A Comparative Analysis of Personal Data Protection in AI Training under Korean and EU Law
김경숙 (Sangmyung University)
No. 32, pp. 151-190
Abstract
The development of artificial intelligence technologies presupposes the large-scale collection, analysis, and use of data, among which personal data functions as a core resource that directly affects the performance of AI systems. In particular, with the rapid diffusion of generative AI and large language models, diverse forms of personal data—such as web posts, images, voice data, and location information—are increasingly used as training data. This development raises a fundamental question as to whether existing data protection regimes are capable of adequately regulating AI training environments. While data utilization is indispensable for the advancement of AI, indiscriminate collection and use of personal data entail serious risks to informational self-determination, intensifying the tension between technological innovation and the protection of fundamental rights. In this context, on 12 June 2025, a Korean court ruled that the use of personal data without the data subjects’ consent in the training of the AI chatbot Iruda violated the Personal Information Protection Act. This judgment is the first Korean case to clarify how data protection law applies to the processing of personal data for AI training, and therefore carries significant legal importance. AI training involves large-scale, repetitive data processing, the use of unstructured data beyond the original purposes of collection, and an increased risk of re-identification, all of which place AI training data at the center of contemporary data protection challenges. Meanwhile, in 2024 Korea enacted the Framework Act on the Development of Artificial Intelligence and the Establishment of a Trust-Based Foundation, creating a comprehensive legal framework governing the development, deployment, and use of AI.
Internationally, the relationship between AI training data and personal data protection has also become a major regulatory issue: the European Union operates the GDPR alongside the AI Act, while the United States relies primarily on sector-specific regulation and case law. Korea, like the EU, adopts a dual-track structure combining a general data protection law with a comprehensive AI statute. Against this background, this article undertakes a comparative analysis of Korean and EU law on the protection of personal data in AI training, using the Iruda case as a focal point.
- Publisher: IT와 법연구소
- Classification: Other Law