2020 Highest 1404 Act on Promotion of Information and Communications Network Utilization and Information

(Violation of Information and Communications Network) Violation of Personal Information Protection Act

A, 1983 G, South and North Korea

Residence

Reference domicile

Charge, Kim fixed-time (public trial)

Attorney Kim Jong-soo

June 18, 2021

A defendant shall be punished by imprisonment for not less than eight months.

except that the execution of the above punishment shall be suspended for two years from the date this judgment becomes final and conclusive.

Criminal facts

The Defendant produced, maintained, and repaired the website of the Company B (hereinafter referred to as the “instant company”) from December 18, 2015 to May 25, 2018. A person who accessed and managed the current status of the registration of students by a branch office nationwide, and the victim C is the representative director of the instant company.

1. Violation of the Act on Promotion of Information and Communications Network Utilization and Information;

No one shall intrude into an information and communications network without access authority or beyond permitted access authority.

Around July 19, 2018, the Defendant: (a) accessed the Defendant’s residence in Ulsan-gu, Ulsan-gu, and the Defendant’s office located in the same district with his/her mobile phone and computer without any authority to access the instant company’s management site; (b) created the new manager F of the said site and the victim’s new manager account; (c) opened several times from that time to May 26, 2019 through the manager’s account to access the instant company management site; (d) accessed the victim’s student status, settlement data, and student information; and (b) opened the instant management file and password to ascertain the details of the access to the management site and account details on May 26, 2019; and (c) installed the management file and password of the Defendant’s hacking with the manager’s authority to delete the pertinent management file and password; and (d) obtained all of the pertinent management file and password from the manager’s private teaching institute without any authority to delete the instant hacking access.

Accordingly, the Defendant, without legitimate access authority, intruded on the information and communications network by accessing the instant company management site without permission.

2. Violation of the Personal Information Protection Act;

No person who has managed or processed personal information shall acquire personal information or obtain consent to the management thereof by fraud or other improper means.

On May 26, 2019, the Defendant, using a program to hacking the access password of the manager of the management site of the instant company at the location of the Defendant located in Ulsan-gu, Ulsan-gu, as described in paragraph (1) at the Defendant’s residence, by using the computer as described in paragraph (1), discovered and connect the access password of the manager of the management site of the instant company, and received 34,389 settlement information (hereinafter collectively referred to as the “settlement information of the instant case”), including the student’s ID, name, telephone number, password, date of birth, gender, etc. as listed in attached Table 1, and 2, including the student’s ID, settlement method, settlement amount, credit card, approval number, and serial number (hereinafter referred to as the “settlement information of the instant case”) from the above management site, as listed in attached Table 1.

As a result, the defendant, who managed personal information, acquired personal information of victims who were students by improper means or methods.

Summary of Evidence

(Omission)

Application of Statutes

1. Article applicable to criminal facts;

Articles 71(1)9 and 48(1) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (including unauthorized intrusion of information and communications networks); Article 72 Subparag. 2 and Article 59 Subparag. 1 of the Personal Information Protection Act (the acquisition of personal information by fraud or other improper means or means)

1. Commercial competition;

Articles 40 and 50 of the Criminal Act (Mutual Violation of the Personal Information Protection Act)

1. Selection of punishment;

Each Imprisonment Selection

1. Aggravation for concurrent crimes;

Article 37 (former part of Article 37, Article 38 (1) 2, and Article 50 of the Criminal Act / [Aggravation of concurrent crimes committed in violation of the Act on Promotion, etc. of Information and Communications Network Utilization and Communications Network Utilization and Information Protection (Violation

1. Suspension of execution;

Article 62(1) of the Criminal Act (The following consideration of favorable circumstances among the reasons for sentencing):

Judgment on the argument of the defendant and defense counsel

1. Summary of the assertion

A. It constitutes “personal information” under the Personal Information Protection Act, which only part of the instant student information and settlement information acquired by the Defendant.

B. It is true that the Defendant received, without authority, the instant student information and settlement information at the instant company management site without authority, as stated in paragraph (2) of the facts constituting the crime in the judgment of the Defendant. However, since the Defendant did not affect the decision-making of the victims who are data subjects, it does not constitute an act prohibited under Article 59 subparag. 1 of the Personal Information Protection Act.

2. Determination

A. According to the evidence duly adopted and examined by the court below, the student information of this case includes all or part of the ID, name, telephone number, password, registration date, affiliated center, date of birth, and gender of the pertinent student. The settlement information of this case includes all or part of the pertinent student's office, name, ID, registration date, settlement method, settlement amount, date of commencement, date of completion, card company, approval number, and deposit number. The student information of this case can be sufficiently identified if combined with the student information of this case and settlement information of this case. Thus, the student information of this case and settlement information of this case can be seen as personal information.

B. Article 72 Subparag. 2 of the Personal Information Protection Act provides that “A person who acquires personal information or obtains consent to the management of personal information by fraud or other improper means, in violation of Article 59 Subparag. 1 of the Personal Information Protection Act, and a person who knowingly receives personal information for profit or for any other wrongful purpose, shall be punished.” Article 59 Subparag. 1 of the Personal Information Protection Act provides that “A person who knowingly manages or manages personal information shall not acquire or obtain consent to the management of personal information by fraud or other improper means.”

In this regard, the defendant and his/her defense counsel can apply Article 72 subparagraph 2 and Article 59 subparagraph 1 of the Personal Information Protection Act only when a person who has managed or processed personal information uses false or other unlawful means or methods to obtain consent from the data subject in order to obtain personal information, thereby obtaining consent to the acquisition of personal information. In cases where a person who has managed the personal information, as the defendant, intruded the information network without authority through hacking program and acquired the personal information by downloading the information network without authority, the data subject cannot be punished by applying Article 72 subparagraph 2 and Article 59 subparagraph 1 of the Personal Information Protection Act because there is no separate consent to the acquisition of personal information.

However, as seen earlier, Article 72 Subparag. 2 and Article 59 Subparag. 1 of the Personal Information Protection Act does not use the phrase “the act of obtaining consent or processing of personal information by fraud or other improper means,” or “the act of obtaining consent to the acquisition or processing of personal information by false or other unlawful means or methods,” but rather uses the phrase “the act of obtaining consent to the acquisition or processing of personal information by false or other unlawful means or methods, or obtaining consent to the management of personal information by means of fraud or other improper means.” The literal meaning of such phrase appears to be punishable by any act of obtaining personal information by false or other unlawful means or methods, regardless of whether a subject of information has formally consented, and also by obtaining the formal consent of the subject of information regarding the management of personal information by fraud or other improper means or methods.

In addition, there is no reason to allow a person who has processed personal information as the defendant to obtain his personal information by intrusion on an information and communications network without authority through a hacking program. Accordingly, the acquisition of personal information by such a method constitutes an act contrary to the presumption intention of the data subject concerning the acquisition of personal information, and the necessity of punishment is much greater when the data subject compared with the case where the data subject makes a wrong decision and obtains consent to the acquisition of personal information by using a false or other unlawful means or method against the data subject in the process of obtaining consent to the acquisition of personal information from the data subject in order to acquire the personal information. Therefore, even if a person who has handled the personal information as the defendant without authority without authority, applying Article 72 subparag. 2 and Article 59 subparag. 1 of the Personal Information Protection Act to punish a person who has processed the personal information, such as the defendant, without authority, by applying the hacking program, is in line with the legislative intent that enacted the Personal Information Protection Act in order to protect the personal freedom and rights of an individual and to realize the dignity and value of an individual.

In full view of these circumstances, it is determined that the act of the accused, such as the statement in Paragraph 2 of the crime in the judgment, is "an act of acquiring personal information by fraud or other improper means or by other improper means," and is included in the subject of punishment stipulated in Item 2 of Article 72 and Article 59 subparagraph 1 of the Personal Information Protection Act.

C. Therefore, we cannot accept each of the above arguments of the defendant and his defense counsel.

Reasons for sentencing

In light of the following circumstances and the Defendant’s age, environment, character and conduct, motive, means and consequence of the crime, all of the sentencing factors as shown in the instant pleadings, including the circumstances after the crime, the sentence shall be determined as ordered and the execution of the sentence shall be suspended.

○ Unfavorable Circumstances: Taking into account the fact that the nature of the offense, such as the installation of hacking programs or deletion of its access records in order to commit or conceal each of the crimes in this case, is not weak, and that the amount of personal information acquired by the Defendant illegally downloaded is considerable, etc.

Considering the fact that the Defendant was the primary offender, that the Defendant did not provide or divulge personal information acquired through each of the instant crimes to a third party, and that it appears that the economic benefits derived from each of the instant crimes were not significant.

Judges Yang Sung-sung