PIDMC cases in 2008

Personal Information Dispute Mediation Cases, an annual report published by Pico & KISA, illustrates some noteworthy cases year by year.

Here are summaries of leading cases among 172 cases (statistics) before the Personal Information Dispute Mediation Committee in 2008.

For reference only, USD1.00 was KRW1257.5 and Euro1.00 was KRW1776.2 at the end of 2008.

See the separate articles for the detailed PIDMC cases in 2007, 2009, 2010, 2011 and 2012, respectively.

Dispute Mediation cases in 2008
Throughout 2008, voice phishing cases of various kinds increased sharply amid numerous reports of theft of others' personal data.

As customer databases grew bigger and bigger due to the rapid change of the web environment, the scale of data breach incidents increasingly exceeded expectations.

Mobile phone (after-sale service) agent's collection of customers' data without consent
Plaintiff visited Defendant A Co. and demanded repayment of the proceeds of his phone device, submitting the documents required by A Co. An employee of Defendant, having found a difference between the price of the returned phone and the price recorded in the printout of A Co.'s sales list, used Plaintiff's personal data, without consent, to ask the selling agent who had sold the phone to Plaintiff about its price. Upon confirming the identity of the inquirer, the selling agent informed the employee of Plaintiff's subscription and the phone price over the telephone.

However, Plaintiff argued that the employee had done what he had not asked for and had used his personal information without consent, and demanded damages for mental distress. As a rule, only the subscriber of a mobile phone service may inquire about the personal information and transaction terms.

Where a customer has submitted the necessary documents for repayment of the proceeds of the phone, the employee's inquiry to the sales agent about the exact phone price, made on the basis of the customer's personal data in accordance with usual business practice, is not beyond the intended purpose for which such data was collected.
 * Mediation Decision

But it should be noted that an A/S agent like A Co. is not equipped with a detailed manual on customers' personal information, and has never trained its employees on what to do with customers' personal data and how. It would also be necessary for A Co. to notify its customers via SMS of any inquiry or other activity based upon their data.

So Plaintiff's demand for damages for mental distress caused by unauthorized use of his personal data by the employee of Defendant is groundless and shall be rejected. But it is strongly recommended that A Co. prepare a manual on customers' personal information, and instruct its employees as well as A/S agents that customers must be notified of any use of their personal data and that consent thereto is required.

ISP's onward transfer of personal ID of an unsubscriber to a third party
Plaintiff terminated the high-speed MY-IP service in November 2007 and visited the branch of Defendant to settle the service charges and expenses, and found out that the MY-IP was not terminated but had been transferred to a third party in his name.

Plaintiff argued that Defendant allowed Plaintiff's ID to be used by a third party without Plaintiff's consent, and that Defendant infringed upon Plaintiff's personal information. Plaintiff therefore filed an application for mediation with the PIDMC, seeking reasonable compensation for mental distress.

Defendant explained that Plaintiff's application for termination of service was duly accepted on November 7, 2007, and the change of subscriber's ID was electronically processed for the re-use of the cable, thereby breaching no one's personal information. As a result, the service charge for the period from November 7, 2007 to November 30, 2007 was invoiced to a new subscriber. In addition, the change of subscriber's ID was at the request of the investigation authority.

In this case, the change of subscriber's ID means the succession of the right to use. Also it should be noted that subscriber's ID is effective to identify the subscriber, but useless after the termination of service. For example, if X terminates the subscription agreement and ceases to use ID "ABC", then a new subscriber Y may use ID "ABC" without any encumbrance.

In such a case, a new subscriber's use of the same ID as Plaintiff's does not automatically result in breach of personal information of Plaintiff. It was caused by the misunderstanding of Plaintiff. Subscriber's ID was effective during the service period, and the change of subscriber's ID in this case did not mean the violation of Plaintiff's right to privacy.
 * Mediation Decision

So Plaintiff's application for mediation was rejected.

Provision of personal data to a third party without consent for consolidated service
Plaintiff subscribed to A Co.'s service in 2001, but had nothing to do with B Co. In August 2007, Plaintiff was surprised to find out that his ID and password were also effective for using B's service. To his disappointment, his name and resident registration number appeared on the monitor while using B's service. Plaintiff filed for mediation with the PIDMC, claiming that A had provided the personal data to B without his consent.

As a matter of fact, Defendant, wishing to carry out a consolidated service with B's online marketplace for joint purchasing, private auction, etc., had arranged for its users to log in easily to B's service with the ID and password registered with Defendant. In this case, the user's personal data appeared on the user's monitor only when the user agreed to the consolidated service. Accordingly, pursuant to the consolidated service agreement between Defendant and B, Defendant was required to arrange for users' IDs and passwords to be usable to log in to B's service.

For this arrangement, the consolidated service taking advantage of the same ID and password had been included in its terms of service in advance, and users' personal data, which appeared on B's web page, still remained only in Defendant's customer database. But there was no procedure to confirm the user's consent to sharing the same ID and password with B, and ordinary users could not understand what was going on between Defendant and B.

 * Mediation Decision

The PIDMC gave an advisory opinion that Defendant should give notice of the following on its main page so that its users may easily understand how Defendant shares the same ID and password with B:
 * 1) the purpose of use of the same ID and password;
 * 2) the personal information to be shared with the partner;
 * 3) the process of conveyance of such personal information to the partner;
 * 4) the period of retention and use of such personal information by the partner; and
 * 5) the re-confirmation process of consent to the terms of the consolidated service for sharing such personal information with the partner.

When a user logs in to the partner's website, Defendant should take the necessary measures not to allow the user's personal information, such as name and resident registration number, to appear on the user's monitor prior to the user's consent.

Provision of personal data to a third party due to negligent maintenance of wedding invitations
Plaintiff, who had once ordered wedding invitations printed by Defendant online, introduced Defendant to her friend. She found out that the sample wedding invitation shown to her friend contained her couple's wedding photo. Plaintiff applied for mediation and appropriate damages, arguing that Defendant's unauthorized use of her couple's photo for commercial purposes constituted a data breach.

Defendant explained that its sample wedding invitations would not carry customers' wedding photos, and that remaining copies of invitations were destroyed in a proper manner. The incident occurred owing to an employee's negligence in dealing with such remaining copies. In addition to the main obligation to print and deliver wedding invitations in time, Defendant owes a duty of care and must pay attention not to provide customers' personal data, including photos, to others lest customers' right to portrait and privacy be infringed upon.
 * Mediation Decision

Defendant's keeping Plaintiff's invitations for more than three months and providing one of the remaining copies to a third party therefore amounts to a breach of contract as well as of privacy. The judgment was made that Defendant should pay KRW200,000 to Plaintiff as compensation for emotional distress. The amount was calculated as follows: KRW100,000 for negligently keeping personal data that should have been destroyed in time, plus KRW100,000 for using such personal data not yet destroyed.

The PIDMC also urged up to 300 other printers of wedding invitations not to use remaining invitations as samples and to destroy the remaining ones in a timely manner.

Home shopping company's unauthorized provision of user's personal data to a third party
While watching A Co.'s promotion of cellphone handsets on TV in August 2008, Plaintiff requested the purchase of a specified model of handset, but a few days later he received a phone call from a different company, B Co., about how to activate the cellphone. Suspecting unauthorized conveyance of his personal information from A Co. to B Co., Plaintiff applied for dispute mediation.

In fact, what Plaintiff received from B Co. was a happy call, as promised by A Co.'s show host. A Co. had entrusted such happy calls and the activation service to B Co. Such entrustment is generally permitted, even without consent, by the Act on the Consumer Protection in Electronic Commerce, etc. (전자상거래 등에서의 소비자보호에 관한 법률) for the performance of the required service. Therefore, it was not a conveyance of personal information to a third party.

In addition, it is understood that B Co. obtained the resident registration number of the purchaser subject to Article 42(1) [Schedule 3-IV-4-Ga] of the Enforcement Decree of the Electric Communications Business Act. Judging from the home shopping presentations on TV, the PIDMC acknowledged that Plaintiff's request to purchase a cellphone handset via ARS order or communications with the call center showed Plaintiff's intention to change the mobile carrier.
 * Mediation Decision

Based upon general commercial practices, Plaintiff entered into the purchase agreement with Defendant at the time of the purchase request for the cellphone handset. From then on, B Co. could legally obtain Plaintiff's personal data and make a guidance call to Plaintiff. That meant Defendant's provision of Plaintiff's personal data was not deemed to violate Plaintiff's privacy. The claim for damages for emotional distress was groundless on the same account.

However, it would be proper and necessary to explain, during TV presentations and at the time of the happy call, why the purchaser's personal information is needed. Such an explanation is also necessary in ARS communications.

Mandatory consent to the use of personal data in travel contract and improper termination requirement
In July 2008, Plaintiff purchased an online travel service from Defendant, who sent an e-mail demanding the customer's personal data. Plaintiff requested that his personal data be deleted. In response, Defendant demanded the deletion request form downloaded from Defendant's website and a copy of his resident registration card.

Plaintiff objected to the absence of a consent procedure in Defendant's collection and use of personal information, and applied for mediation to improve Defendant's personal information processing system. As Defendant's standard form of travel agreement did not give a customer an opportunity to agree or disagree, notwithstanding its provision on consent to the collection of personal information, consent became mandatory, and the agreement accordingly violated the user's right to determine the scope of disclosure of his/her own personal information.
 * Mediation Decision

Demanding a copy of the resident registration card to verify the applicant could give rise to the side effect of identity theft in case of data leakage. So it is proper and necessary to separate non-member customers from member customers, and to store the personal information database in a separate file or directory. Most of all, there is a better alternative, such as SMS verification via a mobile phone.
 * Postscript

Following the above mediation decision, the PIDMC Secretariat held a series of meetings with travel agents and related travel associations to discuss how to improve the standard travel agreement and the personal information processing system. The resultant improvements should be promoted via websites and encouraged among travel agents.

The possibility of data leakage to a third party in a bundled cellphone program
Plaintiff found fault with an address manager program, provided by a cellphone manufacturer, which registers and makes a list of friends without the consent of Plaintiff. He also demanded that the program, which exposes the personal information of friends to a third party, be modified, but to no avail.

So a claim was placed before the PIDMC. The PIDMC investigation showed that the address manager program allowed its user to chat with friends stored in the user's cellphone, and operated hand-in-hand with a messenger program, which issued the notice "The message to request friendship will be forwarded to the persons listed on the address book" of each user's friend. When registering friendship, such personal information as ID, name, sex, telephone number, date of birth, e-mail address, etc. could be checked and confirmed.
 * Pre-Mediation Agreement

The PIDMC held that the above-mentioned messenger program, lacking notice and consent relating to personal information, was in violation of Article 24-2 of the ICN Act. Defendant agreed to modify and improve the address manager program as follows: i) to delete the automatic request of friendship, ii) to offer a choice between "making public" and "non-disclosure", and iii) where "non-disclosure" is chosen, to keep all personal data except the name and cellphone number undisclosed.

This case was closed as a pre-mediation agreement when Defendant made an apology to Plaintiff at the recommendation of the PIDMC, and modified the relevant program and system.