The Right to be Forgotten under Korean Legal System May 16 2012 Yun, Jae Suk
I Meaning change of privacy IV VI III V II Necessity of the right to be forgotten The right to be forgotten under Korean legal system Limit of the right to be forgotten Government policy for the right Conclusion Contents
The idea of privacy Decisional privacy Information privacy Right to be let alone • Griswold v. Connecticut(1965) • Roe v. Wade(1973) • Privacy as an individual’s right to control, edit, manage, and delete information about them(selves) and decide when, how, and to what extent information is communicated to others(Alan Westin, 1967) • The right to privacy(Warren & Brandeis, 1890) • Yellow journalism & new technologies(camera…) in 19C • Protection of private space
The idea of privacy Network privacy or Internet privacy Difficult to define the precise meaning of privacy • Family resemblance (Ludwig Wittgenstein) • Changes with technologies(newspaper, camera, computer, DB, etc.) • Result of history and knowledge (Western countries vs. Eastern countries, US vs. Europe) • Threats to the privacy on the Internet • Threats from multiple ISPs, not just from national authorities • Different and limited effect of assertion of privacy right
2. Necessity of the right to be forgotten
Digital Scarlet Letter Durability Comprehensiveness Accessibility • Digital data never disappears • Never escape from the past memory • Easy to access digital memory • Once permitted, difficult to block spread of the information • Capability of search engines • incompleteness LOOKS LIKE complete, precise and objective • Individuals lose self-control on his/her own information
Proposal for a Data Protection Regulation (EU) Right to be forgotten and to erasure (Article 17) • Individuals will have a general right to be forgotten, enabling them to force organizations to delete personal data stored about them "without delay." • When someone demands the erasure of personal data, an Internet Service Provider “shall carry out the erasure without delay,” unless the retention of the data is “necessary” for exercising “the right of freedom of expression,” as defined by member states in their local laws. • The regulation creates an exemption from the duty to remove data for “the processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression.” • In theory, the right to be forgotten addresses an urgent problem in the digital age • It is very difficult to escape your past on the Internet now that every photo, status update, and tweet lives forever in the cloud. • European regulation defines the right to be forgotten very broadly, it would be applied more narrowly though.
3. The Right of Forgotten under Korean Legal System
Constitution Acticle 10 Acticle 17 The right to privacy shall not be infringed. All citizens shall be assured of human worth and dignity and have the right to pursue happiness. It shall be the duty of the State to confirm and guarantee the fundamental and inviolable human right of individuals.
Personal Information Protection Act Article 4 (Right of Information Subject) A subject of information has the following right in connection with the management of his/her personal information: 1. A right to receive information concerning the management of personal information; 2. A right to choose and decide whether he/she consents to the management of his/her personal information, the scope of consent, and related matters; 3. A right to verify whether personal information is managed and to request an inspection of personal information (including issuance of a certified copy; 4. A right to request the suspension, correction, deletion and destruction of personal information; 5. A right to receive relief from damage caused bythe management of personal information according to promote and fair procedures.
Personal Information Protection Act Article 36 (Correction or Deletion of Personal Information) • A subject of information who has inspected his/her personal information pursuant to Article 35 may request a personal information manager to correct or delete his/her personal information: • Upon receiving a request from a subject of information pursuant to paragraph (1), information manager shall investigate the personal information in question without delay, take necessary measures, such as correction, deletion, etc. based on a request from the subject of information, and notify the subject of information of the result unless other acts and subordinate statues stipulate special procedures for the correction or deletion of the personal information. • When information manager deletes personal information pursuant to paragraph(2), he/she shall take measures to prevent the personal information from being recovered or recycled.
Personal Information Protection Act Article 36 (Correction or Deletion of Personal Information) (4) Where a request from a subject of information falls under the proviso to paragraph (1), information manager shall notify a subject of information of the details without delay. (5) If it is necessary for conducting an investigation under paragraph (2), information manager may require a subject of information in question to submit evidence necessary for verifying a request for correction or deletion. (6) Necessary matters concerning the method, procedures, etc. of requesting correction or deletion, and providing notification shall be prescribed by Presidential Decree.
Personal Information Protection Act Article 37 (Suspension, etc. from Managing Personal Information) (1) A subject of information may request information manager to suspend managing his/her personal information. When the manager is a public institution, the subject of information may request the suspension on his/her personal information among the personal information files to be registered pursuant to Article 32. (2) Information manager in receipt of a request under paragraph (1) shall immediately suspend the management of the personal information completely or partially at the request of a subject of information: Information manager may reject a request from a subject of information to suspend management in any of the following cases:
Personal Information Protection Act Article 37 (Suspension, etc. from Managing Personal Information) • Where there exists special provisions in any Act or it is inevitable to comply with statutory obligations; • Where it is apprehended that any third person’s life and body may be harmed, or any third person’s property and other interests may be unduly infringed on; • Where a public institution is unable to carry out its affairs stipulated by or under other Acts unless it manages personal information; • Where it is impractical to perform a contract, such as a failure to provide a subject of information with stipulated services unless the personal information, and the subject of information fails to clearly express his/her intention to terminate the contract.
Personal Information Protection Act Article 37 (Suspension, etc. from Managing Personal Information) (3) When a personal information manager has refused a request to suspend management pursuant to the proviso to paragraph (2), he/she shall immediately notify a subject of information of the reason therefor. (4) A personal information manager shall immediately take necessary measures, such as destruction, etc. of the relevant personal information, the management of which is suspended at the request of a subject of information. (5) Necessary measures concerning the method and procedure of requesting or refusing the suspension of management, and providing notification pursuant to paragraphs (1) through (3) shall be prescribed by Presidential Decree.
Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. Article 30(Right of Users) • Every user may, at any time, revoke his/her consent given to a provider of information and communications services or similar to allow the provider to collect, use, furnish, or dispose otherwise of his/her personal information. • Every user may demand a provider of information and communication services or similar to allow him/her to inspect or to furnish him/her with, any of the following matters about him/her, and may also demand the provider to correct an error, if there is any: • Personal information of the user, which the provider of information and communications services or similar possesses; • The current status of personal information of the users, which has been used by the provider of information and communications services or similar or furnished to a third party; • The current status of personal information of the user, for which the user consented to collection, use, or furnishing of personal information by the provider of information and communications services or similar.
Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. Article 30(Right of Users) (3) A provider of information and communication services or similar shall, if a user revokes his/her consent in accordance with paragraph(1), take necessary measures without delay, including destruction of collected personal information. (4) A provider of information and communication services or similar shall, upon receiving a demand for correction of an error in accordance with paragraph(2), correct the error, notify the users of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use or furnish the relevant personal information to someone else until it completes taking such measures: Provided, that it may furnish the personal information to someone else or use the information, if requested to furnish the personal information pursuant to any other Act.
Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. Article 44-2(Request for Deletion of Information) • Where information provided through an information and communications network purposely to make it public intrudes on other persons’ privacy, defames other persons, or violates other person’s right otherwise, the victim of such violation may request the provider of information and communications services who handled the information to delete the information or publish a rebuttable statement, presenting it materials supporting the alleged violation. • A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph(1), delete the information, take temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. …….
Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. Article 29(Destruction of Personal Information) Presidential Decree Article 15-2(Destruction of Personal Information, etc.) • Certain period time in Act Article 29 (2) is 3 years. Following condition shall be exempted: • It is necessary to preserve the information if other laws regulate other period of availability or it is unavoidable to abide by certain responsibility set by other laws otherwise. • The condition in which service provides agreed certain period of preserving time with users through separate contract. • (2) Service providers shall destruct or store separately personal information if the information has been unused for 3 years. • (3) Service providers shall not provide those stored information unless there are users request. (2) Service providers shall do necessary measures to destruct personal information which has not been used for certain period time according to the presidential decree
4. Government policy for the right
Support for deletion of RRN(Resident Registration No) Resident Registration Number (RRN) Identity Theft • All Korean citizens are assigned a unique number, comprised of 13 digits. • It includes meaning of gender, date and place of birth, etc. • It has been used widely both for public and private sector, such as registration to web sites, posting information online, online payment, identity check, etc. • The widespread requirement of a valid resident registration number to create an account on many Korean websites presents many opportunities for identity theft and other fraud • It was found that former South Korean president Roh Moo-Hyun's resident registration number was used to gain access to hundreds of pornographic websites, as well as to register accounts on a number of entertainment and gaming web sites • Complaints about identity theft led the Korean government to implement stiff penalties for using someone else's resident registration number and take appropriate measures such as operations of RRN Clean Center, PRIST.
Support for deletion of RRN(Resident Registration No) RRN Clean Center(clean.kisa.or.kr)
Privacy Incident Response SysTem (PRIST) Search for domestic websites Search through Google, Baidu Passport NO RRN Driver License NO Mobile Phone NO Support team for Deletion Email address Phone NO Health insurance Bank account NO Credit card NO RRN
Privacy Incident Response SysTem (PRIST) Shopping Mall(18)/Game(12) Portal (12) Leakage report monitoring Hosting (22) Association(4)/etc(35) (Privacy Incident Response SysTem) Info sharing Delete cooperation
5. Limit of the Right to be Forgotten
Limit of the Right to be Forgotten Record of History & The Right to Know Knowhow & Business Activity for Profit Openness of the Internet • Deletion of personal information could cause erasure of historical fact & memory • The right to be forgotten could lead to the restriction of the right to know • Complete deletion of personal information on the Internet IS IMPOSSIBLE • Who would assert the right to be forgotten to whom? Even if so, do they have right or capability to delete requested information? • Personal information collected, stored, and managed by a corporate is invaluable business asset • If the right to be forgotten is granted, it would cause damage of the business activities seriously
How do we respond? Collision of Constitutional Rights Need to find new privacy concept Proper balance between privacy & freedom of expression • Rapid development of new ICT services on the Internet including Social Networking Services, concern for Internet privacy invasion has been soaring • The right to be forgotten is one of new privacy issues need to be addressed • Emphasis on the right of self-determination on personal information could lead to restriction of business activities • Emphasis on the right of human dignity could lead to erasure of historical fact and invasion of the right to know, and academic freedom • Result of historical experience (e.g. US freedom of expression vs. EU human dignity) • Which right should be more focused and emphasized on?