‘Pseudonymous data’ refers to the fake information in which the personal data cannot be revealed without additional information to retrieve the original data, which beforehand could be reached by using his name, social identification number or etc.
The Revised Personal Information Protection Act allows that pseudonymous data from each personal information could be combined for statistical data, scientific research, and public record. However, when it happened, there occurs another problem of “re-identification”, through which the relevant individual information could be exposed: If the pseudonym data is allowed to be linked with the other data, thus being “easily combined”, the original data could be open to be retrieved through combining it with another data.
This paper analyzes the measures to prevent this re-identification problem through comparing the GDPR(General Data Protection Regulation) of Europe and the CCPA(California Consumer Privacy Act) of the United States. In the revised Personal Information Protection Act, provisions were made regarding “an agency for processing pseudonymous data”, which are mentioned in the GDPR and the CCPA. Following these provisions, the Personal Information Protection Committee made guidelines for processing pseudonymous data on September 2020. We can appraise this installation highly since any other country has not tried it. However, this measure may have an aftereffect – by transferring all authorities to combine pseudonymous data to a special agency- to lower the incentive for private companies to use data. This paper examines the way the GDPR and the CCPA – both of them have no such special agency- prevents re-identification problem, thus giving another thought on our current actions of the Revised Personal Information Protection Act.