Main Issues and Holdings
[1] The meaning of leakage of personal information protected by the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc., and in a case where personal information was managed and controlled by a communications service provider and was not accessed or approached by a third party, whether it can be viewed that personal information was leaked simply because the third party was in a situation where he/she was capable of accessing personal information stored by the provider (negative)
[2] In a case where “C” et al., who are members of “B” corporation (whose mobile communication service provider is “A”) received a temporary ID and password from B for the purpose of website system inspection, then following the inspection B did not delete the ID and password, resulting in a situation where a member’s personal information was transferred from the server if his/her mobile phone number was entered into the aforementioned website, to which C et al. sought damages from B et al. for leaking personal information, the case holding that C et al.’s personal information was not in a situation where they were accessible to third parties for not being under B’s management and control
Summary of Decision
[1] Leakage of personal information protected by the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. refers to a situation where personal information is no longer under the relevant communications service provider’s management and control, causing its contents to be accessible to a third party. Thus, a case where certain personal information is under a communications service provider’s management and control without actually being accessed or approached by a third party does not necessarily reach the point where personal information is not under the service provider’s control, and thus, accessible to a third party, even if the service provider’s technological and management protection measures were insufficient and the personal information stored by the provider was in a situation where it was accessible to a third party.
[2] “C” et al. who are members of “B” corporation (whose mobile communications service provider is “A”) received a temporary ID and password from B for the purpose of website system inspection, then following the inspection B did not delete the ID and password, leaving the members’ personal information vulnerable to being transferred from the server at the input of his/her mobile phone number into the aforementioned website. Against this backdrop, C et al. sought damages from B et al. for leaking personal information. The court held that C et al.’s personal information was not accessible to third parties merely for not being under B’s management and control, on the following grounds: entering C et al.’s mobile phone number into the aforementioned webpage is the only way the information can be leaked; before any mobile phone number is entered, the personal information remains stored in the 2G server and cannot be approached; B used its management and control authority to block the website and the server’s interoperability, thus eliminating the possibility of access to and transmission of C et al.’s personal information; and thus, although the website and the server kept interoperability in this case where no input of a phone number in the webpage is confirmed, it cannot be viewed that C et al.’s personal information was lost from Defendant B’s control and became accessible to third parties.
Reference Provisions
[1] Articles 3(1), 28(1), and 32 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. /
[2] Articles 3(1), 28(1), 32 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.
Article 3 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Responsibilities of Providers and Users of Information and Communications Services)
(1) Every provider of information and communications services shall contribute to protection of rights and interests of users and enhancement of abilities to use information by protecting personal information of users and providing information and communications services in a sounder and safer way.
Article 28 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Protective Measures for Personal Information)
(1) Every provider of information and communications services or similar shall, when it handles personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, alteration, or mutilation of personal information:
1. Establishment and implementation of an internal control plan for handling personal information in a safe way;
2. Installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information;
3. Measures for preventing fabrication and alteration of access records;
4. Measures for security by using encryption technology and other methods for safe storage and transmission of personal information;
5. Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software;
6. Other protective measures necessary for securing safety of personal information.
Article 32 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (Compensation for Damages)
Every user may, if he/she suffers any damage caused by a violation of any provision of this Chapter by a provider of information and communications services or similar, claim the provider of information and communications services or similar to compensate for such damage. In such cases, a provider of information and communications services or similar may not be discharged from liability, unless it proves that there was no intentional act nor negligence on its part.
[This Article wholly amended by Act No. 9119, Jun. 13, 2008]
Plaintiff-Appellant: As indicated in the Plaintiff List (Law Firm Eutteum, Attorney Park Jin-shik, Counsel for plaintiff-appellant)
Defendant-Appellee: LG Uplus Co., Ltd. et al. (Attorneys Son Ji-yol et al., Counsel for defendant-appellee)
Judgment of the court below: Seoul High Court Decision 2009Na 119131, 119148 decided February 10, 2011
Disposition: All appeals are dismissed. The costs of the appeal are assessed against the Plaintiffs.
Reasoning
The grounds of appeal are examined (to the extent of supplement in case of any supplementary appellate briefs not timely filed).
1. Regarding ground of appeal No. 1
Leakage of personal information protected by the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. refers to a situation where personal information is no longer under the relevant communications service provider’s management and control, causing its contents to be accessible to a third party. Thus, a case where certain personal information is under a communications service provider’s management and control without actually being accessed or approached by a third party does not necessarily reach the point where personal information is not under the service provider’s control, and thus, accessible to a third party, even if the service provider’s technological and management protection measures were insufficient and the personal information stored by the provider was in a situation where it was accessible to a third party.
According to the facts finalized by the court below and the records of this case, the following facts are acknowledged. In October 2005, in order to inspect whether the M-shop website (“M-shop”) system, interoperable with the 2G server of Defendant corporation LG Uplus (“Defendant LG Uplus”), is functioning normally, corporation Codinus (“Codinus”) — Defendant LG Uplus’ Contents Provider (CP) — temporarily provided corporation Feelink (“Feelink”) with Codinus’ ID and password “○○○○○○” which is interoperable with the said 2G server; using the ID and password, Feelink confirmed that the 2G interoperability system was successfully set up, but failed to delete the ID and password after inspection, ending up prolonging the interoperability between M-shop and the 2G server; the aforementioned interoperability is organized so that when a certain mobile phone number is entered into M-shop’s “Access Telephone Information” page and sent to the 2G server, the mobile phone user’s personal information, such as resident registration number, date he/she signed up for the phone service, the mobile phone model, and mobile phone service provider, is transmitted back from the 2G server to M-shop, which can then be viewed by analyzing the URL transmitted on March 21, 2008, when Non-Party analyzed M-shop’s “Access Telephone Information” page, made an “Access Mobile Telephone Information” page on his server (URL address omitted), and when the resident registration numbers of 583 members of Defendant LG Uplus appeared on screen on March 25, 2008, Defendant LG Uplus had Codinus change the password so as to make the said personal information inaccessible from M-shop’s “Access Telephone Information” page; the Plaintiffs are members of Defendant LG Uplus service; apart from Plaintiff 130 who entered his mobile phone number in M-shop’s “Access Telephone Information” page and had his personal information transmitted, there were no other confirmed cases where any of the Plaintiffs’ mobile phone numbers was entered into M-shop’s “Access Telephone Information” page and his/her personal information was transmitted from Defendant LG Uplus’ 2G server to M-shop.
According to these factual relations, entering Plaintiffs’ mobile phone number into M-shop’s “Access Telephone Information” page and receiving the personal information from the 2G server is the only way the information can be leaked; before any mobile phone numbers are entered, the personal information remains stored in the 2G server and inaccessible; Defendant LG Uplus used its management and control authority to block the interoperability between M-shop and the 2G server, thereby eliminating any possibility of access to and transmission of the Plaintiffs’ personal information; even if M-shop and the 2G server maintained interoperability, given the absence of any confirmed instance of inputting a phone number into M-shop’s “Access Telephone Information” page, it cannot be viewed as a situation where the Plaintiffs’ personal information was lost from Defendant LG Uplus’ control and became accessible to third parties.
The lower court’s determination to the same purport is justifiable. Contrary to the allegations in the grounds of appeal, there were no errors by misapprehending the legal principles on the leakage of personal information stored by a communications service provider, nor by reasoning insufficiently.
2. Regarding grounds of appeal Nos. 2 to 5
A. As examined above, it cannot be deemed that the Plaintiffs’ personal information was leaked through M-shop’s “Access Telephone Information” page. Therefore, the grounds of appeal arguing that the court below did not acknowledge the Plaintiffs’ emotional distress due to the leakage are without merit, as they are based on the premise that the Plaintiffs’ personal information was leaked.
It may be true that the Defendants failed to perform their duty to manage and take technological protective measures or to secure safety of personal information, or trespassed Defendant educational foundation Soongseon Academy’s 2G server by Codinus’ provision of M-shop with the CP ID and password, its failure to delete them immediately, and thereby leaving M-shop and the 2G server interoperable for a period. However, inasmuch as the Plaintiffs’ personal information leakage through M-shop’s “Access Telephone Information” page cannot be acknowledged, it cannot be viewed that the Plaintiffs’ privacy and freedom of personal life were infringed upon. Therefore, the lower court’s determination not to grant the Plaintiffs’ claim for damages to the same purport is justifiable. Contrary to the allegation in the grounds of appeal, there were no errors of violation of the rules of evidence, insufficient or contradictory reasoning, or omission of judgment.
B. While it can be argued that Plaintiffs 130 and 214’s personal information was leaked inasmuch as their resident registration numbers were accessed via the Non-Party’s “Access Mobile Telephone Information” page, they did not appear to have suffered emotional distress to the extent of requiring monetary compensation, considering the following circumstances known from the body of evidence duly admitted by the court below: Plaintiffs 130 and 214 are the Non-Party’s friends, and Plaintiff 130 first notified the Non-Party that resident registration numbers were accessible on the “Access Mobile Telephone Information” page; and Plaintiff 214 even filed a petition with the investigative agency for the Non-Party. Therefore, the lower court’s determination to the same purport is justifiable. Contrary to the allegation in the grounds of appeal, there were no errors by misapprehending the legal principles on emotional distress caused by the leakage of personal information, or by violating the rules of evidence, or the pleading principle.
3. Regarding ground of appeal No. 6
According to the reasoning of the judgment below, the lower court rejected the Plaintiffs’ allegation that Defendant LG Uplus provided the Plaintiffs’ personal information to Codinus without consent, thereby infringing upon the Plaintiffs’ freedom and privacy of personal life and causing emotional distress, on the following grounds: although it is true that Codinus received the ID and password giving it access to Defendant LG Uplus’ 2G server, and that the server was interoperable with the 2G server, rendering vulnerable the Plaintiffs’ resident registration numbers stored in the 2G server to a possible exposure to Codinus, the said identifying numbers were not in fact exposed to Codinus.
Upon examination of the matter in light of the records, the lower court’s determination is justifiable and acceptable. Contrary to the allegation in the grounds of appeal, there were no errors by misapprehending the legal principles on rights infringement or emotional distress caused by a non-consensual provision of personal information, or by violating the rules of evidence.
4. Conclusion
Therefore, all appeals are dismissed, and the costs of the appeal are assessed against the losing party. It is so decided as per Disposition by the assent of all participating Justices.
[Appendix] List of Plaintiffs: omitted
Justices
Lee Sang-hoon (Presiding Justice)
Shin Young-chul
Kim Yong-deok
Kim So-young (Justice in charge)