PIDMC cases in 2011

Personal Information Dispute Mediation Cases, an annual report published by Pico & KISA, illustrates some noteworthy cases year by year.

Here are summaries of leading cases among 126 cases (statistics) before the Personal Information Dispute Mediation Committee (PIDMC or Pico) in 2011.

For reference only, USD1.00 was KRW1153.30 and Euro1.00 was KRW1494.10 at the end of 2011.

See the separate articles for the detailed PIDMC cases in the years 2007, 2008, 2009, 2010, and 2012, respectively.

Liability of on-line photo album maker who conveyed client's photo on line without her consent
Plaintiff placed an order in March 2011 via a wedding photo website (www.OOOOO.co.kr) operated by Defendant to have her wedding photo framed. Several months later, she was told by a friend that her wedding photo was being displayed on Defendant's website. Plaintiff visited the site, confirmed her photo was posted as a sample, and finally filed a petition with the PIDMC. Defendant violated Article 24 of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. (hereinafter referred to as the "ICN Act", 정보통신망 이용촉진 및 정보보호 등에 관한 법률) by posting Plaintiff's photo, an important piece of personal information by law, on the website without Plaintiff's consent. Therefore, the decision was made to pay 300 thousand won to Plaintiff as compensation for mental distress.
 * Mediation Decision

PIDMC also advised Defendant to set up a rule to obtain the prior consent of the data subject when posting photos of someone else on the website.

Liability of on-line service provider who exposed personal data to the Internet search engine owing to failure of technical measures
Plaintiff searched for his ID (forcemi○○○○) at a portal site in February 2011, and found an Excel file containing the personal information of 231 users, including himself, on the web administration page. Plaintiff filed a petition with the PIDMC claiming that Defendant failed to take technical and managerial measures to keep users' personal information safe, and demanded mental damages. Exposure of personal information on a web search site is usually caused by the failure to take technical measures in administering the website. This incident occurred presumably due to the failure of the website managing company to take necessary technical and managerial measures for data protection.
 * Mediation Decision

In this case, Defendant failed to take necessary technical and managerial measures for data protection required by law, and let the sensitive data of Plaintiff be exposed to the search website. Therefore, the decision was made that Defendant should pay Plaintiff KRW200,000 as compensation for mental distress. Also Defendant was required to improve its personal information management system as well as security policy for the safe maintenance of members' personal information.

Hospital's negligence to expose patient's medical records to Google owing to failure of technical measures
The daughter of Plaintiff found that her father's personal information (name, resident registration number, etc.) and medical records were posted on a web search site in October 2010. She filed for dispute mediation with the PIDMC on behalf of her father, seeking emotional damages.

Defendant explained that Plaintiff's medical doctor had preserved patients' medical records with extraordinary treatment on his personal server for the purpose of academic research and management of research performance, not knowing the possibility of data exposure to the Google search engine. The data, exposed to Google owing to insufficient technical measures to prevent Google from searching inside, included Plaintiff's personal information and detailed medical records such as the patient's symptoms, treatment journal, operation records, CT image files, and so on.

Defendant is a medical institution subject to Article 3(1) of the Medical Act, and Article 67(1) of the ICN Act shall apply to this quasi-information and communications service provider, who is required to take necessary technical and managerial measures to keep the personal information in a safe manner. The medical institution became a quasi-information and communications service provider in July 2009 when the Enforcement Rule of the ICN Act was amended. Defendant is required to maintain the personal information and sensitive medical records of patients with duty of due care to prevent such data from being leaked, abused or misused. However, Defendant failed to take necessary technical and managerial measures to keep the personal information in a safe manner, and allowed them to be maintained in a personal computer, thereby causing most of such data to be exposed to the search site.
 * Mediation Decision

So it was acknowledged that Defendant is responsible for grave mental distress owing to the possibility of abuse or misuse of such data. The decision was made that Defendant should pay KRW2,000,000 to Plaintiff as mental damages. Also Defendant was required to improve its personal information management system as well as security policy as a whole for the safe maintenance of patients' personal information and medical records.

Franchisor's responsibility for illegal retention of client's data
In October 2008, Plaintiff posted a grievance on the customer center of Defendant's website. Upon receipt of Plaintiff's address and phone number, Defendant sent a gift certificate to Plaintiff's residence. In June 2011, Plaintiff inquired with the customer center about some defects of a product, and Defendant promised to send a gift certificate to Plaintiff's address in its customer list.

Plaintiff argued that she was not a constant member of Defendant, and that her personal information should have been destroyed upon the fulfilment of the purpose in 2008. Plaintiff filed for mediation with the PIDMC over wrongful retention of unencrypted personal information and damages for emotional distress. Under the Act on the Consumer Protection in Electronic Commerce, etc. (전자상거래 등에서의 소비자보호에 관한 법률), e-Commerce vendors are required to preserve transaction records, including any representation, advertisement, or contractual obligation, for a considerable period of time (Article 6(1) of the Act), and in terms of consumer's grievance and legal dispute, for three years (Article 6(1)iv of the Enforcement Decree of the Act).
 * Mediation Decision

In this case, Defendant is believed to keep the personal information at issue legally, and Plaintiff's petition is groundless. So it is rejected.

Telecom Company's unauthorized provision of combined services without customer's consent
Plaintiff used a wired telephone service for years in his name, and a broadband Internet service in his mother's name, respectively. In September 2009, Plaintiff discovered he had been admitted to use the combined wired telephone and Internet service on better terms than usual. In December 2009, he filed a complaint with the customer center of Defendant, and Defendant arbitrarily terminated the combined service, to his disappointment. Defendant expressed an apology for its arbitrary termination of the combined services, and promised to pay additional charges and exempt the early termination charge, in addition to KRW200,000 as compensation.
 * Pre-mediation Agreement

Plaintiff agreed to Defendant's suggestion, and the case was closed.

Dispute over data breach on the part of public institutions
Plaintiff filed several civil petitions relating to resort facilities with X County Office, but was dissatisfied with the outcome. Plaintiff then filed a new petition with Y Province Office, which requested X County officials to send the materials related to Plaintiff's civil petition.

Y Province officials posted their answer on the Y Province website with attachments provided by X County. Unfortunately, Y Province officials did not pay attention to the attached file, which contained the personal information of Plaintiff, including the name, sex, age, address, telephone number and incident records, and exposed it to the public. It is acceptable that X County provided the incident records and Plaintiff's personal information to Y Province officials in order to solve the civil petition pursuant to the Act on the Solution of Civil Petitions. Therefore, X County officials were not in violation of Article 10 of the Act on the Protection of Personal Information Maintained by Public Agencies (now repealed, 공공기관 개인정보보호법).
 * Mediation Decision

However, it was carelessness on the part of Y Province that Plaintiff's personal information was disclosed on the website, and the technical and managerial measures were not operative at all. Therefore, mediation is made that Y Province should check its technical and managerial measures and educate public officials and relevant employees lest the personal information should be disclosed again in the future.

Mandatory membership data exposed to Google's search robot
Plaintiff found in September 2011 that his personal information, including name, company, department and position, was exposed on the Google search page. Those personal data had been submitted when signing up at the homepage of Defendant, which was related to a recruiting portal site, and were easily detected by the Google search engine. It should be noted that the personal information exposed to Google was exactly the same as that which was to be open to the public, so that anyone may recognize such information on the Internet. Therefore, it does not amount to infringement upon the privacy of Plaintiff. In addition, it is difficult to acknowledge the mental distress of Plaintiff because special members of Defendant may access it with ease, Defendant cannot benefit from exposure of its members' personal information, and Defendant took swift countermeasures to reduce any damage to Plaintiff's privacy.
 * Mediation Decision

Now that it is difficult to assess the mental distress of Plaintiff, and Defendant has taken necessary measures, Plaintiff's demand of damages for mental distress and improvement of the relevant system shall be rejected.