Currently, South Korea s data protection law can be characterized as a rigid protection system focused on criminal punishment based on prior consent of data subject. It is known as the world s most powerful and strict regulatory legislation. Compared to the European Union s General Data Protection Regulation(GDPR), Korea s data protection law is considered one of the strictest privacy regulations in the world. Many say that the current protection model in Korea has lost its balance of protection and utilization. It requires prior consent of the data subject in order to collect, use, and provide personal data on the premise that personal data must be protected like a private secret. And it imposes excessive administrative fines and criminal penalties for violations. This article was written with the aim of providing clues as to how Korea s data protection law should find a reasonable balance between protection and use in the future. Fortunately, the Personal Data Protection Act, which was revised in February 2020, can be positively evaluated as a legislative attempt to find a reasonable balance between protection and utilization. Similar to the European Union s GDPR, the revised law permits the change of purpose to the extent reasonably related to the purpose of collection. And it introduced the concept of pseudonymized data to increase the possibility of using pseudonymized data, and integrated the enforcement system into the Personal Data Protection Committee to secure the expertise and independence of the data protection agency. This can be assessed as a step closer to global standards. Nevertheless, Korea s data protection law still has a rigid protection model from the perspective of global standards. This article presents three urgent legislative tasks to be improved. First, as in the European Union s GDPR, the six grounds of lawfulness for collection, use, and provision of personal data must be acknowledged, and in principle, the same grounds must be applied in the field of information and communications networks. Second, the requirements for the exercise of the right to the protection of personal data, reasons for defense, and exceptions must be prepared in a reasonable manner. Third, excessive criminal punishment should be reorganized. Like Germany or the UK, criminal sanctions should be imposed only for serious violations of the law, or, as in Japan, criminal sanctions should be imposed for violations of corrective orders of the Personal Data Protection Committee.