PIDMC cases in 2010

Personal Information Dispute Mediation Cases, an annual report published by Pico & KISA, illustrates some noteworthy cases year by year.

Here are summaries of leading cases among 191 cases (statistics) before the Personal Information Dispute Mediation Committee in 2010.

For reference only, USD1.00 was KRW1138.90, Euro1.00 was KRW1513.60 at the end of 2010.

See separate Articles for the detailed PIDMC cases in the year of 2007, 2008, 2009, 2011 and 2012, respectively.

Financial company's spam messages against user's objection
In December 2008, Plaintiff visited a branch of Defendant bank to carry out a financial transaction, and asked the bank employee not to use his personal data, collected by the bank based on the Customer Due Diligence requirement, for other purposes than financial transactions. In the early 2009, Plaintiff received advertisement spam messages from Defendant and expressed objection to such messages. Notwithstanding his request, Defendant kept sending commercial message.

So Plaintiff filed mediation with the PIDMC for mental damages. There are statutory grounds that no commercial messages should be transmitted to a user contrary to his/her intent:
 * Mediation Decision
 * 1) Pursuant to Article 34(2) of the Use and Protection of Credit Information Act (hereinafter referred to as the "Credit Information Act", 신용정보의 이용 및 보호에 관한 법률), the personally identifiable information such as the name, address, resident registration number, passport number, etc. shall be used within the scope of purpose consented by the data subject.
 * 2) Article 24 of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. (hereinafter referred to as the "ICN Act", 정보통신망 이용촉진 및 정보보호 등에 관한 법률) prohibits the information and communication service provider from using the personal information for other purpose than the one consented by the data subject.
 * 3) Article 37(2) of the Credit Information Act provides that the data subject may request the provider or user of the personal information to suspend the communication to the data subject for the purpose of soliciting the introduction of goods or services or the purchase thereof. And such counterparty requested so by the data subject is required to do so pursuant to Article 37(3) of the Credit Information Act.
 * 4) Article 43(1) of the Credit Information Act provides for the responsibility for damages to the data subject of the credit information companies that incurred damage to the data subject in violation the Credit Information Act unless it proved non-existence of willful intention or negligence.

In this case, Plaintiff expressed explicitly rejection of use of his personal information for the purpose of advertisement. But Defendant overrode such rejection of Plaintiff. Notwithstanding repeated rejection of Plaintiff, Defendant did not take necessary measure pursuant to Article 37(2) and (3), and proceeded to send advertisement messages several times more. Although such incidents were caused by the system error of Defendant's computer as it argued unacceptably, it conformed to the accountable negligence of Defendant in violation of Article 34(2) of the Credit Information Act.

Therefore, the mediation decision was made that Defendant should pay KRW200,000 as compensation for mental distress caused to Plaintiff. In addition, Defendant was required to reinforce the customer data management system not to make promotional advertisement against the customer's intention, and to educate the specialized data protection programs for the privacy officers and other employees at the head office and branches.

Telecom company's unauthorized provision of communication records to a third party
Plaintiff argued that in August 2008 when his wife applied for access to call history with her ID card, a certificate of personal seal impression and faked power of attorney, the general manager of a branch Defendant, telecom company, should have informed such fact of him, but made a call to the different number as advised by his wife. In addition, two months later, Plaintiff's wife visited a different branch of Defendant and applied for access to call history by submitting defective documents.

As a result, Plaintiff was accused of adultery with the evidence assisted by Defendant in violation of personal information of Plaintiff. So he applied for mediation with proper damages. However, Defendant objected to Plaintiff's claims by asserting its authentication procedure was duly conducted subject to its internal regulations, and no causation between the call history check and the divorce of Plaintiff could be found. Pursuant to Article 24-4 of the ICN Act, Defendant's provision of call history of Plaintiff to his wife conformed to provision of personal information to a third party strictly subject to the informed consent of the data subject.
 * Mediation Decision

In this case, Defendant failed to take due care in inspecting the documents submitted by Plaintiff's ex-wife, and did not communicate the data subject in person, thus in violation of Article 24-2 of the ICN Act.

With respect to the causation between the call history check and the divorce of Plaintiff, Defendant's provision of Plaintiff's call history was not the only cause of such divorce, but led Plaintiff's ex-wife to divorce and contributed to the court decision in favor of Plaintiff's ex-wife. So it seemed considerable causation existed between Defendant's careless conduct and Plaintiff's mental distress.

Therefore, the mediation decision was made that Defendant should pay damages of KRW5,000,000 to Plaintiff.

P2P business's awkward collection of personal information and onward transfer to a third party
Though Plaintiff quit Defendant's site right after he had been admitted to the site, he received A credit card. Plaintiff argued that his personal information, submitted to Defendant at the time of sign-up, was conveyed to A card company without his consent. Plaintiff filed mediation with PIDMC asking damages from Defendant and the improvement of Defendant's admission process.

Defendant explained that its members were provided with an event to become A card member upon receipt of member's consent thereto. Definitely, it argued, Plaintiff was given a chance to check the solicited messages but skipped them. For the security, Defendant confirmed new member's intention to join the event or not by sending SMS message.

Upon receipt of Plaintiff's claim, Defendant deleted Plaintiff's personal information and withdrew onward provision of his personal data to a third party except the pecuniary compensation. Pursuant to Article 26-2 of the ICN Act, Defendant should have give Plaintiff a specific notice and obtained his consent in a reasonable manner, e.g., through the authentication process via the Internet or in writing.
 * Mediation Decision

In this case, Defendant intentionally manipulated the sign-up page to mislead new members to consent automatically to A card event depriving of any chance to reject. It turned out Defendant did not send any confirmation message to its new members. Defendant seemed ignorant of the compliance of the data protection clauses and the importance of privacy only to pursue its business profit. As Plaintiff argued, Defendant had obscured the consent process intentionally in violation of Article 26 of the ICN Act and Article 12(1) of the Enforcement Decree of the ICN Act. As a result, Plaintiff's personal data were automatically conveyed to A card company, and Plaintiff received unwanted A card.

Therefore, the decision was made that Defendant should pay KRW300,000 as compensation for mental damage to Plaintiff, and improve the awkward consent process so as to ensure informed consent. Defendant was requested to report to the PIDMC how it performed the above mediation decision within a month after its receipt of mediation award.

Online service provider's failure of deletion of user's personal data on the Internet
In September 2009, Plaintiff subscribed to Defendant's online service, and consented to the disclosure of his personal information. Later, Plaintiff found out his real name, place of work, school which he graduated from and photo were on display at Defendant's website, and demanded the deletion of those personal information. But Defendant denied his demand by replying that Plaintiff consented in writing to the disclosure of his personal information when visiting Defendant's office.

So Plaintiff filed mediation with PIDMC asking for deletion of his personal information and the improvement of Defendant's withdral process.

Defendant explained that the disclosure of personal information was important and inevitable its online service, and Plaintiff did informed consent hereto in writing. Defendant argued that Plaintiff's informed consent in writing had nothing to do with the misuse of personal information stated in the privacy law. At first, Plaintiff's photo belongs to personal information as defined by Article 2 vi of the ICN Act.
 * Mediation Decision

However, Defendant's rejection to withdraw Plaintiff's personal information including his photo is in breach of Plaintiff's self-determination of his personal information guaranteed by the Constitution. In May 2005, the Constitutional Court held that data subject's self-determination of his/her personal information is based upon the freedom to the secret of private life (Article 17 of the Constitution) and the freedom of human dignity and pursuit of hapiness (First sentence of Article 10 of the Constitution).

This fundamental rights of citizens are realized by statutes including the ICN Act, as examplified by Article 30(1).

In particular, Article 30(3) of the ICN Act ensures data subject's withdrawal of consent or deletion of his/her personal information at any time in spite of prior informed consent. It means that individual right to self-determination prevails over the business opportunities or profits.

In this case, Defendant's interpretation of its terms of service that Plaintiff's informed consent in writing is irrevocable is evidently in violation of Article 30(3) of the ICN Act. Further, such provision of the terms of service which are unfair and disadvantageous to customers is null and void pursuant to Articles 6 and 17 of the Regulation of Standardized Contracts Act

On the other hand, if Defendant insists on the formation and irrevocability of contract based on the informed consent of the user in writing, the contractual content is evidently in breach of the good morals and other social order (선량한 풍속 기타 사회질서), so to speak, contrary to public policy (공서양속/公序良俗). Therefore, such contract, which cannot evade to the optional provisions as stated in Article 105 of the Civil Act, is null and void subject to Article 103 of the Civil Act.

In conclusion, the adamant denial of Defendant was in violation of Article 30(3) of the ICN Act, Article 17 of the Regulation of Standardized Contracts Act, and such terms of service of Defendant shall be null and void pursuant to Article 103 of the Civil Act.

So the decision was made that all the personal information related with Plaintiff posted on Plaintiff's website shall be deleted immediately, and in addition, Defendant's terms of service and privacy policy shall be modified in line with "Protecting Users' Rights" based upon the relevant privacy laws including the ICN Act, which shall be made public to all members and users of Defendant's website.