Humanities & Social Sciences Communications (Jul 2024)
Automated decision-making in South Korea: a critical review of the revised Personal Information Protection Act
Abstract
Abstract The General Data Protection Regulation (GDPR) of the European Union has established regulations on automated decisions in Article 22 with the proliferation of artificial intelligence. In response, the Personal Information Protection Act (PIPA) of South Korea, serving as a counterpart to the GDPR, has recently incorporated provisions for automated decisions under Article 37-2 through an amendment. Although the PIPA follows a distinct legal framework from the GDPR, it is crucial to ensure an equivalent level of protection for fundamental rights. Recognising this concern, this study analyses the differences between the PIPA and GDPR regarding automated decisions, focusing on three aspects: format, target, and content. This analysis identifies that the PIPA lacks comprehensive safeguards for data subjects in certain aspects compared to the GDPR. First, regarding the format, the PIPA grants the right to object rather than establishing a general prohibition to automated decisions, posing limitations in protecting individuals who are unable to effectively exercise their rights. Second, in terms of the target, the PIPA regulates a completely automated status at the overall system level, creating a regulatory vacuum for a multi-stage profiling system. Third, concerning the content, the PIPA faces several technical and practical limitations that remain unresolved in delineating the content of the right to explanation. Building upon this analysis, this study proposes potential legislation and interpretation remedies to address these concerns based on each aspect.