CONTENTS
- 1. Personal Information Litigation | Definition and Dispute Structure From a Corporate Perspective
  - The Scope of Personal Information That Companies Must Manage
- 2. Personal Information Litigation | Key Dispute Types Companies Face
  - Civil Damages
  - Administrative Sanctions and Disputes
  - Criminal Proceedings
- 3. Personal Information Litigation | A Company's Early Response Strategy
  - Prevention Is the Best Defense
1. Personal Information Litigation | Definition and Dispute Structure From a Corporate Perspective

Personal information litigation refers to a series of procedures in which a company (the personal information controller) is held legally accountable by a data subject, a supervisory authority, or an investigative agency based on the assertion that it has violated laws related to personal information protection.
In practice, the procedures below may proceed individually or in parallel, and because a single case can spread simultaneously across civil, criminal, and administrative tracks, an integrated response strategy is needed.
| Category | Key Content | Corporate Risk |
| --- | --- | --- |
| Breach Report and Fact-Finding | Filing with the KISA report center, requests for submission of materials, on-site inspections | Detection of violations, induced corrective action, possibility of follow-up sanctions |
| Dispute Mediation | Mediation proposal from the Personal Information Dispute Mediation Committee | Deemed accepted if no response on whether to accept is given within 15 days |
| Civil Litigation | Claims for damages and statutory damages | Burden of proof, risk of an expanded scope of compensation |
| Criminal Procedure | Accusation, investigation, indictment, and criminal trial | Criminal liability of executives, employees, and the corporation, reputational risk |
| Administrative Litigation | Administrative adjudication and administrative litigation against corrective orders, administrative fines, and penalty surcharges | Prolonged sanctions and disclosure risk |
The Scope of Personal Information That Companies Must Manage
Personal information refers to information about a living individual that falls under one of the following (Article 2, Item 1 of the Personal Information Protection Act).
| Category | Content |
| --- | --- |
| Identifying Information | Information by which an individual can be recognized, such as name, resident registration number, and video footage |
| Combinable Information | Information that is difficult to identify on its own but can be readily combined with other information to identify an individual |
| Pseudonymized Information | Information processed so that a specific individual cannot be recognized without additional information |
A company should classify in advance whether the data it holds and processes falls within the above categories, and it should establish an internal control system that also accounts for the possibility of combination and the risk of re-identification.
2. Personal Information Litigation | Key Dispute Types Companies Face

Personal information litigation begins with a breach report and has a complex structure that can spread in stages or in parallel into civil damages, administrative sanctions and litigation, and criminal procedure.
Depending on the nature of the case, a company must respond by accurately distinguishing the legal standards, burden of proof, and level of sanctions that apply in each procedure.
It must also carry out integrated risk management so that one response strategy does not work to its disadvantage in another procedure.
Civil Damages
Under the Personal Information Protection Act, a data subject who suffers harm due to a violation of the Act by a personal information controller may claim damages.
In such cases, a company can hardly avoid liability unless it proves the absence of intent or negligence.
In other words, the structure of the litigation places the substantial burden of proof on the company.
In addition, if personal information is lost, stolen, leaked, forged, altered, or damaged, the data subject may claim statutory damages of up to 3 million won, and this may be recognized regardless of the actual amount of loss.
Going further, where intent or gross negligence is recognized, liability for damages may be expanded up to five times the amount of loss.
| Category | Key Content | Impact on the Company |
| --- | --- | --- |
| General Damages | A claim for damages is available when loss arises from a violation of the Act | Liability is borne if the company fails to prove the absence of negligence |
| Statutory Damages | An amount of up to 3 million won may be recognized in cases of leakage, damage, and the like | A risk of damages exists regardless of actual loss |
| Multiplied (Punitive) Damages | Where intent or gross negligence is recognized, the amount is calculated within a limit of five times the loss | The scope of damages rises sharply where there are management gaps |
In particular, courts comprehensively consider factors such as the degree of awareness of intent, the scale of harm, the economic benefit obtained, the period and number of violations, and efforts to remedy the harm and prevent recurrence, so a company must be able to prove not only its response after an incident but also the soundness of its routine operating systems.
A company should design its defense strategy around the following elements.
| Key Issue | Evidence the Company Should Prepare |
| --- | --- |
| Whether the Act Was Violated | Records of the basis for processing, consent procedures, and compliance with purpose limitation |
| Absence of Negligence | Access control policies, permission management records, and security review and patch history |
| Loss and Causation | Analysis of the scope and route of the leakage, and review of any secondary harm |
| Limitation of the Scope of Damages | Records of blocking, recovery, notification, and recurrence-prevention measures taken after the incident |
Rather than organizing materials after a dispute arises, it is important to build a structure in which the routine operating system itself can serve directly as evidence.
Administrative Sanctions and Disputes
When a supervisory authority conducts a fact-finding investigation after a complaint or report of infringement is filed, administrative dispositions such as corrective orders, administrative fines, and penalty surcharges may be imposed.
A company may contest such a disposition through an administrative appeal or administrative litigation if it considers the disposition unlawful or improper.
Because the materials and statements submitted during this process can also affect civil and criminal proceedings, a strategic response is needed.
| Stage | Key Issues | Corporate Response Points |
| --- | --- | --- |
| Fact-finding investigation | Requests for materials, assessment of whether a violation occurred | Organizing a consistent timeline of logs, policies, contracts, and operational records |
| Disposition stage | Imposition of corrective orders and penalty surcharges | Reviewing the specificity of the grounds for the disposition, and whether there was an abuse of discretion |
| Administrative appeal | Seeking revocation or reduction of the disposition | Reviewing a stay of execution, and a strategy to minimize the impact on the business |
| Administrative litigation | Claim for revocation of an unlawful disposition | Establishing an integrated strategy that considers the links with civil and criminal proceedings |
A response at the administrative stage should be approached from the perspective of “managing the facts,” going beyond reducing the sanction to also account for the risks of later litigation and investigation.
An administrative disposition can also spread into secondary business risks, such as public disclosure, media coverage, and a decline in investor confidence, so a prompt response is needed.
Criminal Proceedings
Wrongfully acquiring personal information, providing it to a third party without consent, or divulging or leaking personal information learned in the course of one’s duties may be subject to criminal punishment.
| Relevant Provision | Main Violations | Penalty Level |
| --- | --- | --- |
| Personal Information Protection Act, Article 71 | Provision to a third party without consent; divulging personal information learned in the course of one’s duties; unauthorized leak, forgery, or alteration | Imprisonment for up to 5 years or a fine of up to 50 million won |
| Personal Information Protection Act, Article 72 | Acquisition by false or wrongful means; use beyond the intended purpose; arbitrary manipulation of an image data processing device | Imprisonment for up to 3 years or a fine of up to 30 million won |
In criminal proceedings, factors such as intent, organized involvement, and whether there was a commercial purpose become key issues, and the direction of the initial statements and submitted materials can significantly affect the later outcome of the trial.
3. Personal Information Litigation | A Company's Early Response Strategy

If you have received contact from an investigative agency, a notice of investigation, a proposed mediation, or service of a complaint in connection with personal information litigation, you should activate the following procedures without delay.
| Stage | Key Action | Materials to Secure |
| --- | --- | --- |
| Establishing the Facts | Identifying the scope, period, and route of the breach | System logs, access records |
| Preserving Evidence | Demonstrating that internal controls were in place | Policies, inspection records, outsourcing management materials |
| Controlling External Response | Operating a single point of contact | Official statement |
| Implementing Corrective Measures | Preventing the spread of harm | Records of access revocation and strengthened security |
In mediation procedures in particular, if you do not respond as to whether you accept the proposed mediation within 15 days of receiving it, you may be deemed to have accepted it, so managing this deadline carefully is very important.
Prevention Is the Best Defense
Personal information litigation is a matter of demonstrating the adequacy of a company's ordinary operating structure.
| Inspection Item | What to Confirm | Materials to Submit in a Dispute |
| --- | --- | --- |
| Managing the Legal Basis for Processing | Clarifying the basis in consent, contract, or statute | Mapping table of processing bases |
| Access Control | Minimum privileges, records of privilege revocation | History of privilege changes |
| Outsourcing Management | Inspection of subcontractors | Outsourcing contracts and inspection reports |
| Log Preservation | Keeping logs in a readable state | Log preservation policy |
| Incident Response System | Procedures for notification, containment, and recurrence prevention | Incident response report |
| AI Data Management | Adequacy of pseudonymization, prevention of re-identification | Documentation of pseudonymization and data combination procedures |
Daeryun Law Firm provides a comprehensive strategy that covers investigation response, administrative disputes, defense of damages litigation, and criminal risk management through a one-team system in which attorneys specializing in corporate, criminal, civil, and administrative law collaborate.
In addition, through its digital forensics and electronic evidence analysis infrastructure, the firm supports the securing of integrity for logs and electronic documents as well as data flow analysis, helping companies minimize the scope of their liability on the basis of an explainable compliance and security operating system.
Together with an AI attorney, you may wish to review whether your company's data processing structure is designed to remain explainable even in a dispute situation.











