인공지능(AI)과 개인정보규범의 긴장관계 해소방안에 관한 연구

This paper analyzes the growing tension between generative AI systems and existing data protection frameworks, focusing on the limitations of traditional privacy principles in addressing the AI data lifecycle. In AI development and deployment, personal data are processed continuously—from data collection and training to model deployment and reuse—often beyond the awareness or control of data subjects. Drawing on regulatory and judicial developments in Europe and the United States, including cases involving ChatGPT and Clearview AI, the paper shows that even publicly available personal data cannot be freely collected and reused for AI training without an adequate legal justification. It further highlights how personal data may become embedded in trained models, giving rise to risks such as memorization and inference-based disclosure. This paper argues that data subject rights, particularly the right to erasure, become difficult to exercise once models are trained, as deletion may imply model-level unlearning, which entails significant technical and normative challenges. It concludes by proposing a functional and risk-based reinterpretation of the principles of purpose limitation and data minimization, as well as data subject rights, to ensure effective privacy protection in the AI context.