A Study on the Data Protection Measures in line with EU Directive
SUMMARY

1. Subject

A Study on the Data Protection Measures in line with EU Directive 95/46/EC

2. Purpose and Significance of the Study

The world-wide use of the Internet and explosive data flows across borders have given rise to increasing misuse and alteration of, and unauthorized access to and transfer of, personal data, encroaching on the privacy of data subjects. As a result, the issue of data protection is discussed more and more often on a global scale.

There are several major models for privacy protection. First, some countries, including many of the EU Member States, have a comprehensive general law that governs the collection, use and dissemination of personal information by both the public and private sectors. An oversight body ensures compliance. Second, other countries, such as the United States, have avoided enacting general data protection rules in favor of specific sectoral laws governing financial privacy, etc. Accordingly, there is no oversight agency. In some countries, for example the United States and Japan, data protection can also be achieved through various forms of self-regulation, in which companies and industry bodies establish codes of practice and engage in self-policing.

It should be noted that the EU has established full-fledged data protection rules under the OECD guidelines for data protection and requires its Member States to ban data transfers to any third country which fails to ensure an adequate level of data protection. Therefore, in order to promote Internet-based electronic commerce, Korea should be regarded as a country which ensures an adequate level of protection in conducting trans-border data flows with Europe. This is a prerequisite for Korea to reinforce its IT power and to set standards in the Asia-Pacific region.
This study examines the current status of Korean legislation on data protection in view of the EU directives. Preparatory work should follow for any discussion with the EU Commission in this regard.

3. Contents and Scope of the Study

This study relies on the EU Directive and other Community laws in defining data protection. To conduct this study, the researchers visited Belgium and met with a number of specialists, including one Commissioner of the EU Commission and several experts at the Research Center of Information and Law (CRID), the University of Namur, who have been involved in the research project on data protection methodology commissioned by the EU Commission. The 23rd International Conference of Data Protection Commissioners, held in Paris from September 24 through 26, 2001, was also highly useful to the researchers for collecting information on the latest developments in data protection in Europe.

The first part of this study examines the data protection laws of Korea in both the public sector and the private sector. The relevant Korean laws are believed to have incorporated the OECD privacy guidelines on data protection in line with prevailing global standards. However, the regulations appear somewhat insufficient with respect to transparency, onward transfer and the independence of the supervisory agency. It is therefore suggested that a general law on data protection be established as a standard and reference for the various special laws in the private sector. Japan is now preparing a comprehensive law on the same subject matter.

It is also true that new legislation requires burdensome preparatory work and a considerably long time to take effect. In this context, it is advisable to resort to industry self-regulation or contractual solutions in order to supplement any discrepancy between Korean laws and the EU directives. In doing so, we can expect undisturbed information flows with EU Member States and other countries.
4. Result of the Study

The conclusion of this study calls for preparing for future negotiations with the EU Commission by giving priority to immediate safeguards for on-line data protection, which are necessary and important, rather than to the amendment or establishment of laws, which requires time-consuming national consensus. In the United States, the self-regulation approach has turned out to be questionable with regard to the representative nature of associations, the level of general compliance, the enforceability of dispute resolutions, and moral hazard among their members. It is therefore recommended that Internet service providers declare their own data protection policies and conclude standard contracts ensuring privacy.

To decide whether a third country offers an adequate level of protection, the EU Commission, in collaboration with the EU Data Protection Working Party, usually collects and analyses general information on data protection through the data protection supervisory bodies of Member States, local specialists, professors, lawyers, EU representatives, etc. It is necessary and important to explain fully to the EU negotiators, and to persuade them, that the level of data protection in Korea is sufficiently adequate because:

- the relevant Korean laws are based upon the OECD privacy guidelines, giving attention to the EU data protection directives;
- any problem or complaint of data subjects is thoroughly investigated and mediated by an independent body with possible remedies;
- a private association of information and telecommunication service providers is going to implement privacy mark labeling;
- industry-wide self-regulation instruments and general terms incorporating an EU standard contract on data protection are under discussion for early implementation; and
- the authorities concerned are staging a nation-wide campaign to respect personal information in general.
5. Practical Usage of the Study

This study presents various useful approaches to preparing for the future negotiations with the EU Commission, which adheres to a kind of reciprocity in data protection. It calls for a division of efforts between the government and the private sector in order to introduce the current status of Korean legislation on data protection to the EU representatives, and refers to case studies involving major countries including Canada, Australia and Japan. At the same time, it is necessary to implement industry-wide self-regulation instruments and contractual solutions.

6. Expected Benefits

This study reveals that the future negotiations with the EU are not beyond our capacity. Therefore, stepped-up public relations, in particular with overseas data protection bodies and counterparts, the establishment of an independent supervisory body and, in the long run, new legislation based upon global standards will help to ensure an adequate level of data protection.
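A Study on Implementation Measures for Quasi-Reciprocity under the EU Data Protection Directive

Printed: November 2001
Published: November 2001
Publisher: Cho Hwi-gap
Published by: Korea Information Security Agency, IT Venture Tower West Wing, 78 Garak-dong, Songpa-gu, Seoul. Tel: (02) 4055-114
Printed by: Hojeong C&P. Tel: (02) 2277-4718
<Not for sale>

1. This research report is the result of an information and communications research and development project carried out with funding contributed by the Ministry of Information and Communication.
2. When the contents of this research report are presented, it must be stated that they are the results of the Ministry of Information and Communication's information and communications development project.
3. The copyright of this research report is held by the Korea Information Security Agency; unauthorized reproduction or copying without the Agency's permission is prohibited.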