개인데이터의 보호 대(對) 자유로운 국제이동: 국제법의 현재와 미래 (Protection of Personal Data v. Free International Flowing: the Present and Future of International Law)

Today, called the digital age or the big data era, offers new possibilities and opportunities to humanity. In the era of world trade liberalization and global digital networks, the trade in Internet-based international services and products is rapidly increasing. The free flow of information across borders now contributes more to global economic growth than commodity trade.
However, side effects of infringement or leakage of personal data are inevitably involved in a series of data collection, accumulation, and transaction, and in particular, they may be subject to data theft or theft by third parties. In general, companies focus on the usefulness of big data and emphasize market efficiency through low barriers to data transactions, while individuals are concerned about unauthorized collection and use and leakage of personal data.
In this situation, the EU has established an effective privacy protection legislation, but the international community has yet to adopt a global multilateral agreement on the protection and use of personal data.
The EU personal data legislation regulates privacy as one of the basic and a priori human rights related to privacy and applies strict protection under the GDPR. Given the mighty EU market power, the entry into force of the GDPR has virtually no room other than multinational or non-European private companies as well as EU trading partners. Therefore, the current GDPR cannot be denied that it has become the basis for new privacy practices worldwide in the digital age. However, as one of the fundamental rights, the protection of personal data needs to be limited and possible. The guarantee and limitation of the right to protect personal data should be based on the balance of the information processing economic interests of ISPs and data-intensive companies with the interests of data subjects. The flow of free cross-border information that contributes more to global economic growth than trade in goods should be secured to the maximum possible under the same and reasonable standards.
The key to the issue of personal data transfer abroad is to find a rational balance between the economic benefits of free transfer and information protection. In the short term, the GDPR should be implemented and operated in a direction that ensures free cross-border information flow in the short term, and in the long term, it should be improved to mitigate international data transfer barriers.
In order to correct the unilateral factors of the GDPR EU, such as changing the WTO multilateral stage to an EU-focused bilateral stage, decisions on the adequacy of the protection level of the third country, which is subjected to the Commission, could be changed to go through a negotiation between the EU and the third country under the conciliation of WTO.
The cost of the GDPR implementation and its effect on international trade need to be more clearly calculated based on objective data. In view of the cost of implementing the GDPR, the international community should look for a “less trade-regulating alternative” that is reasonably available. Here, the 'less trade-regulating alternative' is a way for WTO member countries and the international community to achieve a reasonable level of privacy protection goals at a lower cost than the GDPR implementation and additional technical burden.
In addition, the flow of free information is gradually expanded if some of the economic benefits obtained from the reduction of barriers on the flow and the penalty surcharge imposed for violations of protection obligations are used to remedy victims of information leakage and strengthen the national infrastructure for cyber security.
It is difficult to expect the above-mentioned improvement measures to be realized only by international practices that embrace the EU-led GDPR. Therefore, I think it is necessary to adopt the “Convention of Personal Data” as a global multilateral treaty, reflecting the existing sources of international law concerning the protection of personal data.

Today, called the digital age or the big data era, offers new possibilities and opportunities to humanity. In the era of world trade liberalization and global digital networks, the trade in Internet-based international services and products is rapidly increasing. The free flow of information across borders now contributes more to global economic growth than commodity trade.
However, side effects of infringement or leakage of personal data are inevitably involved in a series of data collection, accumulation, and transaction, and in particular, they may be subject to data theft or theft by third parties. In general, companies focus on the usefulness of big data and emphasize market efficiency through low barriers to data transactions, while individuals are concerned about unauthorized collection and use and leakage of personal data.
In this situation, the EU has established an effective privacy protection legislation, but the international community has yet to adopt a global multilateral agreement on the protection and use of personal data.
The EU personal data legislation regulates privacy as one of the basic and a priori human rights related to privacy and applies strict protection under the GDPR. Given the mighty EU market power, the entry into force of the GDPR has virtually no room other than multinational or non-European private companies as well as EU trading partners. Therefore, the current GDPR cannot be denied that it has become the basis for new privacy practices worldwide in the digital age. However, as one of the fundamental rights, the protection of personal data needs to be limited and possible. The guarantee and limitation of the right to protect personal data should be based on the balance of the information processing economic interests of ISPs and data-intensive companies with the interests of data subjects. The flow of free cross-border information that contributes more to global economic growth than trade in goods should be secured to the maximum possible under the same and reasonable standards.
The key to the issue of personal data transfer abroad is to find a rational balance between the economic benefits of free transfer and information protection. In the short term, the GDPR should be implemented and operated in a direction that ensures free cross-border information flow in the short term, and in the long term, it should be improved to mitigate international data transfer barriers.
In order to correct the unilateral factors of the GDPR EU, such as changing the WTO multilateral stage to an EU-focused bilateral stage, decisions on the adequacy of the protection level of the third country, which is subjected to the Commission, could be changed to go through a negotiation between the EU and the third country under the conciliation of WTO.
The cost of the GDPR implementation and its effect on international trade need to be more clearly calculated based on objective data. In view of the cost of implementing the GDPR, the international community should look for a “less trade-regulating alternative” that is reasonably available. Here, the 'less trade-regulating alternative' is a way for WTO member countries and the international community to achieve a reasonable level of privacy protection goals at a lower cost than the GDPR implementation and additional technical burden.
In addition, the flow of free information is gradually expanded if some of the economic benefits obtained from the reduction of barriers on the flow and the penalty surcharge imposed for violations of protection obligations are used to remedy victims of information leakage and strengthen the national infrastructure for cyber security.
It is difficult to expect the above-mentioned improvement measures to be realized only by international practices that embrace the EU-led GDPR. Therefore, I think it is necessary to adopt the “Convention of Personal Data” as a global multilateral treaty, reflecting the existing sources of international law concerning the protection of personal data.