When Internet services are provided by multiple personal information controllers, exchanging the customer data between them is legal only in either ‘outsourcing’ or ‘provision’ under the current law. In practice, the distinction between the two is as follows. If the personal information is shared or transferred from the controller A to the so-called outsourcing company B to process business of the A, it is ‘outsourcing’ and it is not necessary to obtain the customer’s consent. If personal information was transferred for B’s own benefit, it was a ‘provision’ and had to be consented.
However, it is difficult to be a valid judgment criterion in the field. It is quite ambiguous to distinguish the interests of each of the two personal information controllers whose interests overlapped each other; just like Homeplus case.
Furthermore, in the composition where A and B form a consortium and jointly provide services to customers, there are cases where it is meaningless to decide who is the personal information controller for each operation. In this case, it is not necessary to enforce that the actors of individual processing must be one institution. It is more practical to ensure flawless consumer protection by allowing multiple organizations to control customer information jointly and by imposing joint responsibility on them. Accordingly, in this paper, various cases and foreign legal systems are reviewed while asserting the need for the concept of a personal information co-processor.
In addition, it is proposed to recognize ‘essential processing for the conclusion and implementation of contracts with customers’ (so-called ‘contractual necessity’) as a legitimate reason in providing personal information to a third party. And then, it should be taken into account that there are cases in which it is difficult to expect an outsourcer to manage and supervise outsourcee, such as in the cloud service case. For outsourcees that have obtained ISMS-P or equivalent certification (eg ISO/IEC 27018), it is also proposed to exempt the outsourcer’s responsibility for management and supervision.