PIDMC cases in 2007

Personal Information Dispute Mediation Cases, an annual report published by Pico & KISA, illustrates some noteworthy cases year by year.

Here are summaries of leading cases among 90 cases (statistics) before the Personal Information Dispute Mediation Committee in 2007.

For reference only, USD1.00 is KRW938.20, Euro1.00 is KRW1381.21 at the end of 2007.

See separate articles for the detailed PIDMC cases in the year of 2008, 2009, 2010, 2011 and 2012, respectively.

TM activities performed using an unsubscriber's personal information
Applicant J used the super high-speed services of Respondent H Company for about 7 years from May 2000, but unsubscribed around February 2007, as telemarketing promoting other services of the same company sharply increased from the first half of 2006. Applicant applied for dispute mediation for compensation of 1.5 million won for emotional damage, arguing that Respondent had infringed the personal information of Applicant by continuously using his or her personal information for unlawful activities such as telemarketing even after his or her unsubscription.

In this case, it was recognized that Respondent had continuously carried out telemarketing activities, though Applicant had expressed his or her intention not to receive telemarketing information by unsubscribing from the service. This constituted a violation of Article 24(1) of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. (hereinafter referred to as the "ICN Act", 정보통신망 이용촉진 및 정보보호 등에 관한 법률), that prohibits the illegal use of personal information. Accordingly, the judgment was made that the amount of KRW300,000 should be paid to Applicant to compensate for the emotional damage caused.
 * Mediation Decision

Unauthorized consent of a family member of the information owner
Telephoned by D Insurance Company, Applicant H noticed that Respondent P Co., Ltd had offered his or her personal information to D, H's partner. Respondent made it clear that an internet installation engineer had visited him or her and his or her mother consented to the provider's using his or her personal information for PDA services. Applicant argued that Respondent had not complied with the procedures for notice and consent in providing D Insurance Company the personal information without consent.

In this case, Respondent argued that as the subscriber is often away from home, the consent of a family member is regarded as that of the subscriber.
 * Mediation Decision

This was found to be merely business practice engaged in for the sake of convenience of Respondent and is not based on any item in the terms of service use, the consent to the use of personal information, or personal information protection policy.

In addition, even if the terms of use claim that the consent of a family member is regarded as that of the subscriber, it is judged to be contrary to the legislative purpose of the ICN Act, which states that the party involved should consent to the disclosure of his or her personal information to a third party. Therefore, the behavior of Respondent was found not to be part of a legitimate consent gathering procedure.

In conclusion, the judgment was made that Respondent should pay KRW100,000 to Applicant for the emotional damage Respondent caused to Applicant by having the mother of Applicant consent to the use of the personal information of Applicant, thereby violating the duties of notice and consent that enable Applicant to be aware of his or her consent to the fact of the collection and the use of their personal information.

Confidential data breach due to insufficient technical protection measures
In late March and early April of 2007, an acquaintance of Applicant's girlfriend discovered photos and letters, etc of Applicant and his girlfriend while searching the dialogue name (XXXX) of Applicant's girlfriend at the portal site N. Applicant also confirmed that his private life was exposed to the public, something he noticed while searching the cafe name (YXXX). Applicant asked the Committee for dispute mediation, arguing that Respondent had not taken the necessary technical measures to prevent his private life contents from being exposed to the public, causing immeasurable emotional damage. Applicant demanded damages of 5 million won.

Considering that the personal information of Applicant was exposed on the web due to a shortage of technical and administrative protection measures, and that the exposed personal information included confidential private life content, such as the diaries of Applicant and his girlfriend, the judgment was made that Respondent should pay KRW500,000 to Applicant for emotional damage.
 * Mediation Decision

Denial of request to delete or revise personal information
Applicant (Mr. K) subscribed to the RR service, one of the super high-speed Internet services of Respondent on February 1, 2006, and then had one circuit added under the name of KJ (the elder sister of Applicant), with the contact of Applicant recorded in the subscription agreement. Applicant asked the Committee for dispute mediation claiming KRW500,000 for emotional damage, arguing that when telemarketing phones were linked to his contact details in the subscription agreement several times, Applicant asked Respondent to revise the personal information and not to send telemarketing messages, but Respondent did not stop sending telemarketing messages.

The investigation shows that though clearly aware of the request for the personal information revision of Applicant, Respondent did not take any necessary measures and used the personal information of Applicant for telemarketing activities as described several times. The judgment was made that Respondent should pay KRW200,000 to Applicant for the emotional damage the former caused to the latter by sending telemarketing messages several times, despite the latter's request for information revisions.
 * Mediation Decision

Excessive requests for personal information for commercial purposes
Applicant L used his or her credit card to buy one million won worth of a pure gold product from Respondent AG (an on-line shopping site), and allowed Respondent to confirm his or her identity using the authentication certificate.

When selling a specific product of a certain amount or more, Respondent AG additionally asked for documents such as the customer order confirmation, both sided copies of the user’s credit card, and their resident registration number, (hereinafter referred to as the additional documents). Applicant did not submit the additional documents, resulting in the cancellation of the order. Applicant asked Respondent to fulfill the contract and indemnify him or her for the communication charges and time loss that occurred after January 25, 2007, arguing that Respondent requested excessive and unnecessary personal information with additional documents, though the latter had confirmed his or her identity using the authentication certificate.

Respondent posted the matters regarding the use of credit cards at its homepage in order to prevent the unlawful use of credit cards, and applied its strict standards to this case to check whether the transaction was made by the card owner. Therefore, the behavior of Respondent cannot be judged as an act of personal information infringement.
 * Mediation Decision

Insufficient technical measures in case of website integration
Applicant Q asked the Committee for dispute mediation, arguing that he or she had logged onto the website of Respondent A to use the information of Respondent, but had confirmed the exposure of the personal information of a third party, not Applicant, and that Respondent A should explain the reasons therefore, and apologize for the incident.

When integrating its 5 individual sites into one site, Respondent A entrusted B Company with the integration and administration of the homepages. However, B did not locate the same IDs, thus leading to the exposure of a third party’s information when Applicant Q logged in. This is judged to constitute a shortage of technical and administrative measures for the protection of personal information by information communication service providers. However, this case ended in an acceptable compromise, as Respondent quickly took follow-up service steps after the incident by enabling Applicant to unsubscribe from their membership, providing him or her with KRW60,000 worth of cinema tickets.
 * Mediation Decision