[Asia Economy Reporter Eunmo Koo] KT and ESTsoft, which violated personal information protection regulations by failing to fulfill the safety obligations stipulated by law, resulting in personal information leakage, have again been fined, this time a total of 148 million KRW.
The Personal Information Protection Commission (PIPC) held its 19th plenary session on the 24th and announced that it had resolved to re-impose fines on the two businesses, whose original fine orders were canceled by final rulings of the Supreme Court, based on the legal violations that the court did recognize.
Previously, the fine of 70 million KRW imposed on KT by the Korea Communications Commission (KCC) on June 26, 2016, and the fine of 112 million KRW imposed on ESTsoft on March 28, 2018, were both canceled by the Supreme Court’s final rulings in August and September of this year, respectively. In the KT case, the Supreme Court found no legal violation on three of the four grounds initially cited by the KCC, stating that “technical protective measures reasonably expected by social norms at the time were implemented.” In the ESTsoft case, the court distinguished between the ‘installation obligation’ and the ‘operation obligation’ for the intrusion prevention and detection system, ruling that “even if a personal information protection system is built using open-source software, it is lawful if the quality is objectively recognized,” and thus found no violation of the installation obligation. The Supreme Court canceled the fine orders in their entirety, reasoning that the grounds on which no violation was recognized had affected the original fine calculations.
The PIPC re-imposed a fine of 50 million KRW on KT, reduced by 20 million KRW from the original order, and a fine of 98 million KRW on ESTsoft, reduced by 14 million KRW. This Supreme Court ruling is significant in confirming that ‘partial safety measures or incomplete system operation constitute legal violations.’ The KT ruling clarified that simply deleting the accounts of retired employees does not constitute sufficient safety measures, and that access rights must be deleted completely, down to the URL information, for the measures to be lawful. The ESTsoft ruling held that even if a personal information protection system is installed, failing to operate it properly to detect and block inappropriate access by hackers constitutes a legal violation.
Song Sang-hoon, Director of the Investigation and Coordination Bureau at the PIPC, stated, “This re-imposition is due to differing views between the court and the PIPC regarding the obligation of personal information safety measures. We will continue to supplement the obligations for personal information safety measures by gathering industry opinions on the intent of the ruling and the current technological level.”
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.



