South Korea's Personal Information Protection Commission held a plenary meeting on May 27 and approved a resolution recommending improvements to the Ministry of Science and ICT regarding face authentication when activating mobile phone service.

The science ministry has been running a pilot "face authentication" system since Dec. 23 last year as part of a joint government "comprehensive measures to eradicate voice phishing". The system compares in real time the face photo on an ID presented for mobile service activation with the actual face of the ID holder.

As concerns about privacy violations were raised through civic group complaints and media reports, the commission investigated the actual state of the system.

Based on the investigation, the commission concluded that the science ministry had not sufficiently reviewed how to operate the system from a personal information protection perspective, taking into account the sensitivity involved, as it piloted the use of biometric information (facial information) that is managed more strictly than general personal data as a means of identity verification.

Biometric information is sensitive information under the Personal Information Protection Act, and can be processed only when there is consent from the data subject or a legal basis. But it was unclear under current relevant laws, including the Electric Telecommunications Business Act, whether facial information may be used as a means of identity authentication when activating mobile phone service, and there was a problem that refusal was effectively difficult because consent is obtained when the data subject's choice is not guaranteed. The commission also judged that there is a need to minimise the information processed on contractor systems, and recommended that the science ministry design and operate the system with personal information protection at its core.

The commission first recommended that the science ministry, considering the sensitivity of processing biometric information, sufficiently conduct an advance review before formally implementing the system on the need to introduce it and on the effectiveness, appropriateness and proportionality of its scope and methods, and design the system with Privacy by Design. It also recommended that, if the advance review finds that the purpose of introducing the system is legitimate and that its scope and methods are appropriate and effective in proportion to the potential restriction of data subject rights, the ministry should operate the system while considering measures to comply with the privacy law.

Going forward, the commission plans to check whether the recommendations are implemented and support efforts so that government-wide measures to prevent voice phishing can proceed in a safe personal data processing environment.