개인정보 비식별 조치 가이드라인의 법적 문제와 개인정보보호법제 개선방향

We stand at the dawn of the fourth industrial revolution, in which the promotion of the ICT industry, which includes areas such as cloud computing, big data, and internet of things, can have substantial impact on the future of countries. As the ICT industry grows, so do voices of concern over the privacy risks it may pose on personal information. However, without the utilization of personal information, the ICT industry, which is based on the use of information, cannot seek further development. The Korean legislation has been continuously reinforced after large-scale infringements of personal information, but such reinforcements resulted in hampering the development of the ICT industry. Hence, the Korean government proposed the Guideline on De-identification of Personal Information which provides for the use of effectively de-identified information for conducting big data analysis and other such activities. It is welcome news that the government has proposed a guideline that aims to promote the legitimate utilization of personal information amid excessive regulation. The guideline is also meaningful in that it provides a guide for interpretation for those ambiguous situations where it is unclear whether an information is personal. However, the guideline has its problems: first, the terminology “de-identification” is not clear in substance; second, service providers are overburdened with the obligation to conduct regular monitoring as a form of post management; third, personal information can still be invaded by combination support of de-identified information; and fourth, there it does not stipulate obligations of service providers that corresponds to the use of personal information. Furthermore, it sets down the concept of personal information and the right to consent, which are the core contents of personal information protection legislation, and therefore contravenes the form of law. Countries around the world are setting up their legislation regarding the protection of personal information. Among them, the GDPR of the EU and the Personal Information Protection Act of Japan are full of suggestions. The development of IoT and big data eventually will bring about changes in the protection system of personal information, which builds upon the concept of personal information and the right to consent. In this paper, building on the criticism against foreign legislation and the guideline set forth by the Korean government, will propose a way to improve the personal information protection legislation. The strict opt-in method used for consent shall change, and eventually the responsibilities of the personal information manager shall be fortified in order to protect personal information while at the same time also protecting the value of personal information utilization.