개정 개인정보 보호법과 일본법의 비교 연구 - 데이터의 국내외 이전을 중심으로 -

The Republic of Korea began reforming the Personal Information Protection Act(PIPA) of version 3.0 to keep pace with the implementation of the EU GDPR and the changes in the ICT society of the Fourth Industrial Revolution. Japan has already amended the Personal Information Protection Act in 2015 and pushed for a change to version 3.0, proving its effectiveness through the phased implementation of GDPR and recognized adequacy decision from the EU in 2019. In the South Korea, the reform of PIPA was amended in 2020, but the reform should continue to promote to Version 3.0 to enable international change, the development of the ICT industry environment and privacy. Japan act can be an effective benchmark. Therefore, it is necessary to compare and analyze the Korean Personal Information Protection Act and the Japanese Personal Information Protection Act, focusing on the ecosystem on the transfer of data in and out of Countries in 2020. Article 24 of the Personal Information Protection Act of Japan states “A personal information handling business operator obtains a principal’s consent to the effect that he or she approves the provision to a third party in a foreign country, excluding those prescribed by rules of the Personal Information Protection Commission as a foreign country establishing a personal information protection system recognized to have equivalent standards to that in Japan in regard to the protection of an individual’s rights and interests”. And the EU and Japan made efforts to assess adequacy level. In January 2019, the EU and Japan recognized mutual adequacy decision. On the other hand, in the amended act of Korea in 2020, there was no provisons regarding mutual adequacy decision, to provide for the transfer of overseas. However, there is only the principle of reciprocity clause in article 39-13 of the amended act. In the end, we should follow up to ensure that the deficiencies in these regulations have no negative impact on the EU's adequacy decision. On the other hand, Japan has a provision for joint use in accordance with paragraph 5 of article 23 (Limitation of Third Party Provisions), cases in which personal data is provided accompanied by a personal information handling business operator entrusting a whole or part of the handling of the personal data within the necessary scope to achieve a utilization purpose and personal data to be jointly utilized by a specified person contributes to the free use of data by Japanese companies that have passed the adequacy assessment from the EU. The Republic of Korea should continue to review and further work on subsequent acts to upgrade to the Personal Information Protection Act 3.0, which uses both wings of data and protection simultaneously.