1. Like many modern democracies, the South Korean government has placed much focus on information technology and the value of data in generating innovations. Infrastructurally, the country presents a fertile context for innovation, having high rates of broadband and smartphone penetration and use. At the same time, a digital divide exists in populations such as the elderly and low income.

2.  A state-paternalistic approach to data innovation prevails, with the government having to provide express approval and legal direction before innovations can happen. While this stipulates the terms by which innovation may happen, such a prospective, cautious approach may also have the effect of curtailing the full possibility of innovative potential. This is seen in how innovators often have to wait for legal direction and precedent, and prospectively specify the use of data before carrying out innovative projects. This approach also disturbs the serendipitous element of innovation, where breakthroughs result from free explorations of data.

3. In 2020, South Korea passed three major legal amendments to its data privacy laws to promote data innovation: The Personal Information Protection Act (PIPA), the Act on the Promotion of Information and Communications Network Utilisation and Information Protection (Network Act) and the Act on the Use and Protection of Credit Information (Credit Information Act), collectively known as the “Three Laws of Data”. They are aimed at strengthening regulatory supervision and to introduce the concept of ‘pseudonymised data’.

4. However, major legal conundrums remain in the PIPA, and how it relates to the European General Data Protection Regulation (GDPR), which have major implications on how data is used. The foremost concern has to do with non-consensual processing of citizen data. The GDPR stipulates that non-consensual data processing may be justified by the production of socially beneficial results such as in public interest archiving, scientific research or statistical purposes, otherwise known as ARS purposes, but the PIPA relies too much on data ‘pseudonymisation’ and ends up making it a sufficient condition for derogating some of data subjects’ rights such as access, erasure, correction, and opt-out.

5. Experts interviewed also opine the laws’ disproportionate focus on consent and data subjects’ control on data processing. In South Korea, the predominant understanding of data protection law is that it gives data subjects control over data about themselves. In other words, personal data is understood primarily as being the property or under the control of the individuals who generate it, and data protection is seen in terms of preserving data control by owners, rather than ensuring data privacy. While affording control to data subjects over personal data, this approach may have stifled data innovation in cases where consent is required.

6. The consent-centric data protection law ended up relied too much on pseudonymization as a basis of non-consensual use and ended up deprecating data subjects’ rights such as right to access or erasure even outside the ARS context. This creates a loop hole whereby ill-intended data controllers may evade affordance of such data subjects’ rights simply by pseudonymizing the data. This is important for data privacy because it is through exercise of access and other rights that data subjects can protect themselves.

7. Civil society voices have attempted to balance government and industrial direction, although mistrust has led to a climate of mutual conflict. Pseudonymisation-backed non-consensual processing (including data linkage) and data portability were deemed encroachments on the individuals’ data sovereignty, with oppositional sentiment fuelled by negative, past experiences associated with the resident registrational number (RRN) system. To civil society groups, pseudonymisation-backed non-consensual processing and data portability all became ‘dangerous’ activities that needed to be somehow administered under a publicly sanctioned environment.

8. The COVID-19 pandemic presents a case example to study the trade-offs between data consent/privacy and public good. Unlike most countries around the world, South Korean infectious disease regulations permit the non-consensual use of data. This aspect was exploited towards exceptionally precise and efficacious contact tracing in curbing COVID-19 – integrated personal data, credit card information, mobile phone location information and surveillance camera data were utilised. In comparison, most other countries adopt voluntary contact tracing methods, which have had limited efficacy as it depends on citizen compliance and trust in proper data security and handling by authorities.

9. The post-COVID era will necessitate serious, country-level discussions of what data innovation means in the data age. Aside to sorting out legal requirements and digital infrastructure, decision makers would need to be cognisant of the importance of building mutual trust between government, industry and citizenry, so that data innovation is adopted in not only a permissive but transparent environment. While data innovation is often undertaken for reasons associated with strengthening public administration and economic growth, citizen transparency and being clear about the social, long-term benefits of innovation can go a long way to fostering wider acceptance of innovation while mitigating suspicion and discontent.