가명정보의 활용과 개인정보자기결정권 - 대법원 2025. 7. 18. 선고 2024다210554 판결 -

Article 28-2 of the Personal Information Protection Act in Korea stipulates that "the transactor of personal information may process pseudonymized information without the consent of the data subject for statistics preparation, scientific research, and record of public interest." However, users who recently signed a mobile communication service use contract with the mobile communication company filed a lawsuit requesting the suspension of processing personal information. Their assertion is that in accordance with Article 28-2 of the Personal Information Protection Act, personal information should not be pseudonymized in order to use it for purposes such as statistics preparation. In response, the courts of the first and second trials distinguished between "pseudonymization" and "pseudonymized information processing" and cited the plaintiffs' claims, saying that they could not reject the request for suspension of processing of personal information under Article 28-2. In response, the Supreme Court ruled the opposite of the lower court rulings, saying that pseudonymization is not subject to a request for suspension of processing. In a recent amendment of Personal Information Protection Act, pseudonymization was introduced as a key system to reduce the risk of re-identification by lowering the identification of personal information and to maintain the value of data utilization while mitigating the infringement of personal information. However, in the process of continuously storing, processing, combining, and calculating personal information, the value of information utilization must increase and the possibility of re-identifying the data subject cannot be completely excluded. As a result, how far the data subject can exercise control over his or her personal information in the pseudonymization stage emerges as an important issue. However, under the current legal regulations, it is not clearly defined whether the right to request suspension of processing is recognized even for pseudonymized information, and there is still room for interpretation. The Supreme Court, meanwhile, ruled that the data subject cannot be granted the right to request suspension of processing information under Article 37 of the Personal Information Protection Act, regardless of whether pseudonymization is done of not if special provisions on the processing of pseudonym information are applied in the subject case. 'Pseudonymization' is a functionally inseparable preceding step that enables the utilization of pseudonymized information, and it is not considered appropriate to segment this as an overly logical problem. The EU 'General Data Protection Regulation (GDPR)', which has had a great influence on the revision of Korea’s Personal Information Protection Act, also stipulates only the processing of pseudonyms. In addition, in recent cases (CJEU, EDPS v SRB, C-413/23 P (September 4, 2025)), the European Court of Justice tends to judge pseudonym information as non-personal information based on GDPR. In recent years, when discussing the Right to Informational Self-Determination in Korea and Japan, the main view is that there is no absolute right to protect personal information unconditionally, and that it should be understood in conjunction with the question of how to guarantee individual personal autonomy in a society where information collection, processing, and usage are common. If the processing suspension is admitted, the protection effect may weaken because storage and application of additional information is required on the premise of re-identification. Moreover, the benefit of using pseudonymized information is greater than the benefit of the recognition of processing suspension for the reason of adopting pseudonymized information system is that the use of data is essential in the era of big data. Considering these points, the Supreme Court's judgment is considered very valid.