일본법상 개인관련정보에 관한 연구 ― 일본 개인정보보호법 가이드라인을 중심으로 ―

Online behavioral information, even if non-identifiable at the stages of generation and collection, possesses the character of so-called “dynamic information” in that it may acquire identifiability when it is accumulated over a long period and processed and utilized in connection with other information. Today, although Big Tech firms such as Google and Meta collect, analyze, and use behavioral information originating from other companies, they often fail to provide clear notice to data subjects or obtain prior consent on the ground that behavioral information, by itself, makes it difficult to identify individuals. However, the current Korean Personal Information Protection Act (PIPA) contains no explicit provisions on behavioral information. Although the ‘Guideline on the Protection of Personal Information in Online Targeted Advertising’, enacted in 2017, regulates behavioral information, it does so only in a rudimentary manner and, being administrative guidance of a recommendatory nature, it is very difficult to use it as a basis for actively constraining the above practices of Big Tech companies. Against this backdrop, this study undertakes a comparative analysis of legislative frameworks governing behavioral information in Japan, the United States, and the European Union, derives implications therefrom, and proposes a legislative direction for the protection of behavioral information in Korea. While national regulatory architectures differ, recent trends in the United States and the European Union point toward expanding the statutory scope of “personal information” so as to cover behavioral information and toward strengthening the responsibilities and obligations imposed on Big Tech platforms. In particular, Japan introduced the concept of ‘information related to personal information’, which is analogous to Korea’s behavioral information, through the 2020 amendment to the Act on the Protection of Personal Information(APPI), and, in August 2021, through the sixth amendment to the APPI Guidelines(General Rules), newly set forth provisions on ‘information related to personal information’. These guidelines concretize the regulation of personal-related information by, inter alia, presenting detailed rules and examples regarding restrictions on third-party provision of ‘information related to personal information’. Specifically, the guidelines provide, in great detail, on such matters as the applicability of the restriction on third-party provision, methods of obtaining the data subject’s consent, methods of confirming the acquisition of consent, the provider’s obligations of record-keeping, verification, and retention, and the record-keeping obligations of the receiving third party. In short, Japan has comparatively well established a regulatory scheme for ‘information related to personal information’ by linking statutes, cabinet orders, rules, and guidelines. Korea is currently preparing to revise its guideline for the protection of online behavioral information, and Japan’s guideline offers important implications for the direction of Korea’s forthcoming revisions. Building on these implications, this study proposes the following legislative directions for regulating behavioral information. First, PIPA should include an explicit statutory basis for ‘behavioral information’. Second, the 2017 ‘Guideline on the Protection of Personal Information in Online Targeted Advertising’ should be comprehensively revised—or a new guideline enacted—to provide detailed rules on the protection of behavioral information. Third, both statutes and guidelines should strengthen the principle of prior notice and explicit opt-in consent. Fourth, statutes and guidelines should introduce obligations of verification, record-keeping, and retention on the part of relevant businesses when behavioral information is provided to third parties, applying to both the disclosing provider and the receiving third party. Fifth, guidelines should adopt a regular revision cycle and a system of periodically soliciting public comments and revising the guideline in light of the results.