PIDMC cases in 2009

Personal Information Dispute Mediation Cases, an annual report published by Pico & KISA, illustrates some noteworthy cases year by year.

Here are summaries of leading cases among 145 cases (statistics) before the Personal Information Dispute Mediation Committee in 2009.

For reference only, USD1.00 was KRW1167.60, Euro1.00 was KRW1674.22 at the end of 2009.

See separate Articles for the detailed PIDMC cases in the year of 2007, 2008, 2010, 2011 and 2012, respectively.

Failure of notice on the data usage when obtaining user's consent
When a technician visited his home to install the Internet connection, Plaintiff signed two times on the pad of the PDA carried by the technician. Later Plaintiff found out his signatures were at the three places not knowingly including the document which showed his consent to the collection, use, provision to a third party and use of his personal informationl. So Plaintiff filed mediation with the PIDMC. An Internet service provider (ISP) is required to notify the purpose of collection and use of personal information and obtain the consent of the user pursuant to Article 22 of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. (hereinafter referred to as the "ICN Act", 정보통신망 이용촉진 및 정보보호 등에 관한 법률).
 * Mediation Decision

In this case, Plaintiff understood that he signed twice on the pad of the installation technician's PDA for the subscription of the ISP's Internet service and the duly installed devices. He did not know he signed to consent to the collection and use of his personal data. It was because the technician did not fully explain for what Plaintiff had to sign.

Defendant is requested to improve its installation process in a positive manner at its option:

i) to have the subscriber sign after sufficient and plain language explanation by its installation technician; ii) to have the subscriber sign three times on the PDA pad; or iii) to obtain the consent of the subscriber to the collection and use of personal data in a separate document.

Collection of personal data of applicant who did not join the Marriage Club
In April 2008, Plaintiff intended to join the Marriage Club and completed the first stage and waited for the next stage. It took too long, and she stopped there. One hour later, she received a phone call from a club manager that she had been admitted to the club. She argued it was wrong because she stopped before completion, and demanded damages for violating her privacy.

Defendant explained that the Marrigage Club database needs multitude of information and has got such data to be stored stage by stage to avoid program error of total deletion. If any applicant stopped in the middle of process, the club manager called the applicant sooner or later whether he/she still wanted to join the club. If the applicant changed his/her mind not to join the club, Defendant deleted the whole personal information. After a user consented to the terms of service and the privacy policy, the sign-up process started. With the Completed button clicked, the user was deemed to consent to the collection of his/her personal information. Article 5 of the Terms of Service.
 * Mediation Decision

In this case, Plaintiff did not join the the Marriage Clut nor consented to the collection of her personal information even though she failed to complete the sign-up process. Defendant illegally manipulated to collect and use the personal information even though Plaintiff stopped in the middle of the process.

Therefore, the mediation shall be made that Defendant pay damages of KRW300,000 to Plaintiff, and the measures be taken lest the personal information of the users who did not explicitly and definitely join the Marriage Club should be stored.

Unauthorized posting of patient's facial photo before and after plastic surgery
Plaintiff complained that the website of a plastic surgery clinic carried her photos before and after the the operation due to the negligence of a clinic counselor, and suffered enormous mental distress. The owner MD of the clinic confessed that he did not advise Plaintiff to consent to disclose her photos nor knew such posting on the website. The website manager handled the photos by blurring the eyes of Plaintiff to the extent unidentifiable and focusing the spot of plastic surgery. Evidently a person's photo belongs to his/her personal information as defined by law. Plaintiff's photos are so sensitive and recognizable that Defendant's posting of Plaintiff's photos on its website without her consent must be in violation of the privacy law out of grave negligence.
 * Mediation Decision

Accordingly, Defendant is required to pay damages of KRW3,000,000 to Plaintiff.

Out-of-purpose for-profit use of personal data of members who quit
Plaintiff received commercial messages of Defendant in April 2009 after he quit Defendant's site. Plaintiff asked the customer service center of Defendant why he received such advertisement, whether Defendant retained his personal information continuously. So the dispute mediation was filed together with demand for punishment of, and damages from Plaintiff. Article 29 of the ICN Act calls for the destruction of personal information without delay upon the fullfilment of the purpose or the expiry of the retention period unless otherwise provided for by other statutes. Also Article 24 of the ICN Act provides for the prevention of use of personal information for other purpose than that of initial collection thereof.
 * Mediation Decision

In this case, Plaintiff withdrew the use of Defendant's service and no further transaction. So Defendant had no reason to retain Plaintiff's personal information, and was deemed in violation of Article 29 of the ICN Act.

Defendant caused probable damage like abuse or misuse of personal information to Plaintiff. The decision was made that Defendant should pay damages of KRW200,000 to Plaintiff.

Responsibility of the Internet shopping mall vendor who used the data for unauthorized purpose
In May 2009, Plaintiff purchased a product of Defendant B, online shopping mall vendor, through Defendant A, online shopping mall operator, but later received advertisement message from B. In this case, A provided customer's address to B only for the purpose of delivery of goods, but B retained Plaintiff's address for the period of three months and used it for advertisement beyond the initial purpose.

Plaintiff filed the mediation with the PIDMC for damages. Article 20(1) of the Act on the Consumer Protection in Electronic Commerce, etc. (전자상거래 등에서의 소비자보호에 관한 법률) calls for the joint and several obligation of an e-commerce intemediary together with the e-commerce vendor who caused loss to consumer's property out of willful intention or negligence. Pursuant to Article 31 i of the terms of service made between the vendor and the intermediary, the vendor is required not to use the personal information of purchaser for other purpose than that stated in the terms of service.
 * Mediation Decision

In this case, B, e-commerce vendor, retained the personal information of purchaser arbitrarily, and breached such information by using it beyond the prescribed purpose. However, A, online shopping mall operator, did nothing wrong. Therefore, the decision was made that Defendant B should pay damages of KRW200,000 to Plaintiff.

Unauthorized transfer of personal data of users by "Family Site" operator
In March 2009 when Defendant launched B website, it decided to send a promotional message of B website to the members of A website because A's customers could be interested in the contents of B. In other words, Defendant wished to operate B as a family site of A by giving A's customers convenience of the same ID and other benefits to utilizing the contents of B. But it could infringe upon the user's choice with his/her consent deprived of. The PIDMC advised Defendant to notify detailed information of the users how to sign up and submit their personal data to the family site operator and to improve the process for the users to choose consent or not.
 * Mediation Decision