The Supreme Court has ruled that the electronic prescription service, which SK Telecom launched in 2010 but discontinued due to personal information leakage controversies, does not violate the Personal Information Protection Act or the Medical Service Act.
According to the legal community on the 9th, the Supreme Court's 2nd Division (Presiding Justice Lee Dong-won) upheld the lower court's verdict acquitting SK Telecom as a corporation and its responsible executives, who were indicted on charges of violating the Personal Information Protection Act and the Medical Service Act, by confirming the verdict of not guilty or dismissal of the indictment.
The court explained the reason for dismissing the prosecutor's appeal, stating, "There is no error in the lower court's judgment that violated logic and the rules of experience, exceeded the limits of free evaluation of evidence, or misinterpreted the law regarding the establishment of offenses of violating the Personal Information Protection Act, violating the Medical Service Act, aiding violation of the Personal Information Protection Act, or the specification of the charges."
SK Telecom started the 'Smart Health Electronic Prescription Service' business in December 2010, which digitized prescriptions entered by doctors at hospitals and transmitted them to the desired pharmacies.
A barcode was printed at the bottom of the paper prescription issued by the hospital, and when the pharmacy receiving the prescription from the patient entered the barcode, the doctor's prescription information was automatically entered into the pharmacy's computer network.
SK Telecom acted as an intermediary, storing the hospital's prescription information on its server in encrypted form and transmitting it as is when the pharmacy entered the barcode.
However, after the enforcement of the Personal Information Protection Act in 2014, suspicions arose that SK Telecom had transmitted and stored prescription information sent from hospitals to pharmacies on its company server without authorization, raising concerns about the potential leakage of prescription information. Consequently, in December of the same year, the prosecution conducted a search and seizure and launched a forced investigation, leading SK Telecom to discontinue the service in March 2015.
In July 2015, the prosecution indicted SK Telecom and Mr. A, then head of the healthcare business division, on charges of violating the Personal Information Protection Act and the Medical Service Act. The charges alleged that SK Telecom illegally collected and stored sensitive patient prescription information and leaked it to pharmacies without patients' consent.
However, the first-instance court ruled that the actions of SK Telecom and Mr. A did not constitute violations of the Personal Information Protection Act or the Medical Service Act and acquitted them. The court dismissed the charges where the identity of the data subjects (patients) was unclear.
Regarding the dismissal of the indictment, the court cited Supreme Court precedents, stating, "Article 254, Paragraph 4 of the Criminal Procedure Act stipulates that 'the statement of charges must specify the date, place, and method of the crime to allow the facts to be identified.' The purpose is to limit the scope of the trial to improve efficiency and speed and to specify the scope of defense to facilitate the defendant's exercise of the right to defense." The court added, "Therefore, even if it is unavoidable to provide a general indication of the time and place of the crime considering the nature of the offense, the prosecutor must specify these as much as possible based on evidence at the time of indictment or amendment of the indictment. Failure to do so, which practically hinders the defendant's exercise of the right to defense, means the indictment does not meet the requirement of specifying concrete facts as prescribed in Article 254, Paragraph 4 of the Criminal Procedure Act."
Regarding this case, the court stated, "The charges in this part, which are recorded only with numbers, only specify the period and end of the alleged violations of the Personal Information Protection Act by the defendants, and the types and numbers of personal information collected, stored, held, or provided without legal grounds or patient consent. However, they do not properly indicate who the data subjects are or the specific content of the personal information collected, stored, held, or provided without legal grounds or patient consent. Therefore, from the defendants' perspective, it is impossible to verify whether the data subjects actually exist or whether the content of the personal information belongs to the data subjects by combining it with other information, making it difficult to consider the charges as specified," explaining the reason for dismissing the indictment.
Regarding the remaining charges related to other patients' information against SK Telecom and Mr. A, the court stated, "The defendants temporarily stored the prescription information in encrypted form and transmitted it to the pharmacies as is, so they did not acquire the content. It is difficult to see that they intended to use the prescription information for purposes other than delivering it to the pharmacies. The server storage was merely a means to transmit the prescription information," adding, "It is difficult to consider the encrypted prescription information as sensitive information."
The court also noted, "The prescription information transmitted by the defendants is identical to the content written on the paper prescription that the patient presented to the pharmacy," and judged, "Simply transmitting the prescription information electronically to the pharmacy, which already possesses the paper prescription, cannot be deemed as leaking personal information contained in the electronic prescription."
The court cited the following as grounds for the acquittal: ▲ SK Telecom only acted as a simple intermediary transmitting prescriptions from hospitals to pharmacies, so it is difficult to see that SK Telecom collected, stored, held, or provided sensitive information from hospitals to pharmacies for processing; ▲ hospital prescriptions were transmitted to SK Telecom's intermediary server in encrypted form, and patients submitted the paper prescriptions they received from hospitals to the pharmacies where they wanted to be dispensed medication. Only when the pharmacy entered the 'SK Telecom Electronic Prescription Issue Number' printed at the bottom of the paper prescription submitted to the pharmacy was the encrypted electronic prescription information transmitted to the pharmacy and decrypted (converted from encoded data to a human-readable form), so the information held by SK Telecom does not correspond to 'sensitive information' in the prescription information; ▲ SK Telecom merely transmitted the received encrypted information to the pharmacies without detecting or acquiring its content, and it is difficult to recognize this electronic transmission as leaking personal information contained in the electronic prescription.
Meanwhile, regarding the charges of aiding violation of the Personal Information Protection Act against the representatives of the electronic chart program companies who were also indicted, the court acquitted them based on ▲ the difficulty in considering that the programs were installed arbitrarily without doctors' consent ▲ and that aiding violation of the Personal Information Protection Act requires that they 'provided' personal information to a third party, but they only 'entrusted' the processing of personal information and cannot be seen as having 'provided' it.
The prosecution appealed, but the second-instance court's judgment was the same.
The court judged that SK Telecom merely acted as an intermediary in the process of transmitting prescriptions from hospitals to pharmacies, so it cannot be seen as collecting, storing, holding, or providing sensitive information or performing 'processing' under the Personal Information Protection Act.
Additionally, the court reasoned that the encrypted prescriptions cannot be considered sensitive information, and it is difficult to evaluate SK Telecom's mere transmission of them as 'detection' or 'leakage' of personal information under the Medical Service Act.
The prosecution appealed again, but the Supreme Court also found no problem with the second-instance court's judgment.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
