위치정보의 보호를 위한 형법적 고찰 -범죄수사를 위한 위치정보의 수집 및 활용에 대한 통제방안를 중심으로-

김봉수 전남대학교 법학연구소 2012 법학논총 Vol.32 No.3

As IT technology develops further and the use of smart phones become popular, the potential for utilization of the personal information contained in the location information is increasing. On the other hand, The possibility of misuse of the personal information and location information is also increasing more and more. Some representative examples of information misuse are the collecting and tracking of personal location information without the concurrence of a principal agent of information. Recently, Korea have enacted 「Law on the protection and use of location information」to protect privacy against the leak, abuse and misuse of location information, promote a safe environment for using location information andre invigorate the use of location information, and thus contribute to the improvement of national life and the promotion of public welfare. Especially, the law prohibits from collecting of location information(Article 15) and circumscribe collecting of personal location information within the consent of personal location information subjects(Article 18). But, exceptionally, to protect life and bodies from imminent dangers, the law allows using of personal location information for emergency relief(Article 29). However there’s a limit and vacuum as to the application of this law. First of all,there is no mention of the use and limit of personal location information for a criminal investigation. Today, the investigative agency, using personal information and location information, rides down the suspect and gathers evidence. The collection routes of personal location information for a criminal investigation can be segment broadly into three groups as ① ‘direct-collection method’ , ②‘indirect-collection method’ and ③ ‘personal information-collation method’. Of course, the procedural control methods by a seizure and search warrant in the Criminal Procedure Code can be one of the alternatives. But because of ‘ex-ante’trait of the location tracing and detection by collecting and collating a personal information, the existing procedural control to seize material evidences is not sufficiently complete merely. In my opinion, referencing to communications restriction measures of 「Protection of Communications Secrets Act」, it is keenly necessary to regulate concretely ① the legal grounds, ② the agreement procedure as the requisite of permission, ③ the scope and limits of collecting and collating informations for a criminal investigation and ④ ex-post control devices as the ‘notice system’. 기술-사회의 연동적인 변화 속에서도 우리나라는 「개인정보보호법」, 「위치정보의 보호 및 이용 등에 관한 법률」등의 다양한 입법을 통해서 발빠르게 대응해 왔고, 이는 외국의 입법례와 비교해 봤을 때도 상당히 진보적인 의미를 담고 있다. 하지만 이와 동시에 입법의 신속성 및 진보성만으로는 정보보호의 사회적 요구와 필요를 완전히 충족시킬 수는 없다는 점도 함께 보여주고 있다는 점에서 이에 관한 지속적인 관심과 연구가 필요하다고 판단된다. 특히 ‘수사기관이 개인의 위지정보를 탐지하거나 이를 활용하여 추적하는 문제’와 관련해서는, 내용상의 한계가 지적되고 있다. 이러한 문제의식에서 출발하여 본 논문은 최근 애플의 위치정보 무단 수집사건과 수원살인사건을 계기로 조명되고 있는 ‘위치정보’를 중심으로 (1) 위치정보의 보호와 활용에 관한 국내외의 관련 법제를 비교법적으로 살펴본 후, (2) 위치정보의 이용 및 보호와 관련하여 규범적 공백상태에 놓여있는 ‘수사기관에 의한 위치정보의 탐지 및 수집행위’의 법적 성격을 재탐색해 보고, 수집루트의 유형화 작업을 통해서 현행 관련법규의 규범적 한계를 비판적으로 검토해 보았다. 생각건대, 수사목적으로 위치정보를 탐지·수집하는 수사기관의 행위, 즉 전술한 위치정보를 수사기관이 직접 수집하는 경우(제①유형)나 위치정보사업자 및 위치기반서비스업자를 대상으로 요청하는 경우(제②유형)는 물론 개인정보를 활용하여 위치를 탐지하는 경우(제③유형) 등을 기존의 압수·수색으로 접근하는 것보다는, (현행 통신비밀보호법의 통신제한조치와 유사한) 일종의 ‘정보제한조치’로 규정하고, 지금처럼 포괄적인 협력차원이 아니라 영장발부요건(범죄혐의, 필요성, 보충성 등)에 준하는 허용요건과 절차 그리고 법원에 의한 사후통제장치를 마련하여 정보주체의 권리와 범죄수사의 공익적 목적의 조화를 모색하는 것이 필요하다고 판단된다.

개인정보보호 법제 정합성 강화를 위한 고찰- 정보통신망법과 신용정보법을 중심으로 -

김일환 단국대학교 법학연구소 2018 법학논총 Vol.42 No.1

「Personal information protection act」 as general law stipulates that the relationshipwith other laws shall be subject to the provisions of this Act except as otherwiseprovided in Article 6 of the Act. Accordingly, since 「Personal Information ProtectionAc」t is a general law in this field, the personal information protection regulations in「Act on Promotion of Information and Communication Network Utilization andInformation protection」 are special laws on the protection of personal information. However, the provisions of 「Personal Information Protection Act」 and existingpersonal information protection laws are largely duplicated. As a result, it isconfusing for the intervention of multiple regulatory bodies as well as for the lawsthat apply to the legal applicants. There are many laws and institutions related topersonal information protection in Korea, but it is doubtful that such laws andinstitutions give the personal information processors predictability and protect therights of information subjects. Now, we should think about the direction of enhancingthe normative power of related laws rather than revising or revising new laws. Inorder to do so, we first need to ensure the integrity of personal informationprotection laws. Personal information protection general laws and Personal informationprotection special laws should be reviewed to eliminate unnecessary laws andregulations. I believe that even if unnecessary laws related to personal information exist in accordance with ministry selfishness and various interests, only a lot ofapplication confusion and interpretation mistakes in practice are resolved. If 「Act onPromotion of Information and Communication Network Utilization and Informationprotection」 leave a wide range of privacy regulations intact, ultimately, 「PersonalInformation Protection Act」 is a general law and its meaning is diminished and isbound to be reduced or eliminated. However, there is no theoretical or practicalnecessity to exist as a special law any more, although 「Act on Promotion ofInformation and Communication Network Utilization and Information protection」,which is the most problematic at present, does not abandon its role as a general lawwith the appearance of a special law. Therefore, according to 「Act on Promotion ofInformation and Communication Network Utilization and Information protection」, theprotection of personal information should be deleted and abolished and integratedwith the general corporate personal information protection law. Secondly, 「CreditInformation Use and Protection Act」 should have legislative forms and systems thatregulate the contents to be specifically regulated as a special law, even if thenecessity to regulate personal information in a specific area of credit information isacknowledged to some extent. You should not try to make the appearance of generallaw as it is now. 일반법인 개인정보보호법은 다른 법률과의 관계에 대하여 제6조에서 다른법률에 특별한 규정이 있는 경우를 제외하고는 이 법에서 정하는 바에 따른다고 규정하고 있다. 이에 따라서 개인정보보호법이 이 분야의 일반법이므로 정보통신망법상 개인정보보호규정 등은 개인정보보호에 관한 특별법으로서 해당부문에서는 이러한 법규정들이 우선 적용된다. 하지만 개인정보보호법과 기존의 개인정보보호 관련 개별법들의 규정들이 상당부분 중복되고 있다. 이에 따라서 법적용대상자가 보기에는 적용되는 법률들은 물론, 복수의 규제기구의 개입에 대해서도 혼란을 느끼고 있는 실정이다. 현재 우리나라에서는 개인정보보호 관련 법률과 제도들은 많이 있으나, 그러한 법률과 제도들이 개인정보처리자들에게 예측가능성을 부여하고, 정보주체의 권리를 충분히 보호하고 있는지는 의심스럽다. 이제 새로운 법률의 제⋅개정보다는 관련 법률들의 규범력을 높이는 방향으로 고민해해야 한다. 그러려면 먼저 개인정보보호법제의체계정합성을 확보해야 한다. 개인정보보호 일반법과 특별법들을 검토해서 불필요한 법률이나 규제는 과감히 정비, 폐지해야 한다. 부처이기주의나 각종 이해관계 등에 따라 존재하는 개인정보보호 관련 불필요한 법률들만 정비하더라도 실무계에서 겪고 있는 상당수의 적용상 혼란과 해석상 오류는 해소되리라믿는다. 정보통신망법에 광범위한 개인정보보호규정을 그대로 두게 되면 결국개인정보보보호법은 일반법으로서 그 의미가 퇴색되고 적용대상이나 범위가줄어들거나 없어질 수밖에 없다. 그렇다면 현재 가장 문제가 되고 있는 법률중 정보통신망법은 특별법의 외관을 가진 채 일반법으로서 역할을 포기하지않으려 하고 있지만, 더 이상 특별법으로서 존재해야할 이론적, 실무적 필요성이 존재하지 않는다. 따라서 정보통신망법상 개인정보보호부분은 삭제, 폐지하고 일반법인 개인정보보호법과 통합해야 한다. 다음으로 신용정보법은 신용정보라는 특수한 영역의 개인정보를 규율할 필요성은 일정부분 인정한다 하더라도 특별법으로서 특별히 규율할 내용을 별도로 규정하는 입법형식과 체계를갖추어야지, 지금처럼 일반법의 외관을 갖추려 해서는 안 된다.

개인정보 거버넌스 현안과 법적 쟁점

金呟經 ( Kim Hyunkyung ) 아세아여성법학회 2021 아세아여성법학 Vol.24 No.-

‘Personal Information Governance’ can be broadly defined as a governing act, method or regulatory system necessary to promote policies related to personal information. It includes who determines the agenda and goals in a series of policy activities, such as policy enforcement and resource mobilization, how to reconcile differences and interests between stakeholders in the policy-making process, and how to mobilize necessary resources. And it includes the decision on how to implement the policy, and how to check the implementation process of the policy and evaluate it after completion. Such ‘Personal Information Governance’ is important in the following respects. First, in the public sector, there is a need for an “independent” personal information protection organization to manage and supervise unreasonable misuse of personal information by public authorities. And in the private sector, under the asymmetry of knowledge and expertise between the data subject and the personal information controller, the public management and supervision function must be provided so that the privacy of the data subject is not infringed. In this study, based on the importance of personal information governance, the limitations and improvement methods of the current system were explored as follows. First, Korea’s personal information governance has an integrated 「Personal Information Protection Act」 that regulates both the public and private sectors, and there is also a ‘Personal Information Protection Commission’ that regulates both the public and private sectors. However, as the Financial Services Commission and the Korea Communications Commission still have jurisdiction over personal credit information and location information, our personal information governance is strictly “incompletely integrated.” In view of the convenience of users and the principle of legal clarity, it is reasonable to integrate and unify the regulations within the 「Personal Information Protection Act」 system. Second, since most of the data that is valuable for use is personal information, the bills related to data utilization currently being promoted by the National Assembly inevitably need to be revised so that they can link and cooperate with the Personal Information Protection Commission. In addition, it is also necessary to review a plan to unify the role of the data management agency into the Personal Information Protection Commission or to perform jointly with the Ministry of Science and ICT. Third, since the processing of personal information is based on data analysis technology, personal information governance must secure expertise to respond to the speed of technological change. In addition, specialization and systematization of the personal information supervisory function is required in accordance with the characteristics of the personal information processing area.

개인위치정보의 수집으로 인한 손해배상책임 - 대법원 2018. 5. 30. 선고 2015다251539, 251546, 251553, 251560, 251577 판결

권태상 이화여자대학교 법학연구소 2020 法學論集 Vol.24 No.4

(1) 개인정보자기결정권 침해만으로 바로 비재산적 손해에 대한 배상 책임을 인정 할 수 없다는 견해는, 다른 실체적인 권리에 대한 침해나 위험이 발생하여야 비재산 적 손해에 대한 배상 책임을 인정할 수 있다고 한다. 그런데 이러한 견해에 의하면 개 인정보자기결정권이라는 독립된 권리를 인정하는 의미가 상실될 수 있다. 개인정보가 유출된 경우 그 개인정보는 범죄에 악용될 위험성이 있다. 또한 개인정 보는 단순한 정보라도 다른 정보들과 결합하면 큰 의미를 가질 수 있다. 그러므로 단 순한 개인정보라 하더라도 유출되지 않게 보호할 필요가 있고, 이를 위한 권리로 개 인정보자기결정권이 인정되는 것이다. 인격권에 의하여 보호하려는 것은 사람이 자신과 관련된 사항에 대해서 가지는 자 기결정권이라고 이해할 수 있다. 개인정보자기결정권은 사람이 자신의 개인정보에 대 해서 가지는 자기결정권을 보호하는 권리이다. 초상권, 성명권 등이 실체적 권리인 것과 마찬가지로, 개인정보자기결정권 역시 실체적 권리로 보아야 할 것이다. 그리고 비재산적 손해는 그 성질상 사실적으로 파악하기 쉽지 않으므로 규범적으 로 파악되어야 한다. 개인정보자기결정권이 침해된 경우, 이로 인해 피해자가 어떠한 정신적 고통을 입었는지 또는 어떠한 정신적 이익을 상실했는지 사실적으로 증명할 것을 요구하는 것은 바람직하지 않고, 그러한 권리 침해 자체를 규범적으로 평가하여 비재산적 손해를 인정해야 할 것이다. (2) 개인위치정보는 그 자체가 바로 사생활을 의미하거나 행동의 자유와 관련될 수 있다. 그리고 개인위치정보는 개인의 생명, 신체의 안전이나 사생활과 밀접하게 관련 되는 민감성이 높은 정보이다. 또한 개인위치정보 역시 단순한 정보로 보이더라도 다 른 정보들과 결합하면 큰 의미를 가질 수 있다. 그러므로 설령 개인정보에 대한 자기결정권 침해만으로는 비재산적 손해의 배상책 임을 인정할 수 없다는 입장을 취하더라도, 개인위치정보에 관한 자기결정권이 침해 된 경우는 비재산적 손해의 배상책임을 인정하는 것이 바람직하다. 개인위치정보는 일반적인 개인정보에 비해 강화된 보호를 받아야 할 필요가 있기 때문이다. 대상판결은 개인위치정보가 동의 없이 수집된 경우 그로 인해 바로 손해배상책임 이 인정되지는 않는다는 입장을 취하였다. 그러나 정보주체에게 2차적으로 피해가 발 생하였는지 여부와 무관하게 개인위치정보에 관한 자기결정권 침해로 인한 비재산적 손해배상을 인정하는 것이 바람직하다. (1) If personal information is leaked, the personal information is at risk of being abused in a crime. In addition, personal information, even simple information, can have great meaning when combined with other information. The object to be protected by the personality rights is the right of self-determination. The right to self-determination of personal information is the right to protect the self-determination right that a person has about his or her personal information. Just as portrait right and name right are substantive rights, the right to self-determination of personal information should be viewed as a substantive right. Non-pecuniary loss is not easy to grasp realistically in nature, so it should be identified normatively. If the right to self-determination of personal information is violated, it will be necessary to acknowledge the non-pecuniary loss by normatively evaluating the infringement of such right itself. (2) Personal location information itself can mean privacy or can be related to freedom of action. And personal location information is highly sensitive information that is closely related to personal life, body safety, and privacy. In addition, personal location information can also have great meaning when combined with other information, even if it appears to be simple information. Therefore, personal location information needs to be more protected than general personal information. Supreme Court of Korea took the position that if personal location information was collected without consent, liability for damages would not be recognized immediately. However, it is desirable to recognize non-pecuniary loss caused by infringement of the right to self-determination concerning personal location information, regardless of whether or not secondary damage has occurred.

개인정보보호 체계 발전 방안에 대한 연구

주상현,최병훈,이진용,전삼현,Sang-Hyun Joo,Byoung-Hoon Choi,Jin-Yong Lee,Sam-Hyun Chun 한국인터넷방송통신학회 2024 한국인터넷방송통신학회 논문지 Vol.24 No.4

개인정보 보호를 위한 통합 컨트롤 타워로서 2020년 8월에 개인정보보호위원회가 출범하였으나 개인정보보호 운영 체계상 몇 가지 문제점이 지적되고 있다. 먼저 우리나라의 개인정보 보호 체계는 공공과 민간을 함께 규율하는 통합법 체계를 가지고 있음에도 불구하고 개인신용정보 보호 기능은 금융위원회가 담당하고, 개인위치정보 보호 기능은 방송통신위원회가 그대로 담당하는 등 보호 기능의 불완전한 통합으로 원활한 개인정보 보호 기능을 하기 어렵다는 지적이 있다. 다음으로 공공부문 개인정보 유출 사고가 증가하고 있음에도 이를 효율적으로 조사할 전문성을 갖춘 인력과 전문 지원기관이 부족한 문제가 있고, 디지털 통상시대를 맞이하여 글로벌 IT 기업의 자국 내 개인정보 침해에 대한 효율적인 대응체계가 부족하여 국민의 개인정보 보호가 약화 될 우려가 있다. 이러한 문제를 해결하고자 해외사례와 문헌들을 검토하여 다음과 같은 방안을 제시하였다. 첫째, 신용정보와 위치정보에 대한 개인정보 보호 감독 기능을 개인정보보호위원회로 일원화 할 필요가 있다. 둘째, 공공부문 개인정보 유출 사고에 대응하기 위해 전문인력 확보와 전문기관 설립 등 전문성 확보가 필요하다. 셋째, 디지털 통상시대에 국민의 개인정보보호를 위한 국내 대리인지정제도 활성화와 국제 공조 체계 구축 필요성을 제기하였다. 이와 같은 개인정보 보호 체계 발전 방안으로 한층 체계화된 개인정보보호가 이루어질 것으로 생각한다. The Personal Information Protection Commission was launched in August 2020 as an integrated control tower for personal information protection, but several problems have been pointed out in the personal information protection operation system. First, despite the fact that Korea's personal information protection system has an integrated legal system that regulates both the public and private sectors, it has been pointed out that it is difficult to carry out smooth personal information protection functions due to incomplete integration of protection functions, such as the Financial Services Commission being in charge of personal credit information protection and the Korea Communications Commission being in charge of personal location information protection. Next, despite the increasing number of public sector personal information leakage incidents, there is a lack of personnel with expertise and specialized support organizations to efficiently investigate them, and there is a concern that the lack of an efficient response system to personal information infringement by global IT companies in Korea in the era of digital commerce may weaken the protection of citizens' personal information. In order to solve these problems, I reviewed overseas cases and literature and proposed the following measures. First, it is necessary to centralize the personal information protection supervision function for credit information and location information to the Personal Information Protection Commission. Second, it is necessary to secure expertise by securing specialized personnel and establishing specialized institutions to respond to public sector personal information leakage incidents. Third, it is necessary to revitalize the domestic agency designation system and establish an international cooperation system to protect people's personal information in the digital commerce era. I believe that these measures to develop the personal information protection system will lead to more systematic personal information protection.

The Concept of Personal Information: A Study on Its Interpretation and Scope

( Dae Hee Lee ) 고려대학교 법학연구원 2016 The Asian Business Lawyer Vol.17 No.-

Under the Korea``s legislation for the protection of personal information, the term ‘personal information’ is defined as information that pertains to a living person, including the full name, resident registration number, images, etc., by which the individual in question can be identified, (including information by which the individual in question cannot be identified but can be identified through simple combination with other information). This definition is based upon the term ‘personally identifiable information (PII)’ which means any data that could potentially identify a specific individual. Thus PII is the central concept to decide whether personal data statutes are applicable or not, and define their scope and boundaries of application. Despite its importance in personal data statutes, the concept of PII is ambiguous and it may extend the scope of personal data, resulting both in unreasonably expansive application of personal data protection and in curbing free flow of information. Korean courts tend to have expanded the definition of personal data. From the perspective of striking a balance between the protection of privacy and the free flow of information, this paper argues that the current definition on personal data under the Korea``s legislation be construed rather narrowly. This paper introduces issues raised from the definition and how this definition is construed in the European Union. Finally this paper emphasizes that whether an individual is reasonably identifiable depends on the context and circumstances, and that the scope of personal information not be overly expanded.

개인정보 비식별 조치 가이드라인의 법적 문제와 개인정보보호법제 개선방향

이순환,박종수 한국공법학회 2016 공법연구 Vol.45 No.2

We stand at the dawn of the fourth industrial revolution, in which the promotion of the ICT industry, which includes areas such as cloud computing, big data, and internet of things, can have substantial impact on the future of countries. As the ICT industry grows, so do voices of concern over the privacy risks it may pose on personal information. However, without the utilization of personal information, the ICT industry, which is based on the use of information, cannot seek further development. The Korean legislation has been continuously reinforced after large-scale infringements of personal information, but such reinforcements resulted in hampering the development of the ICT industry. Hence, the Korean government proposed the Guideline on De-identification of Personal Information which provides for the use of effectively de-identified information for conducting big data analysis and other such activities. It is welcome news that the government has proposed a guideline that aims to promote the legitimate utilization of personal information amid excessive regulation. The guideline is also meaningful in that it provides a guide for interpretation for those ambiguous situations where it is unclear whether an information is personal. However, the guideline has its problems: first, the terminology “de-identification” is not clear in substance; second, service providers are overburdened with the obligation to conduct regular monitoring as a form of post management; third, personal information can still be invaded by combination support of de-identified information; and fourth, there it does not stipulate obligations of service providers that corresponds to the use of personal information. Furthermore, it sets down the concept of personal information and the right to consent, which are the core contents of personal information protection legislation, and therefore contravenes the form of law. Countries around the world are setting up their legislation regarding the protection of personal information. Among them, the GDPR of the EU and the Personal Information Protection Act of Japan are full of suggestions. The development of IoT and big data eventually will bring about changes in the protection system of personal information, which builds upon the concept of personal information and the right to consent. In this paper, building on the criticism against foreign legislation and the guideline set forth by the Korean government, will propose a way to improve the personal information protection legislation. The strict opt-in method used for consent shall change, and eventually the responsibilities of the personal information manager shall be fortified in order to protect personal information while at the same time also protecting the value of personal information utilization. 지금은 4차 산업혁명의 시작점으로 이에 기반이 되는 클라우드 컴퓨팅, 빅데이터, 사물인터넷 등 ICT 산업의 진흥은 국가의 미래가 걸린 문제라 할 수 있다. ICT 산업의 발전에 따라 개인정보의 침해 위험의 목소리가 날로 높아지고 있지만, 개인정보의 활용이 뒷받침되지 않고서는 정보를 기반으로 하는 ICT 산업의 발전을 꾀할 수 없다. 우리의 법제는 대규모의 개인정보 침해 사건으로 인해 지속적으로 강화되어 왔으며, 이러한 개인정보 보호법제는 ICT 산업의 발전을 저해하는 요인이 되었다. 이에 정부는 개인정보 비식별 조치에 대한 가이드라인을 제시하여 비식별 정보를 빅데이터 분석 등에 활용할 수 있도록 하고 있다. 과도한 개인정보 규제 상황에서 개인정보의 활용을 도모하기 위한 가이드라인을 제시하였다는 점은 환영할만하다. 그리고 가이드라인은 개인정보인지 여부가 불분명한 경우에 대한 해석지침을 마련해주었다는데 의의가 있다. 하지만 가이드라인은 내용면에서 첫째 ‘비식별’이 개념상 명확하지 않다는 점, 둘째 사후조치로 사업자에게 주기적인 모니터링의 과중한 의무를 부담시키고 있다는 점, 셋째 비식별정보의 결합지원에 의해 개인정보침해가 가능하다는 점, 넷째, 개인정보 이용에 합당한 사업자들의 의무가 없다는 점 등의 문제가 있다. 또한 가이드라인이란 형식으로 개인정보의 개념이나 동의권과 같은 개인정보 보호법제의 핵심적인 내용을 다루고 있어서 법형식면에서 문제가 된다. 세계 각국은 개인정보 보호법제를 정비하고 있다. EU의 GDPR의 제정과 일본의 개인정보보호법 개정은 우리에게 시사하는 바가 크다. 사물인터넷과 빅데이터의 발전은 결국 기존의 개인정보의 개념과 동의권에 기초한 개인정보 보호체계에 대한 변화를 가져올 수밖에 없다. 본고에서는 외국의 입법례와 가이드라인에 대한 비판을 토대로 하여 개인정보의 보호와 활용의 경계에서 개인정보 보호법제의 개선방향을 제시하고자 한다. 엄격한 Opt-in 방식의 동의제도가 변화해야 할 것이며, 궁극적으로는 개인정보처리자의 책임을 강화하여 개인정보의 보호라는 가치와 개인정보 활용의 가치를 균형 있게 보호할 수 있도록 해야 할 것이다.

일본의 개인정보 보호에 관한 논의

김지만(Kim, Ji Man) 충북대학교 법학연구소 2017 과학기술과 법 Vol.8 No.2

In Korea, we have a own personal I.D. And, this personal I.D is able to distinguish one between other people. Especially, in the age of information society, personal information is used for commerce or financial transactions via the internet. Besides, for the using of Internet services, personal information is used as an essential element. But, despite the need for careful management of personal information, the careless management of personal information causes the Personal Information Leak. In other words, companies should manage and protect the collected personal information with the latest care, personal information may be leaked by others in any way or manner due to the failure of companies or the development of IT technology. In the wake of this Internet information age, the damage of personal information leakage is not only a domestic legal problem but also an international problem. So, we must need for comparative legal research for solving the dispute of international regal problems aobut the personal information using. As a first step, this studying examined a personal information protection act in Japan.

근로자 개인정보 처리의 정당성 요건과 한계–종속성의 관점에서

양승엽 노동법이론실무학회 2016 노동법포럼 Vol.- No.18

“Personal Information Protection Act”(PIPA), a general law for personal date protection, guarantee the free exchange as well as the protection of the personal data. That clears the PIPA’s characteristics as the private law. If the personal information manager obtain the consent of the subject of information, the manager can process the personal information unconstrainedly, and The PIPA can admit the employer to process the worker’s personal data including providing a third person and using for any purpose other than intended ones, so long as he gets the worker’s consent. So, the worker’s consent in the PIPA functions as the master-key to obtain the legitimacy to process the personal data. But, due to the worker’s subordination to the employer, the real intention of workers as the subject of information is suspected. Furthermore, the PIPA article 15 (1) 6 should allow the personal information manager, without the consent of the subject of information, to process the personal data, if the manager demonstrate his legitimate interests which is limited to cases. Thus the employer not given the worker’s consent can assert his right to obtain the worker’s personal data for his legitimate interest in the facilities and human resources management. The PIPA has a few blind spot. For example, the PIPA does not have any provisions of the biometrics. The employers use the worker’s biometrics for the facilities security and worker’s job description. The biometrics remain unchanged worker’s whole life, so if the biometrics abused, the damages are incalculable. The PIPA article 23 enacts a provision of the sensitive information (thought, beliefs, health information, etc.). The biometrics should be interpreted analogically as a sort of health information regulated so that it can regulated in the PIPA. Recently, the employer use the GPS and the electronic tag to trace the worker’s location data. The personal location data is regulated in “Act on the Protection, Use, etc., of Location Information”, but this act does not consider the unbalanced relationship of the employer and the worker, so the employer given the worker’s consent can get the worker’s location data freely. The person who has the other party’s information rules those who can’t. If those who can’t is the worker, along with the subordination to the employer, he suffers from the double power-imbalance. To overcome the double imbalance, firstly, the regulations of processing the worker’s personal data should be established in the PIPA. As a role model, the German personal data protection act is in the process of revision, which tries to insert the worker’s data protection part in the act. When the PIPA is changed, the scope of individual object should be expanded. The current law regulates the workers who offer his service to the employers, but the job-seeker, retiree, and contract laborers have to be included. Moreover, in the illegal processing of the worker’s personal data, the workers should have the right of veto and immunity. Secondly, to secure the truth of worker’s consent, in other words, to obtain the equal standing between the employer and the worker, the group decision of the labor-management representatives substitutes for the worker’s individual consent of processing his personal data. For that, the workers can entrust the representative such as the labour union representative with the right of agreement on processing. Finally, on interpreting the legislation concerned on personal data protection containing the PIPA, the regulations should be construed in the principle of being involved in the occupation and of proportion. The principle of being involved in the occupation is relevant to interpret the employer’s legitimate interests on the processing the worker’s personal data, and if the employer’s processing of the worker’s personal data is proved to be involved in the occupation, in addition, the proport...

개인정보자기결정권의 범위와 한계에 관한 고찰 -개인정보보호법 일부개정법률안을 중심으로-

정윤경 경북대학교 IT와 법연구소 2022 IT와 법 연구 Vol.- No.24

As the 4th industrial revolution and the advent of the knowledge information society rapidly progress, the demand for data collection and use in various fields of society is increasing. The European Union passed the General Data Privacy Act (GDPR) in May 2018 Law was enacted. As such, major countries around the world are recognizing the importance of the personal information legal system and are trying to reorganize it. Korea has undergone about 15 amendments to the Personal Information Protection Act since the first enforcement of the Personal Information Protection Act in September 2011. In particular, through the revision of the so-called 3 data law in August 2020, it was evaluated that it increased the economic value of data by providing a legal basis for the use of personal information for statistical preparation, scientific research, and preservation of records for the public interest. However, criticism has been raised as to whether this revision of the law may lead to a reduction in the self-determination right of data subjects by focusing too much on the aspect of data utilization. Accordingly, in September 2021, the government proposed a partial amendment to the Personal Information Protection Act to supplement the previous amendment to the Data Act. However, some NGOs raised criticism that the contents of the above proposal did not adequately protect the rights of data subjects. As a result of this influence, the National Assembly received amendments to the Personal Information Protection Act five times in January 2022. in this regard, this paper matters concerning the introduction of the right to request transmission of personal information, review issues such as restrictions on the use of personal information for purposes other than personal information, rejection of automatic decisions and introduction of the right to request explanation, addition of an exemption clause for consent in the collection and use of personal information, and addition of a clause on overseas transfer of personal information. Then opinions were presented as to whether the content changed due to the amendment of the law is appropriate in terms of the protection of the personal information self-determination right of the information subject, and furthermore, whether it is at a reasonable level compared to the legislative practices of other countries.