Starting in August, South Koreans will be able to manage personal information scattered across major hospitals, transportation services, retail chains, and cultural institutions through a unified system.
The Personal Information Protection Commission announced Tuesday that the Cabinet approved amendments to the Personal Information Protection Act Enforcement Decree, expanding the scope of MyData's personal data transfer request rights to all sectors.
The revised decree extends the data portability system—which allows individuals to transfer and utilize their personal information wherever they choose—from the current medical and telecommunications sectors to all industries. It also specifies secure transfer procedures and methods.
Under the decree, entities required to comply with transfer requests are defined as large-scale personal information processors with adequate data protection capabilities. This includes organizations with average annual revenue exceeding 180 billion won ($123 million) that process data for more than 1 million users, or those handling sensitive or unique identification information for at least 50,000 individuals. Public system operators and third-party data transmitters are also subject to the requirements.
Information eligible for transfer includes data processed with the consent of the data subject, data generated through contract execution, and data processed in accordance with laws and regulations.
For secure transfers, requests made through agents must follow methods pre-agreed with personal information processors. The government recommends API-based transfers but will temporarily permit scraping through pre-approved secure methods.
Processors cannot refuse transfer requests made through pre-agreed methods without legitimate cause. Direct downloads of encrypted information viewable on websites are also specified as a valid transfer method.
Public system operators and third-party transmitters will have a six-month grace period following promulgation, while private large-scale processors with revenue exceeding 180 billion won will have one year to comply.
The commission plans to operate working-level consultative bodies to expand third-party transfers to energy, education, employment, culture, and leisure sectors. Briefings on designation and support programs for specialized personal information management institutions will begin in March.
"With this revision, we expect citizens to actively exercise sovereignty over their personal information and transfer and utilize data according to their wishes," said Song Kyung-hee, chairperson of the Personal Information Protection Commission. "We will build trust in the MyData system by ensuring information is transmitted in a safe and reliable environment."