입법의 개인정보 리스크 관리에 관한 연구 ― ｢개인정보 보호법｣과의 체계정합성을 중심으로 ―

The rapid advancement of digital transformation and the widespread adoption of artificial intelligence (AI) technologies have led to an exponential increase in the use and processing of personal data across all sectors of society. Reflecting this reality, legislative initiatives are frequently being pursued to establish legal grounds or create specific regulatory frameworks for the processing of personal data in individual sectors such as healthcare, welfare, education, and public administration. These legislative efforts generally aim to achieve public-interest objectives—including improving the efficiency of government operations, enhancing public services, and promoting the development of digital industries in particular fields—and are thus recognized as necessary and legitimate. However, as laws that regulate the processing of personal data inherently restrict the fundamental right to informational self-determination, such legislation must comply with the constitutional limits on restrictions of fundamental rights. At the same time, efforts should be made to seek a “third way” that both pursues public interest and realizes individuals’ right to control their personal information. The Personal Information Protection Act(PIPA) specifies the concrete rights of data subjects and the corresponding obligations of personal data controllers to realize the constitutional right to informational self-determination. Therefore, ensuring consistency and coherence between newly enacted laws providing legal grounds for personal data processing and the PIPA serves as both a useful standard and a method for safeguarding constitutional rights. In the case of government-initiated legislation, the “Personal Information Impact Assessment” system established under Article 8-2 of the PIPA allows the Personal Information Protection Commission(PIPC) to review proposed legislation in advance for consistency with the PIPA and to recommend improvements when necessary. This assessment system should be utilized more actively than before. However, legislation proposed by members of the National Assemblyis not subject to this impact assessment system. Although the PIPC may provide its opinion when consulted by relevant ministries during the legislative process, this mechanism is insufficient to operate in a stable and systematic manner comparable to the formal assessment process. This study emphasizes that legislation concerning personal data processing must be designed in a way that protects the rights of data subjects. It aims to propose specific criteria for ensuring systematic consistencybetween such legislation and the PIPA, thereby aligning with the realization of informational self-determination and the fundamental principles guaranteed by the PIPA. By analyzing and critically examining legislative cases that do not conform to the intent and principles of the PIPA, this study offers concrete recommendations for incorporating personal data protection considerations into the legislative process. Furthermore, it presents the rationale for why legislation governing personal data processing must maintain systematic consistency with the PIPA and uphold the core principles of personal data protection.