디지털 고도화와 개인정보의 보호와 활용

In the era of a data economy, data has emerged as the core of economic activity. The extensive use of data can foster competition, enhancing consumer convenience and accelerating technological development. However, it also introduces uncertainties in data processing, expanding risks related to the abusive use of data. In this context, personal information protection legislation serves as a primary regulation to protect data and a ‘legal restriction’ on data utilization. It also plays a role in promoting the secure data utilization by preventing the risk of data abuse. Consequently, it is a prevalent issue finding ways for safe data utilization faced by many countries, including South Korea. Specifically, it is asserted that data utilization is constrained in South Korea due to stringent personal information protection legislation. In such circumstances, to progress toward personal information protection legislation that balances data utilization, the legislation should extend beyond solely the personal information protection to encompass the free flow and utilization of personal information. For generated data, it is necessary to include cases under regulation not based solely on whether they contain personal information, but rather if there is a potential for privacy infringement. For instance, in situations like profiling, where it is difficult for the data subject to be aware of the profiling activities, enhancing information disclosure is necessary. In case of the data processing stage, there is a need to allow the collection and transfer of personal information through various means, including opt-out options, in addition to prior consent. To enhance responsibility for personal information processing, there is a need to strengthen the obligation of information provision and to introduce a presumption system that does not recognize the effectiveness of deceptive acts. Additionally, it should be considered to implement an evaluation system for contract terms involving personal information consent and the active use of a representative system for the exercise of data subject rights. Regarding the right to request data transfer, it is necessary to include generated data within the scope of rights, and there should be a reduction in responsibilities for personal information transfer in cases where the benefits to the data subject are significant. In the data anonymization stage, there is a need to standardize the degree of pseudonymization and anonymization as procedural concepts. Relaxing regulations on pseudonymous information, including allowing limited re-identification and reducing liability, is essential. Finally, in the data disposal stage, retention periods can be flexibly determined based on the purpose of personal information processing. However, when personal information is disposed of earlier than the originally specified retention period, there should be an obligation to notify the data subject. Notably, the recent revision of the ‘Personal Information Protection Act’ on March 14, 2023, reflects major elements of the EU General Data Protection Regulation (GDPR). Thus, the legal framework for personal information protection is considered sufficient. However, it is necessary to scrutinize the details and enhance coherence to improve effectiveness in the future.