Song Kyung-hee, Chairperson of the Personal Information Protection Commission, presents a plan to shift to a prevention-centered personal information management system during the Emergency Economic Headquarters meeting combined with the Economic Ministers and National Startup Era Strategy meeting and the Real Estate-Related Ministers meeting at the Government Complex Seoul in Jongno-gu, Seoul, on the 22nd. /Courtesy of Yonhap News

The Personal Information Protection Commission said improvements are needed for the facial authentication system being piloted by the Ministry of Science and ICT for activating mobile phone service.

The Personal Information Protection Commission said on the 27th that it held its 10th plenary meeting and voted to recommend improvements to the Ministry of Science and ICT regarding the facial authentication system for activating mobile phone service.

As part of the government's joint "comprehensive plan to eradicate voice phishing," the Ministry of Science and ICT has been piloting a facial authentication system in the process of activating mobile phone service since Dec. 23 last year. Under the method, the photo on the ID presented at activation is compared in real time with the user's actual face to confirm whether they are the same person.

The Personal Information Protection Commission determined that, in the process of the Ministry of Science and ICT introducing biometric information—which requires stricter control than general personal information—as a means of identity verification, review from the perspective of personal information protection was insufficient.

Because biometric information is sensitive information under the Personal Information Protection Act, it can be processed only with the data subject's consent or a legal basis. It said it is unclear under current related laws, including the Telecommunications Business Act, whether facial information can be used as a means of identity authentication.

The Personal Information Protection Commission also cited as a problem that refusing consent is in effect difficult. It determined that the scope of personal information processed in the contractor's system likewise needs to be minimized.

Accordingly, the Personal Information Protection Commission recommended that the Ministry of Science and ICT fully review, before formal implementation, the necessity of introducing the system, its scope of application, and its effectiveness, suitability, and proportionality, given the sensitivity of processing biometric information. It also asked the ministry to operate the system according to the principle of privacy-by-design and to prepare measures to comply with the protection law, considering proportionality between restrictions on data subjects' rights and the intended purposes.

The Personal Information Protection Commission said it will check whether the recommended improvements are implemented and will support efforts to promote a pan-government voice phishing prevention plan in a safe personal information processing environment.

※ This article has been translated by AI. Share your feedback here.