개인정보 수집, 이용, 제3자 제공에 관한 4개국 법제 비교분석

This paper compares and analyzes the Personal information protection legislation of Korea, EU, Japan, and the United States, concerning the collection of personal information, the out-of-purpose use, and the third-party provision. Regarding the consent to collect personal information, even the EU, which takes opt-in approach, does not require prior consent for contractual necessary personal information. Japan and the United States, which take opt-out approach, of course. In Korea, however, Article 22 (3) (1) of Act On Promotion Of Information And Communications Network Utilization And Information Protection requires that “if the personal information is obviously difficult to get consent in an ordinary way due to any economic or technical reason.” Because of this, meaningless consent is repeated about contractual necessary information. It is necessary to delete that clause. Regarding the out-of-purpose use, EU, Japan and the United States permit it in cases where it can be foreseen from the view point of data subject and does not cause actual infringement. On the other hand, Korea tends to acknowledge the use of personal information very narrowly. Regarding the provision of personal information to third parties, In Korea, the recipient of personal information must be consented to by specifying the name of the individual or corporation. EU, Japan and the United States solve this problem by a legislation of collective use of personal information(‘Joint Controllers’) or by allowing consent to ‘categories of recipients.’ The amendment to the law on de-identification on personal information was initiated by the National Assembly on Nov. 15, 2018, but the amendment is not including measures to improve above three issues. Social consensus on this part is also critical.