개인정보보호법에 의한 자동화된 결정의 규율

Automated decision-making is on the rise due to its efficiency and consistency. However, concerns have been raised regarding human dignity, privacy, freedom, democracy, and fairness. To address these concerns, various legal measures, including data protection laws, anti-discrimination laws, artificial intelligence regulations, and administrative laws, have been under consideration. Among these, data protection laws, characterized by their comprehensive, preventive, and instrumental nature, have garnered the most attention. The provision on the right to object to automated decision-making newly established in Article 37-2 of the revised korean Personal Information Protection Act is highly appreciated in that it attempted a balanced and rational regulation compared to its parent, the GDPR. However, there are a few things to consider for more desirable operation. First, it is necessary to consider technical limitations. This is because it is not possible to demand something that is technically impossible in social norms. In particular, it is necessary to consider the black-box characteristics of artificial intelligence technology, the conflict between performance and transparency, and the limitations of fairness metrics. Second, it is necessary to avoid rigid and excessive regulations, considering the characteristics of procedural and means-oriented regulations for new technologies. Third, it is necessary to operate by taking into account the situation and context. In particular, it should be kept in mind that private autonomy and balancing of interests should be prioritized in the private sector, unlike the public sector. Fourth, it is necessary to find an appropriate balance between autonomy and guardianship. The fact that the right to object is granted to the data subject to control the risks of automated decision-making itself is a self-regulatory approach. Even in cases where some supervisory approach is needed, self-regulation should be prioritized.