개인정보 침해로 인한 비재산적 손해의 인정기준에 관한 비교법적 고찰 －한국 판례와 EU GDPR의 해석을 중심으로－

Amid accelerating digital transformation, countries around the world, including Korea, are increasingly reorganizing their social and economic structures around the use of personal data as a core resource. Sectors such as platform-based industries, artificial intelligence services, targeted advertising, and digital healthcare actively rely on personal data, rendering its collection and utilization an everyday occurrence. This shift underscores the increasing need for substantive legal protection of data subjects against infringements of their informational privacy. In many cases, the harm suffered by data subjects takes the form of non-material damage. Korean courts, while in principle allowing claims for compensation for non-material damage, determine on a case-by-case basis whether such damage has actually occurred, taking into account various factors including the possibility of third-party access. This approach reflects an effort to strike a legal balance between the protection of the data subject’s personality rights and the societal or industrial necessity of utilizing personal data, while also delimiting the scope of corporate liability. Meanwhile, the European Union’s General Data Protection Regulation (GDPR) has become a global standard for personal data protection and has substantively influenced the development and revision of Korea’s Personal Information Protection Act. Article 82 of the GDPR provides that data subjects who have suffered either material or non-material damage as a result of a GDPR infringement are entitled to compensation. The Court of Justice of the European Union (CJEU) has, through recent rulings, provided concrete interpretative criteria regarding the concept of non-material damage, the scope of its recognition, and the conditions under which it arises. These rulings recognize the loss of control over personal data and reasonable fears of potential future misuse as forms of non-material damage, thereby enhancing the effectiveness of data subject protection. This article undertakes an in-depth analysis of key rulings by the CJEU interpreting Article 82 of the GDPR, with the aim of conducting a comparative legal examination in light of the Korean legal framework and drawing implications for the substantive enhancement of data subject protection. In addition, based on an analysis of the content and limitations of the punitive damages and statutory damages schemes introduced through the 2015 amendment to the Personal Information Protection Act, this article highlights the need to clarify the legal criteria for recognizing emotional distress and to develop concrete guidelines for calculating the amount of non-material damages. Such institutional reforms would serve as a key foundation for not only ensuring the substantive protection of data subjects’ rights, but also enhancing corporate accountability for personal data infringements and promoting the establishment of preventive compliance systems.