3th APB Forum, Spring 2017

Some of the characteristics of personal information leakage accidents can be seen through the examples of the three credit card companies and telecommunication companies in Korea. Firstly, it takes just a single unlawful act to create many victims. It is difficult for individuals to realize their personal information has been leaked and serious secondary damage can arise as a result. Additionally, victims face difficulties in proving that damage has been done. If the victim makes a claim for damages, the victim may claim proprietary damage and mental damage, but generally only mental damage is recognized. This is because it is not easy to prove proprietary damage caused by personal information leakage. Alternative Dispute Resolution (ADR) exists to protect victims of personal information leakage from these difficulties. The system applies the principle of transferring the burden of the evidence, which removes the burden on the victim to present the evidence and stipulates liability for illegal acts in personal information leakage. Furthermore, there is a personal information leakage notification system in Korea, which requires the administrator of the data to notify data subjects when personal information leakage has been recognized.

In June 2015, Japan Pension Service was hacked and lead to 1.25 million cases of personal information leakage. This included “My Number” pension service which the Japanese government planned to introduce. The establishment of this law was criticized by Japanese citizens due to its risk of personal information leakage. New clauses were added to the “My Number Law”. One of these clauses is to notify the data subjects when personal information leakage has occurred in order to stop secondary damage. Furthermore, the Personal Information Protection Commission can track the exchange of personal information to prevent the misuse of personal information. To strengthen personal information protection, it is necessary to conduct a privacy impact assessment in advance and to notify the data subjects about the data infringement once it has happened. In addition, international cooperation is required to handle trans-border data breaches.

The enforcement of personal information protection laws in Singapore occurred later compared to other countries. The data protection law was enacted in 2013, the commission was created in 2013 and the provisions of relevant laws were applied from July 2014. One of the features of Singapore’s information protection laws is that it does not recognize a right to privacy. Therefore, the word privacy does not appear in the legislation. The law focuses on the balance of economic and personal interests, not the protection of privacy rights.
As data protection laws are about the data itself, the scope of the law and the
definition of personal information are specified. The law cannot be applied outside of these criteria. Information collected for businesses, society, and organizations outside of personal and domestic capacities are exempt from the scope of the law. This includes personal information employees provide to businesses. Most of the personal information collected by public agencies is also exempted. There are exceptions for data intermediaries. Furthermore, digital information is a category of personal information which is defined using different criteria and must be passively collected. Data which falls under the scope of personal information must be protected and inaccurate information must be corrected.

The Personal Data Protection Act has been enforced in Malaysia since 2010, but Indonesia does not have a comprehensive act on personal information protection. Recently, both Malaysia and Indonesia have tried to embrace the digital economy and there are institutional tasks which must be addressed. While cross-border data transfers are inevitable in the digital economy, Malaysia restricts the transfer of data to countries permitted by the Minister. On the other hand, while data transfers are possible in Indonesia, the recipient region must have a data center and disaster recovery center. In addition, while the Malaysian law does not require the notification of data breaches, the Indonesian law imposes a notification duty to data subjects. Personal information protection transcends legal jurisdictions and is also related to the establishment of mutual trust among stakeholders and the design of profits. Consequently, international cooperation for personal information protection will be the basis for economic development in the Asia-Pacific region.

To deal with personal information issues of Korean citizens in China such as information exposed and even illegally traded online, Korea-China Internet Cooperation Center was established in Beijing, China. Korea-China Internet Cooperation Center uses Korea Internet & Security Agency’s PIRST (Privacy Incident Response System) to search personal information and request the deletion of the information found. In spite of these efforts, the illegal trade of personal information continues to increase. There was an incident where Chinese fans sold and purchased the personal information of Korean citizens to vote for a Korean entertainment program. In addition, Korean IDs and passwords are traded on TaoBao, a popular Chinese website, and WeChat Messenger. As there is no legal basis to request the deletion of Korean citizens’ personal information, the center has collaborated with the Internet Society of China to deal with these incidents. The most important issue is to create a law which identifies and punishes people involved in the illegal trade of personal information. This requires government level cooperation.

Founded in 2000, the International Association of Privacy Professionals (IAPP)
is the world’s largest independent privacy and personal information protection
association. IAPP offers an internationally recognized education program and
certification on personal information protection. There are currently over 30,000
members worldwide from more than 90 countries, with a threefold increase in the past five years.
The European Union's General Data Protection Regulation (GDPR) requires
agencies and companies to assign data protection officers. According to a study
by IAPP, if the GDPR is fully enforced in May 2018, this will require 28,000 data
protection officers in Europe and approximately 1,400 data protection officers in
Korea. In addition to these mandatory requirements, the GDPR states that data
protection officers must prove their professional qualities. IAPP provides high-level certifications which are recognized by the GDPR such as CIPP, CIPM, and CIPT.

There are three cases where personal information leakage accidents in Hong Kong were successfully resolved through international cooperation. The first case is when the customer database of VTech, a toy-maker in Hong Kong, was hacked in November 2015. A total of 5 million parents’ personal information and 6.6 million children’s personal information was leaked. As VTech is a multinational company, this also involved customer data from over ten other countries including the US, Canada, UK, France, and Germany. During this incident, the PCPD shared details of the data breach with these countries and mediated the interactions between these countries to assist in resolving the case. The second case is the leakage of webcam data taken from homes which was publicly displayed in August 2016. This content was leaked under Backdoored.io in the UK. Some of the video clips were filmed in Hong Kong and certain screenshots were sold. To deal with this situation, the Hong Kong PCPD asked the UK Information Commissioner’s Office for assistance and took measures to mosaic the faces of people and prevent the selling of these images. The third case of international cooperation was after laptops containing personal information of 3.8 million Hong Kong voters were stolen from the Registration and Electoral Office of the Hong Kong government. While two laptops were stolen, since these laptops had multi-layer encryption, it was impossible to decrypt and access the data. The PCPD spoke to data agencies in the UK, Canada, and Australia. Although this incident involved the theft of laptops, it was classified as a breach of data since it was caused by the lack of adequate government control.

There is an increase in cybercrimes such as DDoS, Ransomware and financial fraud. Cybercrimes are associated with many countries and require international cooperation for data collection, tracking, and arrest. In Korea, the operators of the pornographic websites Soranet and Gangnam Patch were arrested in 2016 through international cooperation. In 2017, the website of a Korean airline was defaced and three countries were asked for assistance to track the IP address. In addition to investigations involving international cooperation, government agencies and companies from various countries have cooperated to create a project in response to cybercrime. No More Ransom project was launched in 2016 as a nonprofit project which started with the Dutch National Police Agency, Europol and two global security companies. There are now over 30 countries, including the Korea National Police Agency, fighting against Ransomware (The No More Ransom Project, https: // www.nomoreransom.org/). Cybercrime is a threat to the economy; at the G7 ministerial meeting on finance in May 2017, the last day was devoted to discussing cyber security. It is necessary for nations to cooperate through bilateral agreements and simplify international cooperation procedures to respond quickly.