슈렘스 Ⅱ결정 후 유럽데이터보호위원회(EDPB) 권고에 대한 평가- GDPR의 위험기반접근을 중심으로 -

This paper analyzed the adequacy evaluation of personal information processing through a risk-based approach. From the Schrems I judgment to the recommendations of the European Data Protection Board as a follow-up measure to the Schrems II judgment, the method of regulation for cross-border transfer of personal information is developing in a way that imposes an excessive burden on the personal information controller. This trend is connected to the inherent limitations of the right in terms of the ‘risk’ of privacy infringement as the essence of the protection area of the right to self-determination of personal information, along with the discussion on the interpretation of ‘proper processing’. In other words, from the meaning of ‘appropriate measures’ and ‘risk’, it will be said that the regulation of personal information protection requires a case-oriented approach. EU-US Privacy Shield were nullified in the Schrems decision. This was an important judgment related to the evaluation of the adequacy of the level of personal information protection in the country to which the data was transferred. As a result, cross-border transfer of data is only possible under a standard contract clauses(SCCs) based on Article 46 of the GDPR. After the Schrems ruling, the European Data Protection Board has issued a recommendation with additional measures, which is evaluated as a rigid discipline that places excessive responsibility on data processors. GDPR has a risk-based adequacy evaluation factor as well as proportional personal information processing according to the protection density of personal information. The European Data Protection Board recommendations are an additional, near-zero risk measure that results in excessive restrictions on data use.