Korea has seen an increasing use of biometrics in vehicles and related electronic products. As an illustration, Samsung’s Galaxy mobile phones enable the user to unlock the phone by face recognition and Hyundai’s new Santa Fe vehicles enable the driver to unlock and start the car using his/her fingerprint.
Under Korean law, a person’s biometric data is considered personal data, the use of which is governed most notably by the Personal Information Protection Act (the “PIPA”) and the Promotion of Information Communications Network Utilization and Personal Information Protection Act (the “Network Act”).
In December 2017, the Korea Communications Commission and Korea Internet & Security Agency jointly published a guideline on the protection of biometric information. This guideline is not independent legislation specifically regulating the use of biometrics, but it is considered the relevant authorities’ confirmation that biometrics constitute personal information under Korean law and their guidance on how biometrics should be used and protected under the current data protection laws of Korea.
Thus, to understand the current regulatory framework for use of biometrics in Korea, it is essential to understand Korea’s laws on personal data protection, which already impose specific and strict obligations on those who collect and use a person’s biometrics.
A. Personal data protection laws
The ground rule when collecting personal data is that only the minimum amount of personal data necessary for the intended purpose should be collected. Some additional key rules include obtaining prior consent from the data subject for the collection and use of personal data, taking proper measures to prevent the loss, theft or leakage of the personal data, and destroying personal data without delay when it is no longer needed.
B. Personal data
In Korea, personal data is broadly defined. Personal data means information pertaining to a living individual, which contains information identifying a specific person by name, national identification number, visual image, and so forth. Personal data also includes information that by itself cannot be used to identify a specific person but that enables the easy identification of such person if combined with other information.
Under Korea’s data protection laws, biometrics include physiological and/or behavioral characteristics that facilitate the identification or authentication of individuals (e.g. use of fingerprint and facial recognition to unlock vehicles). If such characteristics are not used for identification or authentication of individuals (e.g. simple recognition of approximate age or gender in order to transmit targeted advertisements), they are not considered personal data protected by Korea’s data protection laws.
C. Prior consent required for collection of personal data
Data collection requires prior consent of the data subject, after having been notified in advance of the following matters: (i) purposes of collection and use of the personal data; (ii) items of personal data to be collected; (iii) period of time for which the personal data will be held and used; and (iv) data subject’s right to withhold his/her consent and disadvantages that may result by withholding consent.
In addition, collection and use of special types of personal data – including “sensitive information” which may seriously infringe upon the privacy of the individuals, such as information regarding political opinions, health and genetic information, and “uniquely identifying information” such as a resident registration number and passport number – requires a separate opt-in consent.
The consent form itself is heavily regulated in Korea – with specific rules for font size and checkboxes, for example.
D. Transfer of personal data
Any transfer of personal data to a third party for such third party’s own use, in which the third party recipient obtains the personal data for its own benefit and business, also requires prior consent of the data subject. Here, transfer of personal data to a third party for such third party’s own use should be distinguished from an entrustment of personal data to a third party, in which the third party recipient obtains personal data for the purpose of performing work entrusted by the original data collector, and the original data collector has the obligation to monitor, supervise and educate the third party recipient regarding the protection of the entrusted personal data. Liability in the event of a violation of personal data protection laws also differs between the two cases: the original data collector would be liable for any breach committed by the third party to whom personal data is entrusted, but not for the actions of a third party to whom personal data has been transferred for the third party’s own use.
Transferring personal data abroad (i.e., to a foreign entity) also requires the data subject’s consent in advance after notifying matters prescribed by law.
E. Management of personal data and security measures
Certain technical, administrative, and physical measures must be implemented to protect personal data from loss, theft, leakage, alteration or damage. Such measures include the encryption of personal data and maintaining safe storage facilities with appropriate locking devices.
In connection with the obligation to take security measures for the protection of personal data, both the PIPA and the Network Act promote cybersecurity by imposing certain duties to prevent unauthorized access to the network system (e.g. firewall, password system and network segregation), to analyze the cause of any intrusion into a network system, and to take measures in response.
A violation of Korea’s personal data protection laws could lead to criminal liability and administrative fines, as well as exposure to civil lawsuits. For example, a person who collects personal information without consent may be punished by imprisonment for not more than 5 years or by a fine not exceeding 50 million Korean won (approx. USD 43,000), and an administrative fine of up to 3% of the annual sales for the relevant business under the Network Act. Additionally, failure to implement data security measures that results in data loss, theft, leakage, alteration or damage may be punished by imprisonment for not more than 2 years or by a fine not exceeding 20 million Korean won (approx. USD 17,000), and an administrative fine of up to 3% of the annual sales for the relevant business under the Network Act.
G. Other rules governing biometric data
In consideration of the heavy regulations governing the collection and use of personal data, which also apply to biometrics, the following rules are particularly worth noting.
First, biometrics may be considered to be “sensitive information” under the PIPA, which will require a separate opt-in consent for its collection and processing.
Second, when applying the rule on data minimization – i.e., only the minimum amount of personal data necessary for the intended purpose should be collected – care should be taken to destroy without delay the original biometrics once they are converted into biometric identifiers and safely encrypted. Otherwise, consent must be obtained for their continued retention and use. Also related to the rule on data minimization, the data controller and processor should ensure that sensitive data (e.g. ethnic data, religion or health information) is not unnecessarily extracted from the original biometrics.
Third, the data subjects should be given various methods to easily control the use of biometrics (e.g. by using a cellphone or website). The data controller and processor are advised to offer alternative identification or authentication methods (e.g. passwords) that may be used in case the users withdraw their consent to the use of their biometrics or become unable to use the biometrics due to changes in their physical or behavioral traits.
Lastly, biometrics should be securely protected from theft and unauthorized use. In particular, biometrics should be encrypted using a secure algorithm when being stored or transmitted through a network.
Could the restrictive personal data protection laws impede the widespread incorporation of biometrics into AVs in Korea?
In the US, for example, the strong protections imposed by Illinois’ law on the collection of biometric data – requiring written individual consent and allowing a private right of action against private entities for violations – have deterred some companies from offering the use of their biometric technologies to consumers in Illinois.
In Korea, strong personal data protection laws may give rise to concerns that may similarly dissuade companies from using biometrics. Nevertheless, Korea-based companies, such as Samsung and Hyundai, have already invested heavily in biometrics technologies. In addition, to reduce the impediments created by the strong personal data protection laws, various members of Korea’s National Assembly have sought to amend the PIPA and the Network Act. It is therefore possible that the great commercial potential of biometrics and AVs may prompt changes to Korea’s personal data protection laws and their interpretation and application.