오늘날 개인정보 이용의 활성화와 개인정보의 보호를 어떻게 조화롭게 균형을 이루어나갈 것인가 하는 것과 더불어 데이터의 국외이전과 관련하여 국제적 정합성을 고려해야 하는 문제는 우리가 해결해야 할 어려운 과제라고 할 수 있다. 이러한 상황에서 최근 주요 국가들은 이러한 과제의 해결에 초점을 두고 개인정보보호 법제를 정비해 나가고 있다. 그 대표적인 예로서 EU의 2016년 ‘일반 데이터 보호규정’(GDPR), 미국의 ‘캘리포니아 소비자보호법(CCPA, 2020년 1월 발효), 그리고 일본의 2015년과 2020년의 ‘개인정보보호법’ 개정 등을 들 수 있으며, 우리나라도 2020년 2월에 이른바 ‘데이터 3법’을 개정하여 동년 8월부터 시행하고 있다.
일본은 2015년에 개인정보보호법을 전면 개정하여 단계적으로 시행하면서, 2019년 EU와 상호 적정성 평가 인정을 함으로써 국제적 정합성 측면에서 개정의 효과를 입증받았으며, 이 평가 과정에서 지적된 사항을 2020년 개정법에서 보완하는 모습을 보이고 있다. 우리나라도 개인정보보호 법제의 정비방향에 있어서 미국이나 EU의 법제의 변화에 따른 국제적 정합성을 고려하면서 개인정보의 보호와 활용을 위한 적정한 기준을 정립하고자 하는 점에서 일본과 거의 동일하며, 이러한 점에 비추어보면 향후 EU의 적정성 평가를 받아야 하는 우리나라로서는 일본의 법제 정비상황을 세부적으로 검토해 볼 필요가 있다.
그래서 본 연구는 일본의 개인정보보호법 제정과정, 2015년 개정법의 주요내용, 2020년 개정법의 내용 등을 살핀 후 그 시사점을 바탕으로 우리 법제의 정비 방향을 제시하고 있다. 특히 일본법상 법의 역외적용 및 개인정보의 국외이전에 관한 규정, 사업자의 책무 강화 및 자주적 개인정보보호 활동을 위한 사업자단체 인증제도 등은 우리 법제에 도입하는 것이 바람직하다. 그리고, 일본의 개인정보보호위원회는 개인정보보호법의 개정 등에 필요한 준비작업을 지속적으로 하고 법개정 등에 필요한 제언을 하고 있는 것도 참고할 만하다.
Today, in terms of personal information, we are facing very difficult tasks to solve such as how to harmoniously maintain balance between vitalization of personal information use and personal information protection, and consideration of international consistency in relation to cross-border transfer of data. Under this circumstance, recently, the major countries are improving the personal information protection laws by focusing on the solution of those tasks. The representative examples are the ‘General Data Protection Regulation(GDPR)’ of the EU in 2016, ‘California Consumer Privacy Act (CCPA: Effective from January 2020)’ of the United States, and the revision of ‘Personal Information Protection Act’ of Japan in 2015 and 2020. Korea also revised so-called ‘Data 3 Act’ in February 2020, which has been enforced since August 2020. After fully revising the Personal Information Protection Act in 2015, Japan has enforced it by phases. Through the mutual evaluation of appropriateness with the EU in 2019, the effects of revision were proved in the aspect of international consistency. The items pointed out in this evaluation process were complemented in the revised law in 2020. Regarding the improvement direction of personal information protection laws, Korea also aims to establish the appropriate standard for personal information protection/use by considering the international consistency according to legislative changes in the United States or EU, which is almost the same as Japan. For this reason, it would be necessary to closely review the improvement of laws in Japan as Korea also has to get the evaluation of appropriateness from the EU in the future. Thus, after examining the enactment process of Personal Information Protection Act, the main contents of revised law in 2015, and the contents of revised law of Japan in 2020, this study presents the improvement direction of Korean laws based on the implications. Especially, it would be advisable to introduce some contents of Japanese laws to Korean laws, such as regulations of extraterritorial application of law and cross-border transfer of personal information, and the business association certification system for strengthening the duties and independent personal information protection activities of businesses. This study suggests that the Personal Information Protection Commission of Korea should refer to the roles of Personal Information Protection Commission of Japan established earlier than Korea, for establishing all sorts of guidelines related to personal information protection/use, by reviewing and analyzing them.
Today, in terms of personal information, we are facing very difficult tasks to solve such as how to harmoniously maintain balance between vitalization of personal information use and personal information protection, and consideration of international consistency in relation to cross-border transfer of data. Under this circumstance, recently, the major countries are improving the personal information protection laws by focusing on the solution of those tasks. The representative examples are the ‘General Data Protection Regulation(GDPR)’ of the EU in 2016, ‘California Consumer Privacy Act (CCPA: Effective from January 2020)’ of the United States, and the revision of ‘Personal Information Protection Act’ of Japan in 2015 and 2020. Korea also revised so-called ‘Data 3 Act’ in February 2020, which has been enforced since August 2020. After fully revising the Personal Information Protection Act in 2015, Japan has enforced it by phases. Through the mutual evaluation of appropriateness with the EU in 2019, the effects of revision were proved in the aspect of international consistency. The items pointed out in this evaluation process were complemented in the revised law in 2020. Regarding the improvement direction of personal information protection laws, Korea also aims to establish the appropriate standard for personal information protection/use by considering the international consistency according to legislative changes in the United States or EU, which is almost the same as Japan. For this reason, it would be necessary to closely review the improvement of laws in Japan as Korea also has to get the evaluation of appropriateness from the EU in the future. Thus, after examining the enactment process of Personal Information Protection Act, the main contents of revised law in 2015, and the contents of revised law of Japan in 2020, this study presents the improvement direction of Korean laws based on the implications. Especially, it would be advisable to introduce some contents of Japanese laws to Korean laws, such as regulations of extraterritorial application of law and cross-border transfer of personal information, and the business association certification system for strengthening the duties and independent personal information protection activities of businesses. This study suggests that the Personal Information Protection Commission of Korea should refer to the roles of Personal Information Protection Commission of Japan established earlier than Korea, for establishing all sorts of guidelines related to personal information protection/use, by reviewing and analyzing them.