Under the data protection act, not only the single information that identifies person, but the information that can be easily combined with other information to identify person as well are regarded as personal information. Therefore the scope of ‘easily combinable information’ determines establishment of personal information. Although it is inevitable that the concept of personal information is not definitively fixed, there is high possibility that the law does not qualify for ‘adequate notification’ of the principle of definiteness as one cannot accurately predict whether the information he or she is dealing with is in fact protected by the data protection act. To avoid violation of constitution, it is necessary to more clearly define personal information articles or to limit the delegation of punitive law in order to prevent its arbitrary implementation. Also expecting too much from the role of ‘consent’, which is a necessary requisite of personal information process, or falling into a dogma of almighty ‘consent’ should be rejected. The consent is expression of allowing use of the data, therefore abiding by general theory of declaration of will is sufficient. However, current administration practice is granting excessive meaning to the term of ‘informed consent’. The criminal penalties against infringement of personal data need to be improved through establishment of distinct standard of action to protect personal data and to adequately use the information.