Academic paper | 경영법률 | Published 2014.04 | KCI citations: 3

개인정보 유출통지제도의 효과적인 운영 및 개선방안

Reform Proposals for Effective Operations of Korea's Data Breach Notification Law

이대희 (Korea University)

Vol. 24, No. 3, pp. 461-499

Abstract

Under data breach notification law, a person or business that owns or licenses data that includes personal information is required to notify the data subject of a breach of the security system of personal information. Since the enactment of California's data breach notification law in 2003, forty-five other states of the United States have enacted notification laws. Korea adopted a data breach notification law under which a personal information controller is supposed to notify the subject of the breach. While Korea's legislation is expected to improve practices of personal information protection, it would be more effective with some amendments. This paper offers several proposals to improve the operation of data breach notification in Korea. First, publicly available information that is lawfully made available to the general public by the government needs to be excluded from the scope of personal information, although its definition is flexible enough to cover new types of sensitive personal information. Second, an encryption exemption is necessary so that the controller is not required to notify the breach if the data that includes personal information has been encrypted. It will create incentives to adopt encryption, improving protection practices, and would alleviate the burden on the controller. Third, Korea's legislation should require, in addition to the acquisition of personal information by a third party, an additional element of harm to trigger notification. This additional element will limit unnecessary breach notifications, preventing the subject from becoming desensitized through over-notification.


Publisher: 한국경영법률학회
Category: Law
