This article is the countribution of jinbonet to the country report of South Korea in Privacy and Human Rights 2007 published by EPIC.
Full text of country report of South Korea is attached.
Privacy Supervisory Authority
In Korea, there is not the Basic Act on the Protection of Personal Information to protect privacy in all spheres of society yet. There is not an independent privacy supervisory authority either. Human rights groups in Korea had insisted on enacting the Basic Act on the Protection of Personal Information and establishing independent privacy supervisory authority for a long time from late nineties. Three different acts on the protection of personal information which include establishing independent privacy supervisory authority were proposed in the 17th National Assembly. The Democratic Labor Party proposed the act that was drafted in cooperation with human rights groups in November 2004. The act drafted by government and the ruling party, Uri Party, was proposed in July 2005, and the act drafted by Grand National Party was proposed in October 2005. However, these acts were not passed even in the Standing Committee in National Assembly, which was not because there were objections in the Standing Committee, but because Assemblymen were negligent, even they were not discussed. Finally, the acts were repealed automatically when the 17th National Assembly was closed in may 2008.
After that, there was a public hearing on June 27, 2008, on the Basic Act on the Protection of Personal Information drafted by the Ministry of Public Administration and Security (MOPAS) to propose in the 18th National Assembly. However MOPAS plans not to establish an independent privacy supervisory authority, but take charge of supervisory role by itself. Human rights groups criticize that MOPAS itself is main object to be supervised as a ministry directly managing huge personal information such as resident registration databases, and that it’s illogical to supervise itself.
Personal Information Leaks
The Auction site, which was one of the biggest on-line market in Korea, was hacked causing personal information of more than ten million people to be exposed in February 2008. Soon after, the fact that one of the major ISPs, Hanaro-Telecom, intentionally abused its more than six million clients’ personal information (the number of leaked records were more than eighty five millions) became known in April 2008. These accidents were a great shock to the public. The victims of these accidents raised class suits against the Auction and Hanaro-Telecom.
Human rights groups claimed that the reason why leakage of personal information had occurred on a large-scale in these accidents was because large-scale personal information was collected unnecessarily by the companies in one hand, and public authority did not perform its jobs in monitoring and overseeing these companies’ behaviors in collecting and using personal information in the other hand, and urged the government to enact the Basic Act on the Protection of Personal Information and establish an independent privacy supervisory authority.
Among the personal information leaked in these accidents, the exposure of the Resident Registration Numbers poses tremendous problems. The Resident Registration Number is issued to every Korean at birth. It is a unique number which includes sensitive information such as date of birth and sex, and can never be changed. The Korean government allowed private entities to collect such sensitive information without proper regulations, and abandoned its responsibility by not providing effective corrective measures even though massive numbers of Resident Registration Numbers have been traded and used for fraudulent IDs. To minimize the damage of victims, human rights groups requested the Ministry of Public Administration and Security (MOPAS) to reassign their Resident Registration Numbers in May 2008. However, MOPAS denied that request saying it is impossible.
Internet Real Name Policy
Since the Ministry of Information and Communication expressed the necessity of introducing the ‘Internet real name policy’, which is a policy that obligates every user of major Internet portal sites and government sites to confirming his/her real identity, in the early 2003. Human rights groups had been against the policy. They criticized that the policy would violate freedom of expression and right to anonymity of all users. In addition, they worried about identity theft in the process of authentication using name and Resident Registration Number. Actually, there was a large scale identity theft accident in the on-line game site, Lineage, where fake accounts, more than 220 thousands, were made using stolen names and Resident Registration Numbers in February 2006. As the public opinion criticizing beef import negotiation between Korea and U.S. spread fast over the Internet, the Korean government and the governing party, GNP, planned to expand the sites which were forced to adopt Internet real name policy up to over 200 sites including Google.
Meanwhile, the revision of Public Election Act was passed in the National Assembly in May 2004, which requires Internet newspaper sites to adopt technical management of confirming user’s real identity in their bulletin boards or chat rooms during the election period. Human rights groups and Internet newspapers criticized that ‘Internet real name policy during the election period’ would restrict political participation of citizens, and announced disobedience to the policy. (http://freeinternet.or.kr/) The National Human Rights Commission expressed objection to ‘Internet real name policy’ in the “Opinions to the National Assembly about Politics related Law and its revision” in February 2004. (*) In the opinion, the NHRC pointed out that Internet real name policy was clearly censorship presuming that all people who would post in the bulletin board during the election period would circulate false information and/or libel, and violated freedom of expression under the article 19 of the World Human Rights Declaration and the article 21 of the Constitution by restricting freedom of expression and right to form opinions based on anonymity in the Internet, and would possibly violate right to control his/her own information under the article 17 of the Constitution in that individual information would be subject to misuse for the purpose other than original purpose presented when information was collected, by allowing the minister of MOGAHA and credit information companies to confirm users’ identity using name and Resident Registration Number when requested by Internet newspapers.
Since ‘Internet real name policy during election period’ was first enforced in May 31st local elections in 2006, some of progressive Internet newspapers practiced disobedience. An Internet newspaper, ‘People’s Media Chamsesang’, which was imposed a fine of KRW 10 million at the price of disobedience during the presidential election in 2007, raised a unconstitutionality suit on April 4, 2008. (**) In addition, A netizen raised a unconstitutionality suit claiming that Internet real name policy violated basic rights under the Constitution at the last date of enforcement of Internet real name policy during general election, on April 8, 2008.
* http://www.humanrights.go.kr/04_sub/body02.jsp?NT_ID=24&flag= VIEW&SEQ_ID=554728&page=1
The Ministry of Foreign Affairs and Trade proposed a revision of the Passport Act which would introduce electronic passports(or biometric passports) in may 2007. It’s only one year since the new passport in which picture is digitally printed was introduced in September 2005, to tighten security of passports. Before this change, the picture in the passport was printed and then glued to the passport. An electronic passport has IC chip embedded on the back cover and the personal information is retrieved by RFID technologies. According to the guideline of International Civil Aviation Organization (ICAO), the IC chip should contain the passport holder’s personal information and a face shot and optionally fingerprints. Korean electronic passports was designed to include fingerprints as a requisite information on the ground of improving accuracy. The reason why the Korean government introduce electronic passports is to be eligible for the U.S. Visa Waiver Program (VWP). Human rights groups in Korea criticized that electronic passport system would violate citizen’s privacy due to gathering of biometric information and indefinite collection of personal information, and that introduction of electronic passport system just after introduction of digital passport system is wasting budget. Moreover, they criticized that Electronic Travel Authorization(ETA), that one of the requirements of VWP, is just a different name of Visa system, and that personal information can be easily transferred across national borders due to the measures such as the passenger information exchange agreement.
The revision of the Passport Act, which postponed the collection of fingerprints for 2 years, was passed in the National Assembly in February 2008. Electronic passports were issued to the public from August 2008. Human rights groups including Korean Progressive Network Jinbonet built up ‘Reissue for Freedom’ campaign that encourage people to apply for reissue of their passports before electronic passports will be introduced.(http://biopass.jinbo.net/)
In June 2007, revisions to the Protection of Communications Secrets Act passed through the National Assembly’s Legal and Judiciary Committee. The revisions would require mobile phone service providers, credit card firms and mass transit operators to store clients’ records for up to a year and provide the information at the request of state investigators. This means a citizen’s cellular phone calls, e-mails, financial transactions and even where he or she goes on buses and subways over the past year must be kept and disclosed upon a warrant request.
The present Protection of Communications Secrets Act has articles on retainment of communication log data such as phone records, location log data, Internet log data, etc., but has not penal clauses. The revision forces communication service providers to retain communication log data by imposing fines not exceeding KRW 30 million on who don’t retain communication log data. Moreover, the revision requires mobile phone service providers to redesign their networks to permit wiretapping.
Human rights groups criticized that the amendment would severely jeopardizes people’s right to privacy and freedom of expression by regarding all people as potential criminals and making people under surveillance. Considering that users of major Internet portal sites and government sites are obligated to confirm his/her real identity in Korea, retaining communication log data enables investigators to monitor one’s every action, which has critical impact on citizen’s privacy.
The National Human Rights Commission (NHRC) expressed its opinion on the revision of the Protection of Communications Secrets Act under National Assembly on January 16, 2008. (*) In the written opinion, the NHRC said that the revision could threaten citizen’s privacy by forming recognition that interception could be routinized, and had the possibility to be abused by communication service providers. And the NHRC criticized that forcing service providers to retain communication log data for some period would be against the principles of the protection of personal information and violate the intent of the act. At the end of the written opinion, the NHRC emphasized that the revision could cause the leak or misuse of personal information lasting for a long period of time considering that ‘the Basic Act on the Protection of Personal Information’ and independent privacy supervisory authority didn’t exist.
The revision to the Protection of Communications Secrets Act did not pass in the National Assembly until the 17th National Assembly was closed in may 2008, and were repealed automatically. However, the revision is expected to be proposed again in the 18th National Assembly.
Public institutions have been introducing CCTVs rapidly since the Kangnam-gu ward office and the Kangnam police office installed five CCTVs by a way of showing an example in 2002. According to “White Paper of MOGAHA(2003-2007)”, the number of CCTVs installed by public institutions is estimated about 126 thousands in June 2007. (*) They are used for crime prevention, control over illegal parking or fly-tipping, etc. Human rights groups had criticized that CCTVs installed by public institutions had no legal ground and would infringe citizen’s privacy. In may 2004, the National Human Rights Commission(NHRC) announced “The Policy Recommendation on the Installation and Management of Unmanned Regulation Equipments such as CCTVs Installed by Public
Institutions”(**), which pointed out that at present the police or the local government entities judged necessity, installation locations, ways of management and installation processes of unmanned regulation equipments such as CCTV at their discretion, which could infringe citizen’s right by taking pictures and recording the portrait and motion of passersby, or private life depending on the way of installation and management. And the NHRC recommended the chairman of the National Assembly and the minister of the MOGAHA to make a legal guideline on unmanned regulation equipments such as CCTV by enacting a new law to guide the installation and management of unmanned regulation equipment such as CCTV installed by the police or the local government entities for crime prevention and investigation, or modifying the Act on the Protection of Personal Information Maintained by Public Agencies. Since then, articles on CCTV were included in the Act on the Protection of Personal Information Maintained by Public Agencies in May 2007, and were enforced since November 2007.
However, according to ‘the survey on management of CCTV installed by public institutions’ conducted by the Data Protection Review Commission under the Premier’s Office in February 2008, most of CCTVs were capable of zooming and rotating. In addition to that, some CCTVs had recorded voices even without the recognition of the person concerned. Only 64 % of CCTVs noticed their existence. This survey investigated only 12,778 CCTVs installed by 14 public institutions. Human rights groups has insisted on removing illegally managed CCTVs and strengthening the regulations on CCTV.
There is not legal ground to regulate CCTVs in the private sector yet. There is only “Guideline for Protection of Personal Image Information by CCTV” proposed by the Ministry of Information and Communications in October 2006.(***)
* White paper of MOGAHA(2003-2007), http://www.mopas.go.kr/gpms/ns/mogaha/user/userlayout/bulletin/userBtView.action?userBtBean.ctxCd=1010&userBtBean.ctxType=21010005&userBtBean.bbsSeq=1034660
** http://www.humanrights.go.kr/04_sub/body02.jsp?NT_ID=24&flag= VIEW&SEQ_ID=554769&page=2
On November 27, 2007, the National Human Rights Commission made a decision that electronic surveillance using various technologies such as CCTV, IC chip embedded card, GPS etc. was conducted in the workplace in the private and the public sector, which could violate human rights of workers who were kept under surveillance, and recommended the minister of the Ministry of Labor to enact a special act to regulate strictly all kinds of electronic surveillance in the workplace and a concrete guideline for the protection of human rights, which should be included in the act. In addition, recognizing that generalized electronic surveillance was an important factor which would change worker’s circumstances, it recommended the minister to revise ‘the Labor Standard Act’ reflecting the factor, and to strengthen its supervision of individual workplace. (*)
The Youngnam University Medical Center, which was under conflicts between labor and management since August 2006, installed CCTVs around the sit-in place of the labor union in Octorber 2006. Labor unions and human rights groups in the region criticized that it was intended to supervise and control the labor union.
The fact that the location information of workers and laid-off workers of Samsung had been traced for several months through illegally-copied mobile phones became known to public in 2004. Though labor unions and human rights groups in the region claimed that it was the surveillance conducted by Samsung, the prosecution announced that it was true that someone traced the location of workers, but they couldn’t find who traced the location, and stopped indictment. However, the prosecution resumed investigation in March 2008, because a new testimony and evidences that location tracing had been conducted by Samsung were presented.
* “The Act for the Protection of Workers under Electronic Surveillance is Needed” http://www.humanrights.go.kr/04_sub/body02.jsp?NT_ID=24&flag=VIEW&SEQ_ID=555369&page=1