The Right to Data Transfer: Social Problems and Response Plans
Critical Analysis of Personal Information Protection Act Enforcement Decree Amendment
Executive Summary: A Regulatory Overreach Threatening Innovation
On November 21, 2025, I presented at the MyData Policy Startup Seminar hosted by the Korea Startup Forum at D.CAMP in Gangnam, Seoul. As a researcher examining the intersection of data policy, regulation, and innovation, I raised serious concerns about the Personal Information Protection Act Enforcement Decree amendment proposed in June 2025.
The amendment, which aims to expand the “Right to Request Data Transfer” to all industries, represents a fundamental shift from data activation to data control—one that threatens to undermine Korea’s startup ecosystem while violating established regulatory principles and international norms.
🚨 Critical Alert
The June 2025 amendment proposal violates the Regulatory Reform Committee's August 2024 decision by re-proposing identical content only 4 months later. This procedural violation undermines administrative integrity and ignores legitimate industry concerns about security, costs, and trade secrets.
Timeline: From Cautious Approach to Regulatory Overreach
Legal Framework Established
Personal Information Protection Act 2nd Amendment passes National Assembly, establishing Right to Request Data Transfer (Article 35-2)
Regulatory Reform Committee Decision
Key Recommendations:
- Limit to 3 sectors: Medical, Telecommunications, Energy
- Maintain consistency between self-transfer and third-party transfer scopes
- Allow sufficient preparation time for technical infrastructure
- Gradual expansion based on market readiness
Enforcement Decree Enacted (Presidential Decree No. 35343)
Adopted Regulatory Reform Committee recommendations: Limited to 3 sectors (Medical, Telecom, Energy)
System Launch
Right to Request Data Transfer system begins operation in 3 designated sectors
⚠️ Controversial Amendment Proposed
Personal Information Protection Commission re-proposes expansion to ALL industries
- Ignores Regulatory Reform Committee decision from just 4 months prior
- Expands scope to: E-commerce, Platforms, Gaming, Education, Hospitality, Culture & Leisure
- Threshold: Revenue 150B KRW + 1M users
- Creates specialized agency privileges
The Expansion Trap: Current Law vs. Proposed Amendment
✅ Current Enforcement Decree (Feb 2025)
Scope
- Medical institutions
- Telecommunications carriers
- Energy providers
Characteristics
- ✓ Self-transfer = Third-party transfer scope
- ✓ Follows Regulatory Reform Committee guidance
- ✓ Gradual expansion principle
- ✓ Sufficient pilot period
❌ Proposed Amendment (June 2025)
Scope
Any entity meeting:
- Annual revenue ≥ 150B KRW AND
- User base ≥ 1M persons
- Plus: All elementary/secondary/higher education institutions
- Plus: Any entity designated by Commission
Problems
- ✗ Self-transfer ≠ Third-party transfer (inconsistent)
- ✗ Violates Regulatory Reform Committee decision
- ✗ Simultaneous expansion to all sectors
- ✗ Only 4 months after initial implementation
⚠️ What "Revenue 150B KRW & 1M Users" Really Means
This threshold captures:
- Major platforms: Naver, Kakao, Coupang, Baemin, 11st, Gmarket, Auction
- Growing startups: Any company reaching 1M users automatically included
- Sectors affected: E-commerce, delivery, gaming, education, hospitality, culture & leisure
Result: Virtually all successful digital businesses are captured → De facto expansion to ALL industries
Seven Critical Concerns
Procedural Violation
Issue: Re-proposing rejected content only 4 months after Regulatory Reform Committee decision
Risk: Undermines regulatory review process, erodes administrative credibility
Constitutional Issues
Issue: Delegation of essential matters (proxy rights) to enforcement decree violates legal reservation principle
Risk: Legislative power infringement, legal system disruption
GDPR Non-Compliance
Issue: Lacks GDPR Article 20(4) protection for "rights and freedoms of others" (trade secrets)
Risk: International norm deviation, property rights violation
Market Distortion
Issue: Exclusive privileges to specialized agencies enable data free-riding
Risk: Market manipulation, ecosystem destruction
Security Risks
Issue: Allows screen scraping, creates Single Point of Failure (SPOF)
Risk: ID/PW exposure, nationwide simultaneous data breach
Economic Burden
Issue: Forces trade secret disclosure, imposes excessive compliance costs
Risk: Competitiveness erosion, growth inhibition
Policy Inconsistency
Issue: Contradicts Financial Services Commission's scraping ban (2022)
Risk: Administrative consistency loss
Deep Dive: GDPR Compliance Gap
GDPR Approach (Balanced)
- ✓ Protects data subject rights
- ✓ Respects business property rights
- ✓ Explicitly protects trade secrets
- ✓ Considers technical feasibility
- ✓ Balanced approach
"The right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others."
Korean Amendment (Unbalanced)
- ✓ Protects data subject rights
- ✗ Ignores business property rights
- ✗ No trade secret protection
- ✗ Unconditional transfer obligation
- ✗ One-sided regulation
Forces transfer of core business data (purchase patterns, pricing policies, customer segmentation, seller information) without "legitimate grounds" despite being trade secrets accumulated through years of investment
EU Article 29 Working Party Guidelines (WP242)
The EU’s authoritative interpretation provides clear boundaries:
| Principle | EU Interpretation | Korean Amendment |
|---|---|---|
| "Provided by" data subject | Limited to data directly provided by user; excludes company-generated analytics | No such limitation |
| "Work product" exclusion | Company work products (credit scores, recommendation algorithms) explicitly excluded | Not addressed |
| Rights and freedoms of others | Cannot violate trade secrets or database maker's rights | No protection clause |
| Technical feasibility | Direct transfer only "where technically feasible" | Unconditional obligation |
The Financial Sector Paradox: Regulatory Self-Contradiction
🔴 Financial Services Commission (2022): Screen Scraping Banned as Security Risk
Timeline:
- August 5, 2020: Credit Information Act amended - MyData legal framework established
- December 1, 2021: MyData pilot service launched (17 institutions) - Scraping temporarily allowed
- January 5, 2022: Screen scraping completely banned, API-only mandate
Official Rationale (FSC Press Release, Jan 4, 2022):
“From January 5, 2022, screen scraping is completely prohibited and MyData operators must provide services exclusively through API methods to all users.”
Security Concerns Cited:
| Risk | Details |
|---|---|
| ID/PW Direct Collection | MyData operators must directly collect and store user IDs and passwords |
| Inability to Use One-Way Encryption | Passwords must be stored in plaintext or reversible encryption → mass breach risk if hacked |
| 2FA Bypass | Must circumvent additional security measures like 2FA, OTP |
| Unclear Liability | Responsibility unclear between financial institutions and operators in case of breach |
API Benefits:
- Financial institution controls transfer → clear liability
- Token-based authentication → no password exposure
- Limited transfer scope → only necessary data
- Traceable transfer history → auditable
- TLS encryption → secure transmission
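The contrast drawn in the table and list above, modeled as an added Python example (not code from the presentation, the FSC, or any MyData operator). A scraping operator has to replay the user's real password, so it cannot keep only a one-way hash, while an API operator holds a scoped, expiring, revocable token. The function names, the HMAC token layout, and all sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, os, time

# All names and values are constructed for illustration.
PLATFORM_KEY = os.urandom(32)   # signing key held only by the data holder
PW_DB, REVOKED, AUDIT = {}, set(), []

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(user, password):
    salt = os.urandom(16)
    PW_DB[user] = (salt, _kdf(password, salt))   # one-way: platform never keeps the password

def login(user, password):
    # The only door a scraper can use: it needs the real password every time.
    salt, digest = PW_DB[user]
    return hmac.compare_digest(_kdf(password, salt), digest)

def issue_token(user, scope, ttl=900, now=None):
    now = time.time() if now is None else now
    claims = {"sub": user, "scope": scope, "exp": now + ttl, "jti": os.urandom(8).hex()}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(PLATFORM_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig

def api_fetch(token, resource, now=None):
    now = time.time() if now is None else now
    body, _, sig = token.partition(".")
    good = hmac.new(PLATFORM_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, sig):
        return "denied: bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["jti"] in REVOKED:
        return "denied: revoked"
    if now > claims["exp"]:
        return "denied: expired"
    if resource not in claims["scope"]:
        return "denied: out of scope"
    AUDIT.append((claims["sub"], resource, claims["jti"]))  # traceable transfer history
    return "ok"

def revoke(token):
    body = token.partition(".")[0]
    REVOKED.add(json.loads(base64.urlsafe_b64decode(body))["jti"])
```

A stored hash fails `login`, which is why a scraping operator's credential store must be reversible; a leaked token, by contrast, is limited to its scope and lifetime and can be killed with `revoke`.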
🟡 Personal Information Protection Commission (2025): Allowing Scraping as "Automated Tool"
Justification:
- “Convenience for exercising rights”
- “Technical flexibility”
- No clear security measures
Expected Result: Revival of risks that FSC banned
Scope: E-commerce, platforms, gaming, education, culture & leisure - ALL industries
⚠️ The Logical Contradiction
Regulatory Inconsistency:
- Financial information is important → scraping banned
- Medical, shopping, education information is not important → scraping allowed?
Violation of Personal Information Protection Act Article 29:
Article 29 (Security Measures Obligation): Personal information controllers must establish internal management plans, maintain access records, and take technical, administrative, and physical measures necessary to ensure safety as prescribed by Presidential Decree to prevent personal information from being lost, stolen, leaked, forged, altered, or damaged.
→ Allowing scraping directly contradicts the obligation to ensure security
Result: Loss of consistency in personal information protection principles
The Specialized Agency Privilege Problem
Creating Legal Data Brokers
Enforcement Decree Draft Article 42-9 (Duties of Personal Information Management Specialized Agencies):
- Integrated inquiry of personal information received from data subjects
- Providing customized services for data subjects
- Research and education related to personal information utilization
- Other duties determined by the Personal Information Protection Commission
→ Effectively: data collection, analysis, and utilization business
Critical Issue: Specialized agencies can use collected information as bait (e.g., coffee coupons) to obtain additional consent from data subjects, then sell or commercially exploit this information to third parties. This opens a legitimate channel for personal information trading and distribution.
Commission’s Stated Objective (June 2025 Legislative Notice):
“Activate data economy through new business opportunities”
→ Admits this is an industrial policy goal, not a data subject protection measure
The Free-Riding Structure
| Actor | Investment & Effort | Result |
|---|---|---|
| Platform Companies | | Forced asset transfer |
| Specialized Agencies | | Free data collection → Own revenue business |
Single Point of Failure (SPOF): A National Security Risk
🔴 From Distributed Risk to Concentrated Catastrophe
Current System (Distributed):
- Shopping site breach → Purchase history only
- Hospital breach → Medical records only
- Limited damage scope
Amendment System (Centralized):
- Specialized agency breach → Entire life history exposed
- All citizens affected simultaneously
- National-level disaster
What One Specialized Agency Would Know About Each Person:
| Category | Information |
|---|---|
| Medical | Medical records, prescriptions, health checkups, genetic information |
| Telecom | Call history, messages, location data, internet usage |
| Financial | Account balances, transaction history, card usage, loans |
| Shopping | Purchase history, wish lists, payment methods, delivery addresses |
| Education | Learning records, grades, course history |
| Sensitive | Adult products, pregnancy info, personal preferences |
→ Complete life profile in one location
Breach Scenario:
Person A: Pregnancy (obstetrics) + Adult products (shopping) + Specific locations (GPS) + Financial transactions = Complete privacy exposure
Specialized agency breach: 50 million people like Person A simultaneously affected
Economic Impact: Crushing Startups
Actual Financial MyData Costs
| Item | Cost |
|---|---|
| Total System Construction (All institutions) | ~37.2B KRW |
| Annual Operating Cost (All institutions) | ~92.1B KRW |
| Annual Total Cost | ~129.3B KRW |
| Average Cost Per Institution | Hundreds of millions to billions KRW (varies by size) |
Source: Financial Services Commission announcement (Jan 10, 2023), Samjong KPMG cost analysis
All-Industry Expansion Impact (Estimated)
- Target companies: Revenue ≥150B KRW & ≥1M users
- Estimated number: 100-200 companies (e-commerce, medical, telecom, etc.)
- Unlike financial sector: Must build new infrastructure from scratch
- Initial cost per company: Tens to hundreds of millions KRW
- Total estimated cost: Minimum hundreds of billions to trillions of KRW
The Startup Growth Trap
The Dilemma:
500K users → Growth, data accumulation, investment attraction
1M users milestone → Transfer obligation triggered → API construction costs tens of millions KRW
Choice → More growth = Massive costs + Core data exposure
Result → Stop growth just before 1M users → Loss of innovation momentum
Irony: The threshold “Revenue 150B KRW & 1M users” is marketed as targeting “large businesses” but actually hits growing companies the hardest.
Trade Secret Violation
Unfair Competition Prevention Act Article 2, Paragraph 2
“Trade secret” means production methods, sales methods, and other technical or business information useful for business activities that is not publicly known, has independent economic value, and has been maintained as confidential through considerable effort.
E-Commerce Platform Trade Secrets at Risk
| Information Type | Trade Secret Status | Transfer Mandate |
|---|---|---|
| Purchase Patterns | Years of analysis investment | Forced |
| Pricing Policies | Core competitive advantage | Forced |
| Customer Segmentation | AI/ML investment | Forced |
| Seller Information | Business partner data | Forced |
The Data Leakage Path
Specialized Agency Gains:
- Purchase patterns of millions of consumers
- Price sensitivity, preferred products, purchase timing
- This equals trade secrets accumulated by platforms through years of investment
Result:
- Specialized agency acquires for free
- Uses for own services
- Korean e-commerce competitive advantage eroded
GDPR Protection
"shall not adversely affect the rights and freedoms of others"
→ Can refuse if trade secrets are infringed
Korean Amendment
NO trade secret protection clause
→ Unconditional forced transfer
Four Essential Solutions
1. Withdraw Amendment & Follow Committee Guidance
- Immediately withdraw June 2025 amendment
- Comply with August 2024 Regulatory Reform Committee decision
- Maintain current enforcement decree (3 sectors)
- Sufficient pilot operation before reconsidering
2. Legal Reservation - National Assembly Legislation
- Delete proxy rights clause from enforcement decree
- Regulate essential proxy rights matters by law
- Social consensus through National Assembly deliberation
3. Adopt GDPR Approach
- Abolish specialized agency centralization
- Prioritize self-download rights
- Explicitly protect trade secrets & database rights
- Encourage market autonomy
4. Security Enhancement - Ban Scraping
- Ban scraping same as Financial Services Commission
- Allow only standard APIs
- Prevent SPOF through distributed structure
Recommended GDPR-Style Provisions
Proposed Amendment Article ○ (Limitations on Transfer Requests)
① Transfer may be refused in the following cases:
- Contains trade secrets or intellectual property
- Infringes database maker’s rights
- Violates rights and freedoms of others
- Technically difficult or excessively costly
② Obligation to notify reasons when refusing
Conclusion: Balance is Essential
Seven Critical Concerns Summary
| No. | Area | Core Problem | Social Risk |
|---|---|---|---|
| 1 | Procedural Legitimacy | Ignoring Committee guidance, re-proposing after 4 months | Regulatory process nullification, administrative trust damage |
| 2 | Legal Validity | Violating legal reservation principle, unconstitutional proxy rights | Legislative power infringement, legal system disruption |
| 3 | Global Compliance | GDPR contradiction, lack of trade secret protection | International norm deviation, property rights ignored |
| 4 | Policy Fairness | Specialized agency privileges, data free-riding | Market distortion, ecosystem destruction |
| 5 | Security Stability | Allowing scraping, SPOF formation | ID/PW exposure, nationwide simultaneous breach |
| 6 | Economic Rationality | Trade secret exposure, excessive costs | Competitiveness erosion, growth inhibition |
| 7 | Policy Consistency | Contradicting FSC measures, self-contradiction | Administrative consistency loss |
This is not “personal information protection” but “market restructuring through regulation”
Not “data activation” but “data control”
Not “innovation promotion” but “growth regulation”
Not “protection enhancement” but “risk centralization”
→ Careful reconsideration and sufficient social consensus required
Research Information
Presentation Date: November 21, 2025
Event: MyData Policy Startup Seminar
Host: Korea Startup Forum
Venue: D.CAMP, Gangnam, Seoul
Speaker: Yonghee Kim, Ph.D.
Research Focus:
- Data policy and governance
- Digital platform regulation
- Startup ecosystem protection
- Regulatory impact analysis
Contact:
- Email: yhkim1981@sunmoon.ac.kr
- Institution: Sunmoon University, Department of Business Administration
- ORCID: 0000-0002-5643-2748