생성형 AI의 포괄적 로그 데이터 보존 명령의 법적 한계와 이용자 보호를 위한 규범 설계

This study examines the legal limits of comprehensive log data retention orders in generative AI services, with a focus on conversational models such as ChatGPT, and explores normative frameworks for user protection. Log data generated by these services extend beyond simple prompts and outputs to include metadata such as timestamps, session identifiers, IP addresses, and device information, which can indirectly reconstruct a user’s identity, behavior, and interests. Recent court cases have begun to mandate broad retention of all output logs, regardless of user intent or relevance to specific disputes, thereby exceeding the scope of traditional evidence preservation. Such orders raise significant concerns, including violations of data minimization and purpose limitation principles, privacy and freedom of expression risks, cross-border data transfer conflicts, and technical and operational burdens. The paper first analyzes the legal nature and constitutional limits of log retention through the lens of GDPR provisions, comparative jurisprudence (e.g., Digital Rights Ireland, Tele2 Sverige, Carpenter v. United States), and U.S. case law. It then evaluates the practical impacts on generative AI users, highlighting risks of privacy infringement, intellectual property issues, and chilling effects on expression. Finally, it proposes a multi-layered regulatory framework that combines legal, policy, and technical safeguards: narrowing the scope and duration of retention orders, adopting anonymization and pseudonymization techniques, and strengthening independent oversight mechanisms. The study concludes that comprehensive log data retention can only achieve legitimacy and effectiveness when accompanied by strict limitations and robust user protection measures.