilization of personal information, since the contents of the guidelines are frequently in conflict with the Personal Information Protection Act. Although it seems necessary for those companies to utilize big data in order to develop new services and industries in due course, they have difficulty operating within the strict privacy regulations. Making matters worse, proposed legislation to deal with these concerns has been continuously delayed.

Therefore, the KPIC Case may be helpful to understand to what level de-identification shall be admitted and to what extent it can vary depending on the possibility of decryption of such de-identified data. In addition, companies will be contemplating compliance issues related to the KPIC Case, as the Defendants’ liabilities for non-economic damages were denied in both instances. Also, they have to keep a close eye on the future judgment by the Supreme Court as to whether it will admit any civil liabilities in the future, or if it only places administrative or criminal liabilities.

As of now, the civil court is adhering closely to the rationale that as long as the data has been de-identified via the encryption method and is unable to be in any way decrypted in the future, it will not be seen as personal information, even without having obtained any prior consent of the data subject(s). However, even in this regard, companies must examine the criteria provided in the KPIC Case, in order to determine the extent of the de-identification measures in accordance with specific circumstances and situations enumerated in the judgment.

Chan Sik Ahn Attorney at Law Partner HMP LAW

9th Floor, Shinhan Bank Building, 20, Sejong-daero 9-gil, Jung-gu

Seoul 04513, Korea

Tel. +82 2 772 2700

Mobile. +82 10 9096 4984

Fax. +82 2 772 2800

E-mail. csahn@hmplaw.com

Dir. +82 2 772 2809

Web. www.hmplaw.com

Related Articles by Firm
Impact of permit and reporting system on location information business in South Korea
Korea's permit system is unlike legislation found in other countries, such as the EU or US.
Responding quickly to personal information breaches in South Korea
What in-house lawyers should know in case of a personal information leak in Korea.
Cryptocurrency regulations and their prospects in Korea
Lawmakers and regulators have struggled to come to terms with bitcoin and other cryptocurrencies ...
Related Articles
Related Articles by Jurisdiction
Notes to foreign financial investment corporations that are starting businesses in South Korea
As of September 2019, there were 47,799 foreign investors registered with the Korea Financial Supervisory Service, including 36,190 institutional investors ...
The Gig Economy: A challenge to conventional labour law
Both employers and workers should pay attention to the issues ...
Recent revisions to the “Three Data Laws” on privacy protection in South Korea
The National Assembly of South Korea recently passed a bill to amend the so-called “Three Data Laws” of Korea — the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilisation and Information Protection ...
Latest Articles