개인정보보호법상 자동화된 결정 조항의 해석

Automated decision-making, despite its high efficiency and consistency, raises various concerns. The new provision on the rights of data subjects in response to automated decision-making (Art. 37-2 of the amended Korean PIPA) is expected to address these concerns. The provision has been influenced by the EU GDPR, but there are still differences in terms of structure and content. This study attempts to compare the two legal systems and derive improvement measures. The above-mentioned article has the following differences compared to the GDPR: i) It strengthens the requirements for the right to object. ii) It clarifies the legal nature of the right to object as ‘right.’ iii) It does not address the data subject protection measures in cases where the right to object is not granted. iii) It explicitly approves the right to explanation. iv) It specifies the obligation to disclose information. v) It does not have any provisions on profiling. vi) It does not provide special protection for sensitive information or children in relation to automated decision-making. The main issues requiring legislative improvement are as follows: With regard to the data subject's right to object, it is necessary to clearly regulate the effect of exercising the right to object and to specify the legitimate grounds on which the personal information processor may be exempted. With regard to the right to explanation, it is necessary to clarify and specify the requirement for the right to explanation, to specify categories of information subject to the explanation, and to grant immunity to the controller with legitimate grounds in the case of the obligation to disclose.