By Sunny Um and Seo Jeong Yun WIRED Korea

In December 2009, a lesbian mother stood against lawyers from the online movie rental giant Netflix in the United States District Court for the Northern District of California. As a Jane Doe, she argued that Netflix spilled her private data, including her sexual orientation, to the public.

Three years before the lawsuit, Netflix disclosed the records of a half-million seemingly unidentifiable users from December 1999 to December 2005 to the participants of the “Netflix Prize”, a competition launched to improve the movie recommendation algorithms. The records include the watch history and the assigned ratings from the users.

Netflix claimed that all records were “anonymized” as it scrubbed out any user-identifiable details, such as usernames, and replaced them with “a numeric identifier unique to the subscriber”.

Doe, the lead Plaintiff, believed that there still was a risk of herself being identified in the data set, and the rental service violated the Video Privacy Protection Act. The act bans any “videotape service provider” from “knowingly disclosing the personally identifiable information concerning any customer of such provider”.

As the controversy went on, Netflix called off the second contest and settled the case out of the court in March 2010. But there is no U.S. federal law that specifically prohibits companies from using people’s personal data with fake identifiers.

Privacy is an issue of great concern to Korea as well, with civic groups demanding tightened protection. As such, three revision bills on data regulation had been pending more than a year until the National Assembly passed them last week. They were the Personal Information Protection Act, the Protection of Credit Information Act and the Information and Communications Network Act.

With the Personal Information Protection Act now revised, businesses can use the personal data with identifiable names replaced with pseudonyms with no permission obtained from the persons concerned. The revised Protection of Credit Information Act allows the financial entities to use the pseudonymized financial data in the similar manner.

But this does not mean that pseudonymized data can be indiscriminately used. Its use is limited to compiling statistics, for both commercial and non-commercial purposes, doing research and promoting public interest.

The Information and Communications Network Act is revised to transfer the right to monitor online private policy breaches to the Personal Information Protection Commission, an independent commission government agency. Previously, the Ministry of the Interior and Safety, together with the Korea Communications Commission, did the monitoring job, raising suspicions about data integrity.

The de-identified personal data, not containing the person’s name and resident registration number, may now include some other personal information, such as income, age, and spending, all of them being key components of the big data.

The amendments are certain to bring changes to finance and other industries. For instance, there will probably be a surge in the demand that client financial data held in the possession of individual financial institutions be shared by other business enterprises. The financial institutions concerned are now required to share their client data when a third party demands it with permission from the client.

Another outcome of the legislative change, experts say, would be the emergence of a new type of service provider, who will take the process of collecting personal financial data for its customers.

There would be many other beneficiaries. A software writer, for instance, may use statistical information derived from a certain type of pseudonymized personal data in designing an artificial intelligence-powered algorithm for the provision of a specified service, such as healthcare for the elderly. Such an algorithm may learn better from the big data, made bigger with the inclusion of pseudonymized personal data, and consequently perform better.

Healthcare and pharmaceutical industries are set to benefit, too. The Korea Pharmaceutical and Bio-Pharma Manufacturers Association has high hopes that the business environment will change for the better.

In its statement issued after of the passage of the revision bills, the special interest group said what it called excessive personal data protection was a hindrance to the development of new drugs and that more drugs will be in the pipeline with the obstacle removed now.

“The amendments will provide a turning point in the provision of healthcare, with new drugs set to be developed and medical services to be customized, both with the use of AI and big data,” it said.

The revision of the laws has undoubtedly paved the way for a wider sharing of personal data between Korean and European corporations. With personal data integrity called into question in Korea, the European Union has not authorized an unhindered exchange of personal data with Korean companies.

The European Union started to control cross-border data transfers from when the General Data Protection Regulation came into force in 2018. Companies from a non-European country need a specific authorization to manage the data of Europeans, including targeted marketing. When it comes to a review of non-European countries by the European Union, the revision of the law will certainly cast Korea in a more favorable light.

Nonetheless, the People’s Solidarity for Participatory Democracy voices a grave concern about the use of pseudonymized data, which it says often contains very sensitive personal information, such as medical, financial and criminal records. The civic group warns such information can be used for voice phishing and crimes.

“The three data laws allow the companies to sell, buy, and store personal data permanently without permission from the people involved, as long as it’s pseudonymized,” it said in a statement.

Some others are more vociferous in condemning the use of personal data without permission which they claim constitutes an infringement upon human rights. “Obtaining and processing personal information, be it anonymous or not, and acquiring an added value from it without the consent of the individuals involved can be a violation of human rights,” says a Representative Ji Sang-wook of the opposition Liberty Korea Party.

Also, persons can be identified when their pseudonymized data is combined with some other data sets with fake identifiers. For example, the New York Times reporters were able to track down and identify several individuals from the “anonymized” search-engine logs from AOL within days after the data release in 2006.

“Some companies may have an urge to identify each person [in a data set], but they say [the data] will be safely encrypted by an authorized institution,” says Lee Ji-eun, a coordinator of the Public Interest Law Center of the PSPD.