자동화된 의사결정의 일반적 금지 원칙에 대한 EU사법법원의 첫 판결 분석

The recent ‘Schufa (Scoring) judgment’ of the Court of Justice of the European Union (CJEU) has clarified several critical issues concerning the interpretation and application of Article 22 of the GDPR regarding automated decision-making. The court affirmed that profiling, such as individual credit scoring based solely on automated processing, which produces legal effects or similarly significantly affects the data subject, as exemplified by a loan decision in this case, is prohibited in principle. In addition, the judgment provided detailed guidelines on the modalities and timing for the exercise of data subjects’ rights, including the right to ‘know and obtain communication’ regarding the processing under Article 15. This decision is anticipated to have a significant impact upon the interpretation of the new provisions in Korea’s Personal Information Protection Act (PIPA) regarding profiling using artificial intelligence and other automated technologies. Despite the similarities in the subject and content, Article 22 of the GDPR and Article 37-2 of the PIPA have notable differences in the legislative structure and application:the PIPA does not prohibit fully automated decision-making in principle. In light of the object and purpose of the new provision to protect data subjects in the AI era, and given the extraterritorial reach of the GDPR, the implications of the Schufa (Scoring) judgment warrant additional legislative measures to ensure and harmonise the human-centric approach to the relevant provisions in Korean law.