Wemakeprice Wins Final Ruling in Lawsuit to Cancel Fine Over 'Event Customer Data Leak'

"Penalty Calculation Standard is Total Sales... Second Trial Judgment is Wrong"
"Penalty Amount Excessively Large, Conclusion of 'Discretionary Power Exceeding and Abuse' is Reasonable"

Wemakeprice, an online shopping mall that was fined approximately 1.8 billion KRW over a customer information leak during an event, has won a final ruling in its lawsuit seeking cancellation of the fine.


On the 12th, the Supreme Court's 3rd Division (Presiding Justice Ahn Cheol-sang) upheld the lower court ruling ordering cancellation of the fine that the Personal Information Protection Commission had imposed on Wemakeprice, in a lawsuit Wemakeprice filed seeking cancellation of the corrective order and the fine.


Image: Wemakeprice event poster.

Wemakeprice held a 'Black Price Day' event on November 1, 2018, distributing 50% credit vouchers to customers who purchased specific items worth more than 100,000 KRW.


At that time, Wemakeprice deployed a new cache policy applied only to the event page accessible via mobile web, separate from the cache policy applied to the shopping mall homepage accessible through the general web page.


However, during this process, the personal information of 20 shopping mall users was exposed to 29 other users.


On November 2, 2018, the day after the event, Wemakeprice reported to the Korea Communications Commission that when logging into the event page via mobile web, users were logged into other people's accounts, allowing access to specific pages (My Page, Purchase Information), resulting in the exposure of personal information of 20 customers.


The Korea Communications Commission, together with the Korea Internet & Security Agency, conducted an on-site investigation and concluded that Wemakeprice violated the Information and Communications Network Act, deciding to impose a fine of 1.852 billion KRW and a corrective order.


Subsequently, the Korea Communications Commission's personal information protection duties were taken over by the Personal Information Protection Commission. Wemakeprice filed a lawsuit against the Personal Information Protection Commission seeking cancellation of the corrective order and the fine.


Earlier, the first and second trials ruled in favor of Wemakeprice.


The court stated, "Considering the circumstances and details of the incident and the extent of the damage, the amount of the fine is excessively high," and judged that "the fine imposition in this case is illegal due to abuse and deviation of discretion."


It also pointed out that it was wrong for the Personal Information Protection Commission to base the fine calculation on the total sales of the entire shopping mall, which was unrelated to the event.


The court explained, "According to the Information and Communications Network Act, sales unrelated to the violation cannot be considered in imposing fines, but the Korea Communications Commission calculated the fine based on the annual sales of the entire shopping mall rather than sales from the event, which is excessive."


The Supreme Court found issues with the lower courts' judgment regarding the sales calculation criteria. However, it agreed that the fine imposition should be canceled due to exceeding discretionary authority.


The court stated, "When calculating the relevant sales amount for imposing fines, the scope of 'services directly or indirectly affected by the violation' should be determined based on the scope of services holding and managing the personal information involved in the leakage incident."


The court further explained, "The personal information leaked through the event page was from the database containing information of the shopping mall users, and this personal information is collected and managed for the overall operation of the shopping mall service, not solely for the services provided by the event page. Therefore, the relevant sales amount for calculating the fine should be considered as the total sales of the shopping mall service that holds and manages the personal information database."


It added, "The lower court's judgment limiting the relevant sales amount for the fine to sales from the event misunderstands the legal interpretation of relevant sales under the Information and Communications Network Act."


The court also noted, "Even considering that the fine amount was calculated within the statutory upper limit and that the plaintiff's sales are relatively large, the fine amount excessively emphasizes the punitive nature and is disproportionately high compared to the degree of illegality of the violation."


However, the court stated, "The amount of fines imposed for violations of personal information protection obligations should be determined comprehensively considering the cause and type of the violation, the scale of leaked personal information, the degree of compliance with preventive measures, and fine amounts in similar cases. If the fine amount is excessively high compared to the violation content and loses social reasonableness, such fine imposition should be deemed illegal due to abuse and deviation of discretion."


It concluded, "Therefore, although the lower court erred in limiting the relevant sales amount to sales from the event, its conclusion that the fine imposition involved abuse and deviation of discretion is justified," and dismissed the appeal.


A Supreme Court official stated, "This ruling is the first to specify the scope of 'relevant sales' used as the basis for calculating fines in cases of personal information leakage and the factors to consider when determining the fine amount."


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
