This article is a contribution by Attorney Jaesik Moon of Choi & Lee Law Firm. If you would like to share quality content for startups in the form of a contribution, please contact the Venture Square editor team at editor@venturesquare.net.
The recent SK Telecom (hereinafter referred to as 'SKT') SIM card information leak incident shocked the public. It brought about anxiety and anger at the fact that our precious personal information was leaked to the outside. Above all, since we have no idea where the leaked personal information went or what purpose it will be used for, we are in a situation where we do not know what kind of damage we may suffer in the future, and the anxiety caused by this is bound to be even greater.
The fact that personal information was leaked in this way clearly means that SKT was at fault. In this episode, we will examine whether users can claim compensation from SKT and how much compensation they can receive.
1. Claims for damages based on general civil law provisions and their limitations
Typically, claims for damages are based on two civil law provisions:
– Article 390 (Non-performance of obligation and compensation for damages) If the debtor fails to perform the obligation in accordance with the terms of the obligation, the creditor may claim compensation for damages. However, this does not apply if the performance became impossible without the debtor’s intent or negligence.
– Article 750 (Contents of illegal acts) A person who causes damage to another person through an illegal act intentionally or negligently shall be liable for compensation for the damage.
Simply put, Article 750 of the Civil Act is the basis for liability for damages caused by a perpetrator's violation of the law or criminal act, and Article 390 of the Civil Act is the basis for liability for damages caused by a breach or nonperformance of a contract in a contractual relationship.
Based on the above civil law provisions, the victims of this incident can also claim compensation for damages. However, in the case of personal information leaks and other personal information-related incidents, it is virtually impossible to prove the requirements of the above civil law provisions, such as the illegal acts or negligence of the actual personal information processor and the resulting damages, so it is difficult to recognize compensation liability based on the above provisions.
2. Claim for damages pursuant to Article 39 of the Personal Information Protection Act
Therefore, the Personal Information Protection Act has specially prepared a provision on the basis of liability for damages that relaxes the requirements of the above Civil Act provisions. First, Article 39 of the Personal Information Protection Act allows the data subject to claim damages from the personal information processor if the data subject suffers damages due to the personal information processor’s violation of the Personal Information Protection Act, and the burden of proof regarding the personal information processor’s intent or negligence (or gross negligence) is borne by the personal information processor, not the data subject. Compared to the above Civil Act provisions, this reduces the burden of proof on the victim. It will be easier to claim damages than based on the above Civil Act provisions.
3. Is it possible to claim compensation even if there is no damage?
However, looking at the provisions of Article 39 of the Civil Act and the Personal Information Protection Act, it is required that damages be caused by a violation by the personal information processor in order to claim compensation. In this case, the fact that personal information was leaked is clear, but since I did not suffer actual damages, is it possible to claim actual compensation?
The Personal Information Protection Act, in preparation for such cases, does not prescribe the occurrence of damage as a requirement, and allows for a claim for compensation of a certain amount of damage even if no damage occurs. According to Article 39-2 of the Personal Information Protection Act, if personal information is lost, stolen, leaked, forged, altered, or damaged due to the intentional or negligent act of the personal information processor, compensation may be claimed for a reasonable amount of damage up to 3 million won.
4. So how much actual compensation can I receive?
If damage occurs, liability for damages will be recognized to the extent that a causal relationship with the personal information leak is recognized, and even if no damage occurs, compensation for damages will be recognized within the range of 3 million won or less in accordance with Article 39-2 of the Personal Information Protection Act. On the other hand, if damage occurs due to the leak of personal information due to the intentional or gross negligence of the personal information processor, punitive damages of up to 5 times the amount of damages may also be recognized in accordance with Article 39, Paragraph 2 of the Personal Information Protection Act.
Then, how much damages were awarded in actual cases? The scope of damages liability is determined at the discretion of the court, taking into account various factors, such as the circumstances in which personal information was leaked, the type and nature of the leaked personal information, the personal information management status of the personal information processor, and the degree of negligence.
Looking at specific cases, in a case where an outsourced employee intentionally leaked card customer information such as the card company's resident registration number, compensation liability of 70,000 won per person was recognized (Seoul High Court Decision 2016na2057183, 2016na2057176, November 28, 2019), and in a case where personal information such as Interpark members' IDs, passwords, and phone numbers were leaked in 2016, compensation liability of 100,000 won per person was recognized. From the perspective of the individuals who suffered damages, this cannot help but be a very regrettable amount, and the courts still seem to be taking a passive stance in recognizing liability for damages.
Personal information leakage is a serious problem that may not cause direct damage to us, but may be the cause of various phishing and fraud crimes. Fortunately, the Personal Information Protection Act opens the way for victims to claim damages in a more favorable structure, but the court's position so far has been somewhat conservative, which is unfortunate. Nevertheless, I think it is necessary to prevent similar incidents from recurring in the future by holding companies accountable through these legal responses. If you have suffered a personal information infringement, you may want to consider actively exercising your rights by getting help from a legal expert.
- See more related columns
You must be logged in to post a comment.