PIDMC cases

The Personal Information Dispute Mediation Committee (PIDMC or "Pico") cases (개인정보분쟁조정 사례집/個人情報紛爭調整事例集) refer to the cases dealt with the PIDMC each year.

The 20-member PIDMC at present has three departments in charge of:
 * Disputes in general (8 members);
 * Disputes in public nature (5 members); and
 * Collective disputes (5 members)

During the past few years, there was a big change:
 * 1) As the awareness of data protection and privacy among common people sharply increased right after the implementation of the new Personal Information Protection Act, the number of claims and petitions related with personal information is on the increase.
 * 2) The National ID Clean Center helped citizens to correct or delete misused their Resident Registration Numbers, and the affected citizens have been alert to their privacy protection.
 * 3) Considerable number of claimants or petitioners are oriented to pecuniary compensations. In many cases, standardized amount may be applicable.
 * 4) Since October 2011, the data breach cases in the public sector have been under the jurisdiction of the newly organized PIDMC.

The PIDMC may decide in a whole session or establish a petit panel which is composed of five or less Committee members in order to conduct efficiently the dispute settlement. In this case, the resolution of the petit panel delegated by the PIDMC shall be construed as that of the PIDMC. Article 40(6) of the Act and Article 49 of the Enforcement Decree.

Key words
dispute mediation, personal information, data protection, Pico

Data Breach Claims via KISA Privacy Center
During the past few years, a number of complaints or petitions were reported in relation to data breach to the KISA Privacy Center (개인정보침해신고센터) :

Sources: Pico and KISA, Personal Information Dispute Mediation Cases in 2010, 2011 & 2012, Mar. 2011, Mar. 2012 and May 2013.

Analysis of Statistics
Throughout 2011, claims out of the following factors increased sharply five or six times over the previous year:
 * Damage, infringement or theft of other person's data; and
 * Data leakage out of failure of technical and managerial measures of the data processor, as witnessed in large-scale data breach incidents.

It might be caused by the brisk operations of the National ID Number Clean Center at KISA and the enhanced of awareness of common people. The increasing number of citizens were demanding withdrawal of consent from, or membership in the portal sites in question.

At the same time, a series of large-scale data breach incidents occurred during the year of 2011. Accordingly more and more users found fault with insufficient technical and managerial measures taken by portal site operators. As a result, those Internet service providers (ISPs) have got to know it is inevitable to upgrade their Internet security measures more than usual.

Thus, increasing awareness of the importance of data protection as well as changing mindset of ISPs relating to the Internet security paved the way to the statutory prevention of resident registration numbers in the course of online communications. The newly amended ICN Act, which came into effect on August 18, 2012, allows the use of resident registration numbers (RR numbers) only by:
 * 1) the authentication agencies, designated by the government for the purpose of provision of alternative RR numbers,
 * 2) qualified ISPs permitted by the relevant laws, or
 * 3) ISPs, publicly notified by the Korea Communications Commission, which rely on the collection and use of RR numbers on business.

The above-mentioned amendment is believed to discourage the foreign hackers and phishing scammers to dare to cause massive scale data breach incidents to obtain as many as RR numbers of Koreans. But the enlarged scope of application of the Personal Information Protection Act including non-profit organizations and fraternity associations could increase the occurrence of data breach claims.

Number of Dispute of Mediations performed by PIDMC
Of the above data breach complaints, some cases were brought to the Pico actually for dispute mediation as follows:

Sources: Pico and KISA, Personal Information Dispute Mediation Cases in 2010, 2011 & 2012, Mar. 2011, Mar. 2012 and May 2013.

Actual Dispute of Mediations performed by PIDMC
The PIDMC carried out dispute mediation in accordance with the data protection statutes and the outcome are as stated in the table below.

Sources: Pico and KISA, Personal Information Dispute Mediation Cases in 2010, 2011 & 2012, Mar. 2011, Mar. 2012 and May 2013.

Objects of Dispute Mediation
The PIDMC, established under the Personal Information Protection Act, has kept any kind of infringement upon personal information of a living person, including resident registration number, voice and videos, under its jurisdiction.

In particular, data breach or privacy infringement out of the violation of the Act on Promotion of Information and Communications Network Utilization and Data Protection, etc. (hereinafter referred to as the "ICN Act", 정보통신망 이용촉진 및 정보보호 등에 관한 법률), the Use and Protection of Credit Information Act (신용정보의 이용 및 보호에 관한 법률), the Medical Act (의료법), or the Civil Act (민법) are under the jurisdiction of the PIDMC.

However, the PIDMC may withdraw from the case subject to the resolution of the PIDMC if it is deemed proper and necessary for other institution such as the Financial Supervisory Service to deal with the case.

Noteworthy Cases
The annual report on Personal Information Dispute Mediation Cases illustrates some noteworthy cases year by year.

See the summaries of leading mediation cases in a separate article:
 * PIDMC cases in 2012
 * PIDMC cases in 2011
 * PIDMC cases in 2010
 * PIDMC cases in 2009
 * PIDMC cases in 2008
 * PIDMC cases in 2007.