. . . . 1.
2. ( , , , )
3.
4.
V.
* , . .(
.)
: 2014. 5. 30. / : 2014. 6. 20 / : 2014. 6. 25
.
2014
. 2013 3.0
,
, (safety), (security) .
.
,
“ ”1) . ,
, ,
.
.
( ) 24
, 300 ,2)
1)
( ,
? ,
http://openlectures.naver.com/contents?rid=253&contents_id=55661).
2) ,
. 32 2( )
32 300
.
.
.
.
.
,
.
.
, , ,
, .
. , ,
, ICT
, Privacy ,
. (public interest)
.
. 1.
, 2. · ·
.
.
2011.9.29.
,
.
,
. ,
,
.3) .
, (
)
,
.
3) ,
, ,
,
.
< >
< >4)
4) , , 2012.4.
, ,
, .
,5)
. CCTV,
.
.
5)
. , “
”, 41 , , 2013; , “
-
-”, ; , , , 2014.
.
.
“
( )
”6) “
”7)
.
.
.
. (rationalization) , ,
, (efficiency)
.
,8) .
6) , : , , 1992, 18-24 .
7) , “ ”, , 38 , 1990, 136-141 .
8) , “ ”, 32 4 , 2004, 4-5 .
.
, ,
.
,
.9)
,
(feasibility), ICT Privacy
,
.10)
1)
Global Standard , 2)
, 3) , 4)
9) .
. ,
.
, ,
· . ,
( , “
”, , 47 3 , , 2006, 13-14 )
10) 1973 (Fair Information Practice
Principles:FIPPs)
(notice and comment)
(Timothy J. Toohey, The Balance Between Data Flow and Privacy: a United States Perspective, Journal of Law & Economic Regulation, Vol. 6. No. 1, 2013.5, pp. 7-33).
2012 Consumer Data Privacy in a
Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy ,
(www.whitehouse.gov/sites/default/files/privacy-final.pdf).
, 5) .
.
.
, (
) .11)
“ ”
.
“ ” . , ‘ ’
‘ ’
, ,
, ,
, ,
.
. ‘ ’
,
IMEI ( ), USIM
11) 2 1 6 , 2 1 .
. IMEI USIM ,
, ,
. ( )
“ ”
.12)
. 4
,
, ,
4 .13)
.
A
(random number)
B , B ·
A , B
.
, ,
, .
,
12) 2011. 2. 23. 2010 5343 .
13) 2013.8.9. 2013 17 .
. B
A
, (1)
(2)
A ,
.
B A
A
, B
A
.
, ,
· .
‘
(personal data' shall mean any information relating to an identified or identifiable natural person) ‘
, ‘Opinion
4/2007 on the concept of personal data’ “ ,
” “
” “
, ,
” .14)
(identifiable)
, ,
(consumer data that can be reasonably linked to a specific consumer,
computer, or other device) , ,
3 .
, (de-identification) ,
, (re-identification)
, ,
.15)
‘ ’ 2 1 ‘ ’
, ,
(
) . ‘ ’ ,
( )
,
‘
’ .16)
14) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on
the free movement of such data. EU
EU Directive 95/46/EC
DPD .
15) FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers, March 2012, pp. 18-21.
( )
. .
.
.
. ,
,
(entity)
. ,
. ,
.
.
( , , ),
.
.
16) , 3 , , 2009, 33-34 .
. ,
, , ,
,
.17)
.
· ( 15 ),
3 ( 17 ), · ( 18 )
.
· , 3
. 1995 EU (Processing)
· · ,
,
3 .18)
17) , ,
, 2014, 71-88 .
18) DPD Article 7:Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or (d) processing is necessary in order to protect the vital interests of the data subject; or (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to
· , 3 ,
· ,
3
. 1995 EU
3 (recipients)
(categories) .19)
3 .
risk .
.
. (i)
, (ii)
, (iii)
. .
.
whom the data are disclosed; or (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).
19) DPD 10 .
. ,
, ,
.
.
, , ,
.
.
( 26 ).
,
. 1
,
compliance . , ·
· ,
,
.
. ,
,
.
.20) ,
. ,
, ,
, . ,
,
. ,
, ,
. 2
, · .21)
3
( 17 3 ).
3 .22)
. ,
20) EU .
21) , 3
, , , 2014, 233-248
.
22) .
.
, ,
.
3 ,
.
, compliance
. 3
,
. ,
, . EU
, EU
(adequate level of protection)
, 3 ,
,
.23)
, Global
23) DPD 25 , 26 . EU
(contractual clause), (Binding Corpoare Rules:BCRs)
200.7. Safe Harbor Principle
(Christopher Kuner, European Data Protection Law, Corporate Compliance and Regulation, Second Edition, Oxford University Press, 2012. pp. 180-232).
. Global
, EU
.
24)
.
,
. ,
.
1) , 2)
( multi-national
), 3)
.
, ( / ),
24) 2 2( )
.
,
,
.
. ,
.
. /
, / (
)
. /
.
. 6
,
.
. ,
,
. ,
.25)
,26) 95
EU ,
25)
. .
26) Columbia Pictures v. Bunnell, 2007 U.S. Dist. LEXIS 46364 (C.D. Cal. June 19, 2007), Gucci America, Inc. v. Curveal Fashion, 2010 WL 808639 (S.D.N.Y. Mar. 8, 2010).
.27) EU ,
,
(equipment) ,
.28)
,
. ,
. ( )
,
.
.
27) (Data Protection Act) Ian J. lloyd, Information
Technology Law, 6th Edition, Oxford University Press, 2011, pp. 3-121 . 28) DPD 4 (1) (b) the controller is not established on the Member State's territory, but
in a place where its national law applies by virtue of international public law; (c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.
, , ,
.
, , ,
.
y y y
y y
y y y
y y
y y
, .
2 1 ‘ ’
,
, ,
,
( 2 1 ;
2 1 ). ‘ ’
( 2 2 ;
2 2 ).
,
, .29)
. ,
.
,
, 3
, “ ” ( 15 ).
( 4 2 ),
(
25 ) . “
”( 2 7 )
.
, .
( 48 2 1 ).
( 48 2 2
29) , , , ,
, , , “ ” ,
, , , , , ,
, , “ ” (
2 1 1 ).
). ‘ ’ ( 45
1 ), ‘ ’ , ( 4
1 2 ). 19 2
32 .
, ,
( 48 2 4 ).
.
, ( · ) ·
. “ ”
“ ” ,
“ ”
.30) ( )
34
.31) ,
30)
, ,
( , ,
, 2014, , 471-473 ), .
31) 23 2 2012. 8. 18.
, 24 2 2014. 8. 7.
, 34
.
· .
. ,
· . ,
33 ( ) ·
·
, , , ,
.32)
,
, 33) /
/ 3
.
.
.
(opt-out) .34)
32) , 2014,5
3 .
33)
. ,
.
34) , “ ”, '
' , 2014.3.21, 10-12 .
, ,
.35)
.
( 18 1 , 2 ),
( 24 ).
. ,
.36)
V.
2005. 5.
, 2006.9. SK (
) , 2008.1
. ,
515,206 SC
.
35) , “ 48 2 ”,
, 2014.2.24, 20-28 .
36) 2014 5
, ,
( 48 2 1 · 2 ) ,
,
( 48 2 4 72 1 6 ) .
, ‘ ’
‘ ’
3
, .
2008 40 , KT, 30 LG
25 .
,
2011 9
.37)
10 ,
,
.
.
. Global Standard
, ,
, ,
, ,
. ,
,
37)
,
10 Advocate
.
.
. ,
.
.
.38)
,
, ,
.
.39)
.
. ,
.
38) Priscilla M. Regan, The United States, Global Privacy Protection, The First Generation, edited by James B. Rule and Graham Greenleaf, Edward Elgar, 2010, pp. 74-76. Regan
.
.
39) ,
.
, “ ”, 뺸G 32 4 , , 2004.
, 48 2 ,
, 2014.2.24.
, “ ”, ,
2013, 41 , .
, “ ”, 38 , 1990.
, “ -
”-, , , 2014.
, , 3 ,
, , 2014.
, , ,
, 2014.
, ,
, , 2014.
, , '
' , 2014.3.21.
, : , , 1992.
, “ ”, 47 3 ,
, 2006.
, 3 , , 2009.
Christopher Kuner, European Data Protection Law, Corporate Compliance and Regulation, Second Edition, Oxford University Press, 2012.
European Union, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Ian J. lloyd, Information Technology Law, 6th Edition, Oxford University Press, 2011.
Timothy J. Toohey, “The Balance Between Data Flow and Privacy: a United States Perspective”, Journal of Law & Economic Regulation, Vol. 6. No.
1, 2013.
The White House, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (February 2012).
Priscilla M. Regan, The United States, Global Privacy Protection, The First Generation, edited by James B. Rule and Graham Greenleaf, Edward Elgar, 2010.
FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers, March 2012.
< >
2014
.
.
.
, ,
,
, .
. , , ,
, ICT
, Privacy ,
. (public interest)
.
10 ,
,
. ,
. Global Standard
, ,
, , ,
,
. ,
,
.
, , ,
.
.
Abstract
A Study on the Rationalization of Personal Data Regulation for Harmonization between the Use and Protection of Personal
Information under the new Technology Environment
Lee, Seong-Yeob*40)
Credit card company's private information leakage events and Seweolho ship sinking events which happened in the first half of 2014 foretell the tremendous changes in the role and status of administrative regulations of our society.
The creation and strengthening of appropriate regulation for promoting public safety and national security rather than neo-liberal policies through regulatory innovation or deregulation to improve businesses energy and achieve the growth of the national economy has become buzzword
More and more powerful privacy regulations are being made and enhanced. But even now there are a large number of privacy laws, as well as duplication and conflict between the statutes, the lack of precedent and interpretation cases, the conservative law interpretation and enforcement of regulatory agencies, the overlapping law enforcement of a number of regulatory agencies. These make people lost sheep who does not know the right way. After all, the effectiveness of privacy regulation can be gradually weakened.
Personal information has a constitutional value of right to privacy. At the same time the use of personal information is related to the enhancement of social benefit and provision of customer service of company. In particular, the company's new ICT environment, such as big data, cloud, Internet of things, search engines, dramatically increases productivity of enterprise. Further, it creates a revolutionary change in quality of human life. But privacy and copyright issues derived from it can not be overlooked. The regulation of protection and use of personal information will need to be harmonized under the achievement of public interest as higher value.
As I retrospect administrative privacy regulatory affairs, legal theory and practice for about 10 years, it is regrettable regulation has been complex and strengthened whenever the leakage events of personal information happen. In addition, as
* Member of the New York Bar, Kim & Chang, Ph.D. in Law
Journal of Legislation Research / 46th Issue
:
regulatory agencies and the courts also have made only strict and conservative interpretation of the law, the possibility of the law enforcement and legal compliance has bee weakening.
Even now urgently to meet global standard regarding privacy and switch resonable regulation, comprehensive agreement and opt-out agreement need to be introduced as personal information is collected, used and provided. In order to increase the availability of personal information and use it for the purpose of academy and statistics, non-identifying and anonymous personal information can be excluded from the scope of personal information. However, rather than the agreement is formal agreement, it should be substantial protection of self-information determination rights. It should allow a clear recognition of the notice and consent items by information subject. For this consent items should be minimized and simplified. Above all, the end of the project which should be urgently resolved immediately is setting the relationship among Privacy Act, Information Network Act and Credit Information Act and separation and clarification of concept of information and the category of information subject.
It is now an issue of coordination between regulatory agencies, not mid and long term issues, because it does not require organizational changes.