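Recharging Companies' New Growth Engines with Law: Legal Regulation of Big Data and Ways to Implement It. Attorney Choi Min-jeong, Attorney Lee Hye-yoon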

[Minwho Law Firm] Legal Regulation of Big Data and Ways to Implement It_New Technology Management and Law Conference


  • ,

  • 1.

    2.

    3-1.

    3-2.

    3-3.

    3-4.

    4.

    ,

    INDEX

    | www.minwho.kr


  • 1.

  • (Big Data)? , ,

    (Big Data) 3V?

    1.

    Volume

    Velocity

    Variety

  • OPEN API

    1.

  • 98 !

    , : Wikibon 2015

    1.

  • ()

    1.

  • Google

    ()

    , ,

    (CDC)

    2 !

    1.

  • ,

    AlphaGo

    ()

    3,000 ,

    !

    1.

  • ()

    1 30

    ,

    !

    1.

  • 2.

  • 1

    2

    3

    2.


    4

  • 3-1.

  • 3-1. ()

    ()

    2 1

    ""

    ,

    (

    )

    .

  • 3-1. (EU)


    Article 4. (1) 'personal data' means any information relating to an identified or identifiable

    natural person 'data subject'; an identifiable person is one who can be identified, directly

    or indirectly, in particular by reference to an identifier such as a name, an identification

    number, location data, online identifier or to one or more factors specific to the physical,

    physiological, genetic, mental, economic, cultural or social identity of that person.

    () .

    , , , (identifier)

    (identity)

    (directly or indirectly) .

    General Data Protection Regulation, 2016()

  • 3-1. (EU)


    (Personal data) ? - (identified) (identifiable) () (Identifiable) ?

    - (identifier) (identity)

    - (directly) (indirectly)

    General Data Protection Regulation, 2016()

  • 3-1. (EU)

    EU 29 ()

    III. ANALYSIS OF THE DEFINITION OF PERSONAL DATA ACCORDING TO THE DATA PROTECTION DIRECTIVE

    3. THIRD ELEMENT: IDENTIFIED OR IDENTIFIABLE [NATURAL PERSON]

    Means to identify: to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person

    , 3

    .

  • 3-1. (EU)

    EU 29 ()

    ?

    -

    -

    -

    !

  • 3-1. ()


    2 1

    , , ()

    ( [][

    ] , )

    () ()

  • 3-1. ()

    Consumer Privacy Bill of Rights Act of 2015


    SEC. 4. Definitions.

    (a) Personal data

    (1) In General. Personal data means any data that are under the control of a covered entity, not otherwise generally available to the public through lawful means, and are linked, or as a practical matter linkable by the covered entity, to a specific individual, or linked to a device that is associated with or routinely used by an individual, including but not limited to

    (A) - (G)

    (H) any data that are collected, created, processed, used, disclosed, stored, or otherwise maintained and linked, or as a practical matter linkable by the covered entity, to any of the foregoing

  • 3-1. ()


    (The Privacy Act)

    , (identified)

    (5 U.S.C. 552a(a)(4))

    ,

    Consumer Privacy Bill of Rights Act of 2015

  • (identified)

    3-1. ()


    ?

    (identifiable)

    ?

  • 3-2.

  • -

    -

    3-2.


  • 3-2.

    (Identifiable)

    (Distinguishment)

    (Inference)

    (Linkability)

    (Single-out)

  • 3-2.


    Personal data

    Pseudonymous Data

    Anonymous data

    De-identification

  • 3-2.


    Personal Data

    , , , : O

    Pseudonymous Data

    Anonymous data

    De-identification

  • 3-2.


    Personal Data

    , , , : O

    Pseudonymous Data

    Anonymous Data

    , , , : X

    De-identification

  • 3-2.


    Personal Data

    , , , : O

    Pseudonymous Data

    : O

    , , : X

    Anonymous Data

    , , , : X

    De-identification

  • 3-2.


    Pseudonymous Data

    Single-out, Not linkable

    reversible

    Anonymous Data

    De-identifiable,

    Irreversible

  • 3-2.


    9 10 11

  • 3-2.


    A C B

    9 10 11

  • 3-2.


    Pseudonymous data

    !

    () https://peepbeep.wordpress.com/2015/03/14/the-council-of-the-eu-and-the-proposed-genaral-data-protection-regulation-and-what-about-pseudonymous-data/

  • 18 2 4 ?

    - 1 : 18 2 4

    ( )

    - 2 : 18 2 4 ()

    ,

    !

    3-2. ()


  • 3-2. ()

    , (2014. 12.)

    ,

    .

  • 3-2. ()

    , (2015)

  • 3-2. ()

    : 2015. 9. 14. (, 10)

    :

    - ,( 9 10)

    - ( 11)

    - 3 ( 12)

    - ( 13)

    :

    -

    -

    ()

  • Article 4 (3b) 'pseudonymisation' means the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution to an identified or identifiable person;

    pseudonymisation

    .

    ,

    ..)

    3-2. (EU)

    General Data Protection Regulation, 2016 Pseudonymisation

  • (23) The principles of data protection should apply to any information concerning an

    identified or identifiable natural person. Data which has undergone

    pseudonymisation, which could be attributed to a natural person by the use of

    additional information, should be considered as information on an identifiable

    natural person. () The principles of data protection should therefore not apply to

    anonymous information, that is information which does not relate to an identified or

    identifiable natural person or to data rendered anonymous in such a way that the

    data subject is not or no longer identifiable.

    3-2. (EU)


    General Data Protection Regulation, 2016 Pseudonymous data, Anonymous data

  • 3-2. (EU)


    General Data Protection Regulation, 2016 Pseudonymous data, Anonymous data

    Pseudonymous data . Pseudonymous data

    .

    , Pseudonymous data ,

    ( 3-4. )

  • Pseudonymisation is not a method of

    anonymisation. It merely reduces the

    linkability of a dataset with the original

    identity of a data subject, and is accordingly

    a useful security measure.

    Anonymisation can be a result of

    processing personal data with the aim of

    irreversibly preventing identification of the

    data

    Pseudonymisation :

    Single out, NOT linkable

    Anonymisation :

    Irreversible

    3-2. (EU)

    EU 29 Pseudonymous data, Anonymous data

  • 3-2. (EU)


    General Data Protection Regulation, 2016 Pseudonymous data, Anonymous data

    Pseudonymous data

    Anonymous data

  • 2015 9 :

    - ()

    - 3

    - ()

    3-2. ()

  • 3-2. ()


    2 9

    " "

    , .

    1. 1 1 : ()

    (

    )

    2. 1 2 :

    (

    () )

  • . EU GDPR Pseudonymous

    data .

    EU GDPR Pseudonymous data

    , .

    3-2. ()


  • The HIPAA Privacy Rule provides mechanisms for using and disclosing health data responsibly without the need for patient consent. These mechanisms center on two HIPAA de-identification standards: Safe Harbor and the Expert Determination Method.

    [] (PHI) (individually identifiable)

    (reasonable basis)

    3-2. ()

    HIPAA, HIPAA Privacy Rule (De-identified data)


  • 3-2. ()

    HIPAA, HIPAA Privacy Rule : (De-identified data)


    =

    :

    ,

    : 18

  • 3-2. ()

    Consumer Privacy Bill of Rights Act of 2015 De-identified data


    SEC. 4. Definitions.

    (a) Personal data (2) Exceptions. (A) De-identified data. The term personal data

    shall not include data otherwise described by paragraph (1) that a covered entity

    (either directly or through an agent) (i) alters such that there is a reasonable basis

    for expecting that the data could not be linked as a practical matter to a specific

    individual or device;

    ( ) ""

    . (i)

    .

  • 3-2. ()


    : ,

    EU : Pseudonymous data( , ) =>

    Anonymous data(, ) =>

    :

    : , EU

    Pseudonymous data ,

    !

  • 3-3.

  • 3-3. ()

    ()

    - , 3 ,

    . ,

    .

    22

    - (1)

    -

    (2)

  • 3-3. ()

    ()

    ,

    !

  • 3-3. (EU)

    EU (EU Directive 95/46/EC, Data Protection)

    Article 2(h) 'the data subject's consent' shall mean any freely given specific and

    informed indication of his wishes by which the data subject signifies his agreement

    to personal data relating to him being processed.

    (informed consent)

  • 3-3. (EU)

    EU (GDPR, 2016)

    2012 GDPR

    Article 4 (8) 'the data subject's consent' means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed

    2016 GDPR

    Article 4 (8) 'the data subject's consent' means any freely given specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed

  • 3-3. (EU)

    EU (GDPR, 2016)

    2012 GDPR

    In the definition of consent, the criterion 'explicit' is added to avoid confusing parallelism with 'unambiguous' consent and in order to have one single and consistent definition of consent, ensuring the awareness of the data subject that, and to what, he or she gives consent.

    GDPR

    (explicit) EU (EU Directive 95/46/EC, Data Protection) , GDPR

    (unambiguous)

  • 3-3. (EU)

    EU (GDPR, 2016)

    Explicit consent

    Unambiguous consent

    Unambiguous consent( ) ,

    !

  • 3-4.

  • 3-4. ()

    ()

    ( 18 1)

    ( 18 2) 18 1

    3

    3 . , 5 9

    .

    1.

    4.

  • 3-4. (EU)

    EU (GDPR, 2016) Article 5 1. (b)

    2012 GDPR

    Article 5 1. Personal data must be:

    (b) collected for specified, explicit and

    legitimate purposes and not further

    processed in a way incompatible with

    those purposes;

    2016 GDPR

    Article 5 1. Personal data must be:

    (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing of personal data for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes shall, in accordance with Article 83(1), not be considered incompatible with the initial purposes;

  • 3-4. (EU)

    EU (GDPR, 2016) Article 5 1. (b)

    2016 GDPR Article 5 1. (b) further processing of personal data for

    archiving purposes in the public interest, or scientific and historical research

    purposes or statistical purposes shall, in accordance with Article 83(1), not be

    considered incompatible with the initial purposes; (purpose limitation);

    GDPR , , ,

    Article 83(1) ( )

    ?

    ?

  • 3-4. (EU)

    EU (GDPR, 2016) Article 6 3a.

    2016 GDPR

    Article 6 3a. Where the processing for another purpose than the one for which the data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in points (aa) to (g) of Article 21(1), the controller shall, in order to ascertain whether processing for another purpose is compatible with the purpose for which the data are initially collected, take into account, inter alia:

  • 3-4. (EU)

    EU (GDPR, 2016) Article 6 3a.

    2016 GDPR Article 6 3a.() (a) any link between the purposes for which

    the data have been collected and the purposes of the intended further processing;

    (b) the context in which the personal data have been collected, in particular

    regarding the relationship between data subjects and the controller;

    (c) the nature of the personal data, in particular whether special categories of

    personal data are processed, pursuant to Article 9 or whether data related to

    criminal convictions and offences are processed, pursuant to Article 9a;

    (d) the possible consequences of the intended further processing for data subjects;

    (e) the existence of appropriate safeguards, which may include encryption or

    pseudonymisation

  • 3-4. (EU)

    EU (GDPR, 2016) Article 6 3a.

    GDPR 6( )

    (a) .

    (b) .

    (c) . 9 .

    (d) .

    (e) .

    !

  • 3-4. (EU)

    EU (GDPR, 2016) Article 6 3a.

    2012 GDPR Article 6 3a.

    () Article 6

    2. Processing of personal data which is necessary for the purposes of historical, statistical

    or scientific research shall be lawful subject to the conditions and safeguards referred to in

    Article 83.

    4. Where the purpose of further processing is not compatible with the one for which the

    personal data have been collected, the processing must have a legal basis at least in one

    of the grounds referred to in points (a) to (e) of paragraph 1. This shall in particular apply

    to any change of terms and general conditions of a contract.

  • 4.

  • 4.

    -

    - Pseudonymous data

    -

    - ,

  • ,

    !

    4.