Download - [법무법인 민후] 빅데이터의 법적 규제와 실현방안_신기술 경영과 법 컨퍼런스
-
,
-
1.
2.
3-1.
3-2.
3-3.
3-4.
4.
,
INDEX
| www.minwho.kr
2
-
3
1.
-
(Big Data)? , ,
(Big Data) 3V?
| www.minwho.kr
1.
4
Volume
Velocity
Variety
-
| www.minwho.kr
5
OPEN API
1.
-
| www.minwho.kr
98 !
6
, : Wikibon 2015
1.
-
| www.minwho.kr
7
()
1.
-
Google
| www.minwho.kr
()
8
, ,
(CDC)
2 !
1.
-
| www.minwho.kr
9
,
AlphaGo
()
3,000 ,
!
1.
-
| www.minwho.kr
()
10
1 30
,
!
1.
-
11
2.
-
1
2
3
2.
| www.minwho.kr
12
4
-
13
3-1.
-
3-1. ()
| www.minwho.kr
()
14
2 1
""
,
(
)
.
-
3-1. (EU)
| www.minwho.kr
15
Article 4. (1) 'personal data' means any information relating to an identified or identifiable
natural person 'data subject'; an identifiable person is one who can be identified, directly
or indirectly, in particular by reference to an identifier such as a name, an identification
number, location data, online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that person.
() .
, , , (identifier)
(identity)
(directly or indirectly) .
General Data Protection Regulation, 2016()
-
3-1. (EU)
| www.minwho.kr
16
(Personal data) ? - (identified) (identifiable) () (Identifiable) ?
- (identifier) (identity)
- (directly) (indirectly)
General Data Protection Regulation, 2016()
-
3-1. (EU)
| www.minwho.kr
EU 29 ()
17
III. ANALYSIS OF THE DEFINITION OF PERSONAL DATA ACCORDING TO THE DATA PROTE
CTION DIRECTIVE
3. THIRD ELEMENT: IDENTIFIED OR IDENTIFIABLE[NATURAL PERSON]
Means to identify to determine whether a person is identifiable, account should be taken
of all the means likely reasonably to be used either by the controller or by any other person
to identify the said person
, 3
.
-
3-1. (EU)
| www.minwho.kr
EU 29 ()
18
?
-
-
-
!
-
3-1. ()
| www.minwho.kr
19
2 1
, , ()
( [][
] , )
() ()
-
3-1. ()
Consumer Privacy Bill of Rights Act of 2015
| www.minwho.kr
20
SEC. 4. Definitions.
(a) Personal data
(1) In General. Personal data means any data that are under the control of a covered ent
ity, not otherwise generally available to the public through lawful means, and are linked, or
as a practical matter linkable by the covered entity, to a specific individual, or linked to a devi
ce that is associated with or routinely used by an individual, including but not limited to
(A) - (G)
(H) any data that are collected, created, processed, used, disclosed, stored, or otherwise mai
ntained and linked, or as a practical matter linkable by the covered entity, to any of the foreg
oing
-
3-1. ()
| www.minwho.kr
21
(The Privacy Act)
, (identified)
(5 U.S.C. 552a(a)(4))
,
Consumer Privacy Bill of Rights Act of 2015
-
(identified)
3-1. ()
| www.minwho.kr
22
?
(identifiable)
?
-
23
3-2.
-
-
-
3-2.
| www.minwho.kr
24
-
3-2.
| www.minwho.kr
(Identifiable)
25
(Distinguishment)
(Inference)
(Linkability)
(Single-out)
-
3-2.
| www.minwho.kr
26
Personal data
Pseudonymous Data
Anonymous data
De-identification
-
3-2.
| www.minwho.kr
27
Personal Data
, , , : O
Pseudonymous Data
Anonymous data
De-identification
-
3-2.
| www.minwho.kr
28
Personal Data
, , , : O
Pseudonymous Data
Anonymous Data
, , , : X
De-identification
-
3-2.
| www.minwho.kr
29
Personal Data
, , , : O
Pseudonymous Data
: O
, , : X
Anonymous Data
, , , : X
De-identification
-
3-2.
| www.minwho.kr
30
Pseudonymous Data
Single-out, Not linkable
reversible
Anonymous Data
De-Indentifiable,
Irreversible
-
3-2.
| www.minwho.kr
31
9 10 11
-
3-2.
| www.minwho.kr
32
A C B
9 10 11
-
3-2.
| www.minwho.kr
33
Pseudonymous data
!
() https://peepbeep.wordpress.com/2015/03/14/the-council-of-the-eu-and-the-proposed-genaral-data-protection-regulation-and-what-about-pseudonymous-data/
-
18 2 4 ?
- 1 : 18 2 4
( )
- 2 : 18 2 4 ()
,
!
3-2. ()
| www.minwho.kr
34
-
| www.minwho.kr
3-2. () 35
, (2014. 12.)
,
.
-
3-2. ()
| www.minwho.kr
, (2015)
36
-
| www.minwho.kr
3-2. () 37
: 2015. 9. 14. (, 10)
:
- ,( 9 10)
- ( 11)
- 3 ( 12)
- ( 13)
:
-
-
()
-
Article 4 (3b) 'pseudonymisation' means the processing of personal data in such a
way that the data can no longer be attributed to a specific data subject without the
use of additional information, as long as such additional information is kept
separately and subject to technical and organisational measures to ensure non-
attribution to an identified or identifiable person;
pseudonymisation
.
,
..)
3-2. (EU)
| www.minwho.kr
General Data Protection Regulation, 2016 Pseudonymisation
38
-
(23) The principles of data protection should apply to any information concerning an
identified or identifiable natural person. Data which has undergone
pseudonymisation, which could be attributed to a natural person by the use of
additional information, should be considered as information on an identifiable
natural person. () The principles of data protection should therefore not apply to
anonymous information, that is information which does not relate to an identified or
identifiable natural person or to data rendered anonymous in such a way that the
data subject is not or no longer identifiable.
3-2. (EU)
| www.minwho.kr
39
General Data Protection Regulation, 2016 Pseudonymous data, Anony
mous data
-
3-2. (EU)
| www.minwho.kr
40
General Data Protection Regulation, 2016 Pseudonymous data, Anony
mous data
Pseudonymous data . Pseudonymous data
.
, Pseudonymous data ,
( 3-4. )
-
Pseudonymisation is not a method of
anonymisation. It merely reduces the
linkability of a dataset with the original
identity of a data subject, and is accordingly
a useful security measure.
Anonymisation can be a result of
processing personal data with the aim of
irreversibly preventing identification of the
data
Pseudonymisation :
Single out, NOT linkable
Anonymisation :
Irreversible
3-2. (EU)
| www.minwho.kr
EU 29 Pseudonymous data, Anonymous data
41
-
3-2. (EU)
| www.minwho.kr
42
General Data Protection Regulation, 2016 Pseudonymous data, Anony
mous data
Pseudonymous data
Anonymous data
-
2015 9 :
- ()
- 3
- ()
| www.minwho.kr
3-2. () 43
-
3-2. ()
| www.minwho.kr
44
2 9
" "
, .
1. 1 1 : ()
(
)
2. 1 2 :
(
() )
-
. EU GDPR Pseudonymous
data .
EU GDPR Pseudonymous data
, .
3-2. ()
| www.minwho.kr
45
-
The HIPAA Privacy Rule provides mechanisms for using and disclosing health
data responsibly without the need for patient consent. These mechanisms center
on two HIPAA de-identification standards Safe Harbor and the Expert
Determination Method.
[] (PHI) (individually identifiable)
(reasonable basis)
3-2. ()
HIPAA, HIPAA Privacy Rule (De-identified data)
| www.minwho.kr
46
-
3-2. ()
HIPAA, HIPAA Privacy Rule : (De-identified data)
| www.minwho.kr
47
=
:
,
: 18
-
3-2. ()
Consumer Privacy Bill of Rights Act of 2015 De-identified data
| www.minwho.kr
48
SEC. 4. Definitions.
(a) Personal data (2) Exceptions. (A) De-identified data. The term personal data
shall not include data otherwise described by paragraph (1) that a covered entity
(either directly or through an agent) (i) alters such that there is a reasonable basis
for expecting that the data could not be linked as a practical matter to a specific
individual or device;
( ) ""
. (i)
.
-
3-2. ()
| www.minwho.kr
49
: ,
EU : Pseudonymous data( , ) =>
Anonymous data(, ) =>
:
: , EU
Pseudonymous data ,
!
-
50
3-3.
-
| www.minwho.kr
3-3. () 51
()
- , 3 ,
. ,
.
22
- (1)
-
(2)
-
| www.minwho.kr
3-3. () 52
()
,
!
-
| www.minwho.kr
3-3. (EU) 53
EU (EU Directive 95/46/EC, Data Protection)
Article 2(h) 'the data subject's consent' shall mean any freely given specific and
informed indication of his wishes by which the data subject signifies his agreement
to personal data relating to him being processed.
(informed consent)
-
| www.minwho.kr
3-3. (EU) 54
EU (GDPR, 2016)
2012 GDPR
Article 4 (8) 'the data subject's consent'
means any freely given specific,
informed and explicit indication of his
or her wishes by which the data subject,
either by a statement or bya clear
affirmative action, signifies agreement
to personal data relating to them being
processed
2016 GDPR
Article 4 (8) 'the data subject's consent'
means any freely given specific,
informed and unambiguous indication
of his or her wishes by which the data
subject, either by a statement or bya
clear affirmative action, signifies
agreement to personal data relating to
them being processed
-
| www.minwho.kr
3-3. (EU) 55
EU (GDPR, 2016)
2012 GDPR
In the definition of consent, the criterion 'explicit' is added to avoid confusing parall
elism with 'unambiguous' consent and in order to have one single and consistent d
efinition of consent, ensuring the awareness of the data subject that, and to what,
he or she gives consent.
GDPR
(explicit) EU (EU Direc
tive 95/46/EC, Data Protection) , GDPR
(unambiguous)
-
| www.minwho.kr
3-3. (EU) 56
EU (GDPR, 2016)
Explicit consent
Unambiguous consent
Unambiguous consent( ) ,
!
-
57
3-4.
-
| www.minwho.kr
3-4. () 58
()
( 18 1)
( 18 2) 18 1
3
3 . , 5 9
.
1.
4.
-
| www.minwho.kr
3-4. (EU) 59
EU (GDPR, 2016) Article 5 1. (b)
2012 GDPR
Article 5 1. Personal data must be:
(b) collected for specified, explicit and
legitimate purposes and not further
processed in a way incompatible with
those purposes;
2016 GDPR
Article 5 1. Personal data must be:
(b) collected for specified, explicit and
legitimate purposes and not further
processed in away incompatible with those
purposes; further processing of personal data
for archiving purposes in the public interest,
or scientific and historical research purposes
or statistical purposes shall, in accordance
with Article 83(1), not be considered
incompatible with the initial purposes;
-
| www.minwho.kr
3-4. (EU) 60
EU (GDPR, 2016) Article 5 1. (b)
2016 GDPR Article 5 1. (b) further processing of personal data for
archiving purposes in the public interest, or scientific and historical research
purposes or statistical purposes shall, in accordance with Article 83(1), not be
considered incompatible with the initial purposes; (purpose limitation);
GDPR , , ,
Article83(1) ( )
?
?
-
| www.minwho.kr
3-4. (EU) 61
EU (GDPR, 2016) Article 6 3a.
2016 GDPR
Article 6 3a. Where the processing for another purpose than the one for which the
data have been collected is not based on the data subjects consent or on a Union
or Member State law which constitutes a necessary and proportionate measure in a
democratic society to safeguard the objectives referred to in points (aa) to (g) of
Article 21(1), the controller shall, in order to ascertain whether processing for
another purpose is compatible with the purpose for which the data are initially
collected, take into account, inter alia:
-
| www.minwho.kr
3-4. (EU) 62
EU (GDPR, 2016) Article 6 3a.
2016 GDPR Article 6 3a.() (a) any link between the purposes for which
the data have been collected and the purposes of the intended further processing;
(b) the context in which the personal data have been collected, in particular
regarding the relationship between data subjects and the controller;
(c) the nature of the personal data, in particular whether special categories of
personal data are processed, pursuant to Article 9 or whether data related to
criminal convictions and offences are processed, pursuant to Article 9a;
(d) the possible consequences of the intended further processing for data subjects;
(e) the existence of appropriate safeguards, which may include encryption or
pseudonymisation
-
| www.minwho.kr
3-4. (EU) 63
EU (GDPR, 2016) Article 6 3a.
GDPR 6( )
(a) .
(b) .
(c) . 9 .
(d) .
(e) .
!
-
| www.minwho.kr
3-4. (EU) 64
EU (GDPR, 2016) Article 6 3a.
2012 GDPR Article 6 3a.
() Article 6
2. Processing of personal data which is necessary for the purposes of historical, statistical
or scientific research shall be lawful subject to the conditions and safeguards referred to in
Article 83.
4. Where the purpose of further processing is not compatible with the one for which the
personal data have been collected, the processing must have a legal basis at least in one
of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply
to any change of terms and general conditions of a contract.
-
65
4.
-
| www.minwho.kr
4. 66
-
- Pseudonymous data
-
- ,
-
,
!
| www.minwho.kr
4. 67