독일의 개인정보 보호 법제에 관한 연구

Privacy Law of Germany

Compared to Korea, Germany seems to have a stronger regulation system and the practices regarding Personal Information Protection Act(PIPA). By comparing two countries' legislations all around, the issues on German PIPA can be summarized as follows. First of all, it is very appropriate that Korean PIPA applies to civilians. However, if the information processing is not business based, the act is not applied to them anymore. In other words, the application is excepted if it is one-time collection and processing. Therefore, it is advisable that they revise it a little. For example, the relevant clause in German Federal Privacy Act(Bundesdatenschutzgesetz / BDSG) only excludes its application if the personal information is collected, processed, and used for personal or family needs. In the case of the requisites to collect personal information, Korean PIPA lists too many items that are unnecessary. Especially, some of the parts in the legislation such as 'when it is acknowledged as needed for the benefit of the information subject or the third person's life, physical asset but difficult to obtain the prior consent from him' does not seem to be needed. Therefore, the requisites for the collection of personal information should be simplified following German BDSG as its model. What is missing from Korean PIPA is the notice system. Similar to communication monitoring, collection of the personal information usually happens without the subject realizing it. This is quite detrimental to the efficient protection of the right to informational self-determination. Thereby, the notice system must be included in the act when revising. Also, the form of obtaining consents from the subjects of the personal information collection is way too simplified in Korea. In many cases, simple electronic consent on the internet is enough to permit access to everything. In addition to this simple step, the types and quantity of personal information that are required to provide is too much that it also raises problems. The PIPA that is newly being legislated must regulate this. The most proper method will be to set 'obtaining written consent' as a ground rule and simple consent through web-sites should be used very exceptionally as that of German BDSG. Moving forward, giving disadvantage by not granting the membership should the person does not consent to the collection of his information should be prohibited. Current Korean practice is that one is obliged to provide his personal information in order to obtain the membership. The people who want to operate an automated personal information processing system should also be obligated to get an inspection by supervisory authority. In Korea, such regulation does not exist and sometimes the personal informations leak as a result of security breaches to the system. Korea is trying to legislate the personal information manager system. Germany has been operating this system for more than 20 years and it would be very wise for Korea to observe and learn how it has actually been operated from them. Lastly, Korea must also adapt a system where Federal Commissioner for Data Protection and Freedom of Information(Bundesbeauftragte für den Datenschutz und die Freiheit / BfDI) checks for any violations of the law in place of a person if one wants to access his personal information kept in the prosecutor's office, police station, tax office, and etc, rather than not permitting it unilaterally. It is because one still has the right to informational self-determination may he be a criminal suspect or subjected to tax investigation and it should definitely be protected.