EU 개인정보 국외 이동 규정의 유용성

The issues regarding personal data are at the center of private, legal and economic life. Especially, the issue of transferring personal data beyond borders is one of the most critical issues in the global information age. EU Data Protection Directive and General Data Protection Regulation, ones of the strictest global regimes to protect personal data, are thought to be useful cross-border data transfer rules. According to the EU rules, the EU citizen personal data, in principle, cannot be transferred to a third country outside the EU unless the third country has adequate personal data protection. While, according to Personal Information Protection Act, once consent is obtained from the subject of personal data, his/her personal data can be freely transferred abroad, regardless of the level of personal data protection in countries to which personal data is transferred. Also, EU rules distinguish a processor from a controller, while Personal Information Protection Act just defines a processor, meaning the party to collect, create, link, interwork, record, save, hold, process, edit, search, output, correct, recover, use, provide, disclose, destroy personal information, and other acts similar thereto. Therefore, considering adequacy of personal data protection in transferring personal data abroad would be useful, and the term “a personal data processor” under Article 2(5) of the Personal Information Protection Act should be considered to explicitly distinguish a data manager or a data controller from a data processor or a data handler and to avoid confusion and evasion of personal responsibility.