Computers, Privacy & the Constitution

DaljaeParkSecondPaper 3 - 07 May 2024 - Main.DaljaePark
Line: 1 to 1
 
META TOPICPARENT name="SecondPaper"
-- DaljaePark - 23 Apr 2024
Line: 10 to 10
 

I. Background

Changed:
<
<
In the world of globalization and digitalization, the transfer of data, especially including “Personal Data”, seems a somehow irresistible flow by now. However, prior to the comprehensive revision of the “Big 3 Data Acts”, including the Personal Information Protection Act (“PIPA”), in August 2020, South Korean legislation de facto prohibited overseas transfer of personal data. However, following the aforementioned revision, South Korean legislation permits overseas transfer of personal data when it aligns with the requirements in the Framework for overseas transfer of personal data (the “Framework”).

The Framework was understood as comparable to or incorporating core aspects of the GDPR (Global Data Protection Regulation) of the EU. This perception arose from the adequacy discussions initiated between South Korea and the EU, which started in 2017, and the subsequent joint declaration by South Korea and the EU of a high level of adequacy between their respective Frameworks in March 2021, which was based on the aforementioned revision of the relevant statutes of South Korea.

However, it does not inherently guarantee the Framework's constitutionality or offer sufficient privacy protection. From my perspective, several contentious issues remain unresolved.

>
>
In the world of globalization and digitalization, the transfer of data, especially including “Personal Data”, seems a somehow irresistible flow by now. Prior to the comprehensive revision of the “Big 3 Data Acts”, including the Personal Information Protection Act (“PIPA”), in August 2020, South Korean legislation de facto prohibited overseas transfer of personal data. However, following the aforementioned revision, South Korean legislation permits overseas transfer of personal data when it aligns with the requirements in the Framework for overseas transfer of personal data (the “Framework”). The Framework was understood as comparable to or incorporating core aspects of the GDPR (Global Data Protection Regulation) of the EU. However, it does not inherently guarantee the Framework's constitutionality or offer sufficient privacy protection. From my perspective, several contentious issues remain unresolved.
 

II. Summary of the Framework in South Korea

Line: 32 to 28
 

III. Discussion and Conclusion - Is the Framework enough or constitutional?

Added:
>
>

a. Background - Is the "Consent" of data subject a relevant consideration?

In light of the massive surveillance scandal of the US and other western countries, the concept of the "Transactionality of Privacy", which is regarded as a significant assumption in the privacy legal framework of many countries, may be deemed totally irrelevant and fundamentally inappropriate, as criticized in Professor Moglen's Snowden lectures. Nevertheless, irrespective of the pedagogical or academic feasibility of such criticism, it is challenging to refute that the notion of "Transactionality" of Privacy, ensuring the right of consent, serves as the last gatekeeper for preserving fundamental constitutional rights within the current legal framework anyway. Therefore, the following discussion does not seek to challenge the fundamental approach of the current framework, but rather aims to analyze its deficiencies in protecting the data subject's fundamental and constitutional rights within existing legal circumstances.

b. Discussion

  The new Framework of South Korea places emphasis on “Separate Consent”, which differentiates between ‘consent to transfer personal data overseas’ and ‘consent to “process” personal data’ (including collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, output, correction, recovery, use, provision, disclosure, and destruction of personal information and other similar activities, as defined by Art. 2 (2) of PIPA).

However, I believe that “Separate Consent” for transferring personal data overseas does not have a substantive effect on the protection of privacy.

Line: 51 to 54
  The central question is not one of procedural detail. Why is consent the relevant consideration in dealing with an essentially environmental problem? I discussed this in the Snowden lectures and again in class. If consent is the relevant consideration in what is viewed as a transactional rather than social situation, then you should be able to show that. If it is not, if standards rather than gestures of individual decision-making are actually required, then GDPR-like approaches are irrelevant where they are not harmful.

Added:
>
>
(Daljae Park) I do understand your perspective on the notion of the "Transactionality of Privacy" being deemed irrelevant and misleading, as you extensively discussed in your Snowden lectures and during this semester. However, even though such a notion poses serious risks of unconstitutionality, I still believe in the importance of analyzing the deficiencies within the current legal framework. This is because (i) if a comprehensive revision of the current legal framework, which is based on your approach, cannot be achieved in the near future, ensuring the consent rights of individuals would remain one of the most favorable interim tactics to protect fundamental rights; and (ii) considering the technical aspects of legislative drafting, a microscopic revisionary approach under the current legal framework is necessary alongside revolutionary macroscopic changes; and (iii) personally, as a practitioner, I could not find any alternative to protect the individual's fundamental right as well as the above-mentioned concept. In summary, while I agree with your remarks, I respectfully disagree with the assertion that the concept of the "Transactionality of Privacy" is entirely irrelevant within the legal framework. Therefore, I have revised my essay briefly in accordance with your comments and have retained other discussions.

 
 

DaljaeParkSecondPaper 2 - 04 May 2024 - Main.EbenMoglen
Line: 1 to 1
 
META TOPICPARENT name="SecondPaper"
-- DaljaePark - 23 Apr 2024
Line: 47 to 47
  Nevertheless, the impact of the revision was minimal, and subsequent changes were negligible, particularly for financial institutions. In respect of supervision and examination by supervisory authorities, it is almost impossible to prove adequacy of the system they used. This difficulty arises from the lack of technical expertise among supervisors, and the absence of specific guidelines to ascertain the adequacy of such systems. Consequently, financial institutions tend to adopt systems that have been verified in prior examinations or supervisions by regulators. This situation exemplifies another instance of 'under-regulation', highlighting the need for revisions to establish rules including minimal technical requirements to fulfill the purpose of protection.
Added:
>
>
The central question is not one of procedural detail. Why is consent the relevant consideration in dealing with an essentially environmental problem? I discussed this in the Snowden lectures and again in class. If consent is the relevant consideration in what is viewed as a transactional rather than social situation, then you should be able to show that. If it is not, if standards rather than gestures of individual decision-making are actually required, then GDPR-like approaches are irrelevant where they are not harmful.

 
 

DaljaeParkSecondPaper 1 - 23 Apr 2024 - Main.DaljaePark
Line: 1 to 1
Added:
>
>
META TOPICPARENT name="SecondPaper"
-- DaljaePark - 23 Apr 2024

Framework for Overseas Transfer of Personal Data in South Korea - Is it really enough to protect the right of privacy?

I. Background

In the world of globalization and digitalization, the transfer of data, especially including “Personal Data”, seems a somehow irresistible flow by now. However, prior to the comprehensive revision of the “Big 3 Data Acts”, including the Personal Information Protection Act (“PIPA”), in August 2020, South Korean legislation de facto prohibited overseas transfer of personal data. However, following the aforementioned revision, South Korean legislation permits overseas transfer of personal data when it aligns with the requirements in the Framework for overseas transfer of personal data (the “Framework”).

The Framework was understood as comparable to or incorporating core aspects of the GDPR (Global Data Protection Regulation) of the EU. This perception arose from the adequacy discussions initiated between South Korea and the EU, which started in 2017, and the subsequent joint declaration by South Korea and the EU of a high level of adequacy between their respective Frameworks in March 2021, which was based on the aforementioned revision of the relevant statutes of South Korea.

However, it does not inherently guarantee the Framework's constitutionality or offer sufficient privacy protection. From my perspective, several contentious issues remain unresolved.

II. Summary of the Framework in South Korea

Ironically, there is no provision for justifying “Overseas transfer” of personal data in the legislation, statutes, regulations, and rules of South Korea. Consequently, without explicit authority, the “Overseas transfer” of personal data is generally interpreted as the transfer (including inquiry) of personal data (by the definition in PIPA) between servers or computers located overseas. The requirements for overseas transfer of personal data in the current Framework are the following:

  • Obtain separate consent from the data subject, after providing prior notice from a personal data controller. This notice should include specific details such as a list of the personal data transferred, transfer date, method and destination country, purpose of transfer and usage, period of retention and usage, as well as the method and consequences of refusal.
  • Special provisions in a statute, a treaty, or other international conventions.
  • In any case requiring personal data processing and retention for the conclusion and execution of a contract with the data subject, either through prior disclosure in the privacy policy or notice that contains the specific details that should be included in the notice for the aforementioned separate consent.
  • Where the recipient of personal data obtains relevant certification of personal information protection by the Protection Commission, a governmental agency.
  • Where the Protection Commission recognizes that the Framework of the recipient country is substantially equal to the level of the South Korean Framework.

Also, a personal data controller that intends to transfer personal data overseas shall take the protective measures described in the presidential decree and rules. However, also ironically, the relevant rules do not technically prescribe the details of such measures, and are rather based on principles and conceptions, like minimized process, transparency, safety, responsibility.

III. Discussion and Conclusion - Is the Framework enough or constitutional?

The new Framework of South Korea places emphasis on “Separate Consent”, which differentiates between ‘consent to transfer personal data overseas’ and ‘consent to “process” personal data’ (including collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, output, correction, recovery, use, provision, disclosure, and destruction of personal information and other similar activities, as defined by Art. 2 (2) of PIPA).

However, I believe that “Separate Consent” for transferring personal data overseas does not have a substantive effect on the protection of privacy.

First, suppose data is transferred overseas under the control of the personal data controller, without involving a transfer of personal data to third parties. In such cases, it simply involves relocating the physical storage location, and the controller of personal data remains subject to South Korean jurisdiction. However, under the new Framework, the controller of personal data is required to obtain separate consent, which can be seen as another superficial procedure imposed by bureaucratic officials.

Second, under PIPA, there is another ‘separate consent’ scheme on providing personal data to ‘third parties’, including domestic and foreign recipients. This implies that to provide personal data to foreign recipients, the controller of personal data must obtain three distinct consents from the data subject: one for collection, one for provision, and one for overseas transfer. However, requiring an additional consent specifically for overseas transfer may not serve as an effective safeguard, as the data subject has already confirmed the foreign recipient and consented to provide the data.

In short, it is challenging to find a rationale to support the “Separate Consent” scheme for transferring personal data overseas. It represents another form of overregulation, potentially running afoul of Art. 37(2) of the South Korean Constitution, which pertains to the principle of ‘the Less Restrictive Alternative’ in constitutional adjudication, mirroring the U.S. Supreme Court's position as seen in the well-known case Shelton v. Tucker, 364 U.S. 479, 487 (1960).

Next, technical provisions. In the initial stages of the Big 3 Data Acts, including PIPA, policy makers leaned toward a more technical approach to ensure the adequacy of protection measures or other necessary measures for personal data. However, during discussions for the comprehensive revision of the Big 3 Data Acts, regulators encountered criticism against this technical approach, due to its tendency to rely on limited technologies or programs. Therefore, PIPA departed from its previous technical approach, and adopted more conceptual, principle-based rules for protection measures after the revision.

Nevertheless, the impact of the revision was minimal, and subsequent changes were negligible, particularly for financial institutions. In respect of supervision and examination by supervisory authorities, it is almost impossible to prove adequacy of the system they used. This difficulty arises from the lack of technical expertise among supervisors, and the absence of specific guidelines to ascertain the adequacy of such systems. Consequently, financial institutions tend to adopt systems that have been verified in prior examinations or supervisions by regulators. This situation exemplifies another instance of 'under-regulation', highlighting the need for revisions to establish rules including minimal technical requirements to fulfill the purpose of protection.

 

META TOPICMOVED by="DaljaePark" date="1713908133" from="CompPrivConst.DaljarParkSecondPaper" to="CompPrivConst.DaljaeParkSecondPaper"

Revision 3 (r3) - 07 May 2024 - 14:16:07 - DaljaePark
Revision 2 (r2) - 04 May 2024 - 15:09:05 - EbenMoglen
Revision 1 (r1) - 23 Apr 2024 - 21:35:33 - DaljaePark
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.