Telecom Carriers Can't Delete Your Data
When you say what a privacy officer does, most people picture roughly the same thing. Tweaking consent forms, revising the privacy policy, auditing outsourcing vendors, filing a report when there's a breach. The skeleton doesn't change much across industries.
But a mobile carrier has one more thing bolted on: handling data-production requests that come from investigative agencies. MVNOs (알뜰폰 operators) are no exception. There's a paper that takes on the legal structure of this work head-on (Park Hee-young, Criminal Law Research Vol. 35 No. 1), and reading it, it was more tangled than I expected.
What is communication metadata
Article 2(11) of the Protection of Communications Secrets Act (PCSA) enumerates seven items exhaustively: the subscriber's telecommunication date/time, start and end times, originating and terminating numbers, usage frequency, computer-communication and internet log records, base-station location data for the sender, and access-point tracing data.
It's not call content. It's data about who communicated with whom, when, how much, and where they connected from. What's commonly called "metadata." In a 2018 decision (2012Hun-Ma538), the Constitutional Court held that although this data is non-content information, it is an essential element constituting the freedom of communication.
Investigative agencies can request this data under PCSA Article 13, and telecommunications operators must cooperate under Article 15-2. Article 41(2) of the Enforcement Decree sets retention periods: depending on the type of data, "3 months or more," "6 months or more," or "12 months or more."
A duty to delete and a duty to retain collide head-on
This is the point that's interesting for a privacy officer.
PIPA Article 21(1) says that when personal data becomes unnecessary because the retention period has passed or the processing purpose has been achieved, you must destroy it without delay. The same goes for communication data. Once a call ends and billing is settled, that communication record is data you're supposed to delete.
But the PCSA Enforcement Decree tells you to keep it for 3, 6, or 12 months. The proviso to PIPA Article 21(1) says not to destroy data when it must be preserved under another statute, and Article 21(3) says such preserved personal data must be stored and managed separately from other personal data.
Here's where the paper's core argument comes in. The PCSA has no explicit wording that says "retain." There's only a duty to cooperate and a retention period. So the author derives the legal basis for retention from the combination of PIPA Article 21(3) (the duty to store and manage separately) and its penalty provision, together with PCSA Article 15-2 and Enforcement Decree Article 41. Only by joining the two laws does a retention obligation come into being. And since a penalty is attached, the author treats this as a mandatory rule, not a discretionary one.
Translated for a practitioner: deletion is the principle, but there's data you can't delete, it has to be set aside and managed separately, and if you don't, you get an administrative fine. And when an investigative agency requests it, you have to hand it over. This disclosure, too, amounts to disclosure beyond the purpose under PIPA Article 18(2), and the paper regards it likewise as a legal obligation.
MVNOs are covered too
The PCSA's "telecommunications operator" covers both facilities-based and value-added telecom operators. The paper points out that even the provider of KakaoTalk becomes a party obligated to retain communication metadata, noting that our scope is far broader than Germany's. Germany narrowly limits the obligated parties to those under its Telecommunications Act and excludes telemedia service providers.
MVNOs (알뜰폰) are registered as telecommunications operators, so they fall inside this structure too. That said, the boundary between the data held by the facilities-based operator that leases the network and the data an MVNO holds on its own, and which way an actual request is routed, can differ by business structure, so that's a part that needs separate checking.
This regime could get shaken
The paper's real subject is unconstitutionality.
In 2022, the Court of Justice of the European Union ruled that the traffic-data retention provisions of Germany's Telecommunications Act violated Articles 7 (private life and communications), 8 (protection of personal data), 11 (freedom of expression), and 52(1) of the EU Charter of Fundamental Rights (C-793/19, C-794/19). Retaining the communication records of all citizens, without distinction and regardless of any criminal suspicion, for a set period exceeds the limit of strict necessity. Such retention, the Court said, should be the exception in a democratic society, not the rule.
The Court allowed two exceptions: targeted retention and expedited retention (so-called quick freeze). The former narrows the targets by objective criteria before retaining; the latter, under court control, orders operators to promptly preserve data they already hold.
The author says that applying this reasoning to our rules, the same conclusion could well follow. We, too, systematically retain the communication metadata of the entire population with no criminal suspicion, and on top of that, unlike Germany, we don't limit it to "particularly serious crimes" but target all crimes, and the retention scope even includes data related to value-added telecom services. The likelihood of a fundamental-rights infringement is, if anything, higher.
The regime won't change overnight, but if you're a privacy officer at a carrier, you probably ought to know where this discussion is heading.
What changed after the paper
One thing snagged me while reading.
The paper repeatedly cites the old PIPA Article 39-3(2) (the special provisions for information and communications service providers) as the basis for collecting communication data without consent. But this paper was published in March 2023, and at that very moment PIPA was amended and the entirety of Chapter 6, the special provisions for ICS providers, was deleted (amended 2023.3.14).
What's nasty here is that it didn't end with deletion. In the same amendment, as Chapter 6 was pulled out, its numbering was refilled with a provision about damages litigation. So if you look up Article 39-3 now, you get a completely different provision titled "Submission of Materials." The provision is marked not as "newly inserted" but as "wholly amended." The number stayed the same while the content was swapped out entirely, so if you follow an old text's citation as-is, you arrive at the wrong provision.
Consent-free collection for performing a contract is now consolidated into the general provision, Article 15. The paper's conclusion (that the basis for retention is the combination of Article 21(3) and the PCSA) survives intact on its own, since Article 21 is a general provision. But when citing, the article numbers have to be updated. It was a fresh reminder that a statutory citation is a snapshot of the moment it was published.
Source
- Park Hee-young (2023), "The Legal Basis and Nature of Communication Metadata Retention," Criminal Law Research 35(1), 239–274. DOI 10.21795/kcla.2023.35.1.239