[1] Meaning of “any false or other unlawful means or methods” under Article 72 subparag. 2 of the Personal Information Protection Act, and method of determining whether personal information has been acquired or consented to the management thereof by fraud or other improper means

[2] The meaning of “a third party provision” of personal information under Article 17 of the Personal Information Protection Act and Article 24-2 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc., and the meaning of “entrustment of management” of personal information under Article 26 of the Personal Information Protection Act and Article 25 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.

[1] In light of the legal nature of the right to self-determination of personal information, the legislative purpose of the Personal Information Protection Act, the principle of personal information protection under the Personal Information Protection Act, and the content of a duty to be observed by a personal information manager in managing the personal information, “any false or other unlawful means or method” under Article 72 subparag. 2 of the Personal Information Protection Act refers to a deceptive scheme used to acquire personal information or obtain consent from the personal information, or other unlawful means by social norms, and thus, it refers to an affirmative or passive act that may affect the decision-making of an owner of the personal information regarding whether to consent to acquire or process the personal information. In addition, determination of whether a personal information manager acquired or consented to the personal information by fraud or other improper means or other wrongful means shall not be made separately on an individual basis, and determination shall be made based on social norms by comprehensively taking into account the motive and purpose of collecting the personal information, the relevance and purpose of collecting the personal information as revealed, the details of the personal information acquired, the scale of the personal information, and whether the personal information was included in sensitive information or personally identifiable information.

[2] In light of the language and purport of Articles 17(1)1, 26, and 71 subparag. 1 of the Personal Information Protection Act, and Articles 24-2(1), 25, and 71 subparag. 3 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (hereinafter “Information and Communications Network Act”), “the provision of personal information to a third party” under Article 17 of the Personal Information Protection Act and Article 24-2 of the Information and Communications Network Act means a case where personal information is transferred for business affairs and interests of the recipient beyond the scope of the original purpose of collecting and using the personal information. On the other hand, “the entrustment of processing” of personal information under Article 26 of the Personal Information Protection Act and Article 25 of the Information and Communications Network Act refer to a case where personal information is transferred for personal information to the truster’s own business affairs and interests related to the purpose of collecting and using the personal information. In the entrustment of processing the personal information, the trustee does not have an independent interest in handling the personal information from the truster’s, but does not fall under Article 172-2 of the Information Protection Act.

On the other hand, whether an act constitutes provision or entrustment of management of personal information shall be determined by comprehensively taking into account the purpose and method of acquisition of personal information, payment or receipt of consideration, actual management or supervision over a trustee, impact on the necessity of protecting personal information of an owner of information or a user, and the actual identity of a person who

[1] Articles 10 and 17 of the Constitution of the Republic of Korea; Articles 1, 3(1), 15, 17(1) and (2), 22(1), 59 subparag. 1, and 72 subparag. 2 of the Personal Information Protection Act; Article 16(1) and (2) of the former Personal Information Protection Act (Amended by Act No. 11990, Aug. 6, 2013); Article 16(3) of the former Act / [2] Articles 17(1)1, 26, and 71 subparag. 1 of the Personal Information Protection Act; Articles 24-2(1) and 25 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc.; Article 16(1) and (2) of the former Act on Promotion of Information and Communications Network Utilization and Information Protection (Amended by Act No. 1408, Mar. 22, 2016)

[2] Supreme Court Decision 2011Do1960 Decided July 14, 201 (Gong2011Ha, 1675)

Defendant 1 and eight others

Prosecutor

Attorneys Son Ji-yol et al.

Seoul Central District Court Decision 2016No223 Decided August 12, 2016

The judgment of the court below shall be reversed, and the case shall be remanded to the Seoul Central District Court. The case name of the court below shall be corrected to “Violation of Personal Information Protection Act.”

1. Summary of the facts charged in this case

A. Violation of the Personal Information Protection Act due to the acquisition, etc. of personal information

(1) Defendants 1, 2, 3, 4, 5, and 6 (hereinafter “Defendant 1, etc.”) concluded a business partnership agreement to sell personal information acquired by Defendant 1, Nonindicted Company 1, Nonindicted Company 2 (hereinafter “Nonindicted Company 1”) and Defendant Company 9 through a gift event to KRW 1,980 per case, and planned and implement a gift event for the purpose of selling it in return for payment to the insurance company by collecting the personal information of customers who expected and subscribed to the gift event.

Defendant 1, etc., despite the fact that Defendant Company’s membership information alone led to an insurance company to hold a gift event because it is impossible to secure sufficient personal information to sell the insurance company, Defendant 1, etc. knew that the purpose of holding the gift event is to acquire personal information of the insurance company by pretending to hold the gift event, Defendant 1, etc., intended to share

Defendant 1, etc., based on this, printed the contents on the collection of personal information and the provision of information to a third party in the form of a bid and made it impossible to read it in fact, so that the subscribers can not read it in fact, the Defendant 1, etc. were fluored on high-priced gift photographs on the site of a premium event in a repairing and repaired manner, so that

In addition, Defendant 1, etc. collected personal information beyond the necessary scope of a gift event, excluded it from a premium lottery without consent, neglected to contact the winner, or failed to prepare or pay premiums, and arranged large volume of personal information that is likely to conclude an insurance contract even if the winner is not a legitimate insurance solicitor, and received the price.

Ultimately, Defendant 1, etc., as executive officers and employees of Defendant Company 9, conspired with the following: (i) to obtain personal information (name, date of birth, cell phone number, and number of children) of customers who subscribed to give free gifts as indicated in the pertinent crime list by false or other unlawful means or means; and (ii) obtained consent to the management thereof (the provision of third party).

① Defendants 2, 3, and 4: From December 201 to August 2012; list of crimes (1-1 to August 1-3); three giveaway events; personal information 2,986,247 cases

② Defendants 3 and 4: From September 2012 to April 2013, 2013; list of crimes (1-4 to April 1-6); three giveaway events; 1,290,125 items of personal information

③ Defendants 1, 3, and 5: From July 2013 to November 2013; list of offenses (1-7 to 1-9); three giveaway events; 1,698,457 items of personal information

④ Defendants 1, 3, and 6: From December 2013 to June 2014; list of crimes (1-10 to June 11, 2014; two giveaway events; 1,146,31 items of personal information;

(2) As indicated in the above Paragraph (1), Defendant Company: (a) the representative or employee of Defendant 1, etc. acquired personal information in connection with the corporate affairs by false or other unlawful means; and (b) obtained the consent on the management thereof.

B. Violation of the Personal Information Protection Act or the Act on Promotion of Information and Communications Network Utilization and Information Protection, Etc. (hereinafter “Information and Communications Network Act”) due to the provision of personal information

(1) A personal information manager is prohibited from providing personal information to a third party without the consent of a subject of information, and a provider of information and communications services is prohibited from providing personal information to a third party without the consent of the relevant user (Prohibition against post-approval).

Defendant 4, Defendant 5, and Defendant 6, etc. provided personal information to an insurance company at will without the consent of the members of the Defendant Company 9’s par cards purchased through their stores or the Internet in accordance with the business policies of Defendant Company 9. However, in order to dilution the illegality of the provision of information to a third party by selecting a suitable person among the relevant insurance companies, Defendant 4, Defendant 5, and Defendant 6, etc. selected members through a call center, such as Nonindicted Company 3, etc., in order to select a suitable person for the recruitment of insurance and then dilution the illegality of provision to a third party

Accordingly, the above Defendants conspired to provide individuals to be provided to Nonindicted Company 1 and Nonindicted Company 2 from among the members of the Insurance Service Team’s life so that they can be downloaded from Nonindicted Company 1 and Nonindicted Company 2 without the consent of the third party’s information provision by ordering them to the life management team Nonindicted 4, Nonindicted 5, and life management team Nonindicted 6, Nonindicted 7, and Nonindicted 8, and Defendant 9 Company’s name and address, including the members’ name and contact, 415, 215, 3275, and 375 of the Act, as stated in the attached crime list (2-1), 201, 3-1, and 3-2, and part (3-2) of the attached list of crimes (a detailed content is omitted) from December 201 to August 2014.

(2) As described in the foregoing paragraph (1) above, Defendant 9, Defendant 4, Defendant 5, and Defendant 6, who are his employees, provided the total of 4,438,632 items of personal information, including names, resident registration numbers, and contact numbers (348 items of online subscription personal information) to Defendant 7 and Defendant 8, etc. without obtaining consent from owners of information or users of information and communications services from December 201 to August 2014.

(3) Defendant 7, Defendant 8, etc. knew of the fact that Defendant Company provided the above personal information without the consent of the data subject or the information and communications service user. Defendant 7, from February 2013 to August 2014, as indicated in [Attachment 2-1] Nos. 1 to 207581, and [Attachment 2-2] Nos. 1,841,585 of the customer information of Defendant Company 9 (personal information purchased online) and Defendant 8, from December 2011 to August 2013, and from August 2013 to August 2014, Defendant 1 to August 358, 2014, Defendant 7, as indicated in [3-1] List of Offenses (2-1 to 3580, 71038, 3108-108-38, 305-1 to 20535-137, 2015-135.

2. As to the violation of the Personal Information Protection Act due to the acquisition, etc. of personal information

A. The judgment of the court below

The lower court upheld the first instance judgment that acquitted this part of the facts charged on the following grounds.

(1) Defendant 1, etc. and Defendant Company indicated all the matters to be notified to the subject of information when obtaining consent to the collection and management of personal information under the Personal Information Protection Act.

(2) It cannot be deemed that Defendant Company has a duty to inform a third party of the fact that it provides personal information to a third party for a fee, and such matters do not seem to have an essential factor affecting the subscriber’s decision on whether to consent.

(3) In light of the fact that approximately 1m of letters on the invitation slip is widely used in various places, such as lottery tickets, medicine usage manual, etc., and that the subscribers were also able to read them, it is difficult to view that the defendant company intentionally small the size of writing and interfered with the contents so that they can not read it, and it is reasonable to view that the subscribers have consented to their personal information for marketing purposes under the circumstance that they can sufficiently be aware that their personal information is provided to the insurance company.

(4) The evidence submitted by the prosecutor alone is insufficient to recognize that Defendant 9 had obtained consent to the collection, etc. of personal information by deceiving the subscribers without the intent to give free gifts, and it is difficult to accept all other prosecutor’s assertion.

B. Judgment of the Supreme Court

(1) The general personal rights derived from the first sentence of Article 10 of the Constitution, which provides for the right to pursue happiness, and the right to self-determination of personal information, derived from the privacy and freedom under Article 17 of the Constitution, are the right in which an owner of information can decide to what extent he/she would know and use. All acts such as investigating, collecting, keeping, processing, and using personal information constitute a limitation on the right to self-determination of personal information in principle (see, e.g., Supreme Court Decisions 2012Da49933, Jul. 24, 2014; 2014Da235080, Aug. 17, 2016).

The Personal Information Protection Act (amended by Act No. 10465, Mar. 29, 201; Act No. 10465, Sept. 30, 201; Act No. 10465, Sept. 30, 201; hereinafter referred to as the “Personal Information Protection Act”) provides for the duty to comply with when a personal information manager collects, possesses, uses, provides, etc. personal information to operate personal information files for the purpose of his/her duties. In other words, a personal information manager shall collect the minimum amount of personal information necessary for the purpose of collection, and shall not refuse the provision of goods or services to a subject of information on the ground that the subject of information does not consent to collection of personal information other than the minimum necessary information (Article 16(1) and (2)). In addition, where a personal information manager provides personal information to a third party, the recipient of the personal information, the recipient’s purpose of use of personal information, items of personal information provided, etc. to the subject of information.

In addition, Article 59 Subparag. 1 of the Personal Information Protection Act prohibits a person who manages or manages personal information by fraud or other improper means or means, or obtains consent to the management thereof (Article 59 Subparag. 1). Article 59 provides that “a person who acquires personal information by fraud or other improper means or means, or obtains consent to the management of personal information, by fraud or other improper means, and a person who knowingly receives personal information for profit or other improper purposes shall be punished by imprisonment for not more than three years or by a fine not exceeding 30 million won (Article 72 Subparag. 2).

In light of the legal nature of the right to self-determination of personal information, the legislative purpose of the Personal Information Protection Act, the personal information protection principle under the Personal Information Protection Act, and the content of the duty to be observed by the personal information manager in the course of managing the personal information, it is reasonable to deem that “any false or other unlawful means or method” under Article 72 subparag. 2 of the Personal Information Protection Act refers to the affirmative or passive act that may affect the decision-making of the owner of the personal information regarding whether to obtain or consent to the acquisition or management of the personal information, as it is recognized as a deceptive scheme used to obtain or consent to the management of the personal information, or other unlawful means by social norms. In addition, in determining whether the personal information manager acquired or consented to the management of the personal information by fraud or other improper means, the personal information manager should not separately determine whether the personal information manager obtained or consented to the management of the personal information, taking into account the motive and purpose of collecting the personal information, the relevance and method of collecting the personal information as revealed, the details and scale of the personal information acquired, and whether the personal information is included in social norms.

(2) Review of the reasoning of the lower judgment and the evidence duly admitted by the lower court reveals the following facts.

① From around 2000, Defendant Company collected membership information while recruiting Defendant 9’s members, and began to provide information on customers who agreed to provide personal information to a third party to an affiliated card company from around 2003. From around 2007, Defendant Company sold personal information of its customers.

② Defendant 9 Company planned to collect and sell personal information for insurance companies due to changes in the form of Defendant Company’s application form for subscription to the Plaintiff’s par card holders through free events under the supervision of the new distribution service headquarters. Accordingly, since around 2009, Defendant Company started to hold free gifts events for customers.

③ Around October 27, 2011, around June 17, 2010, the Defendant Company entered into a business partnership agreement with Nonindicted Company 1 and Defendant 9 to sell personal information of its customers at KRW 1,980 per case and KRW 1,980. Then, the Defendant Company: (a) held gift events (hereinafter “instant gift events”) from December 201 to June 201; and (b) collected approximately KRW 7120,000 cases in total (including name, date of birth or resident registration number, cell phone number, number of children, and whether parents live with Nonindicted Company 2; and (c) received approximately KRW 6 million from among them to sell the personal information of its customers to Nonindicted Company 1,980.

④ 이 사건 경품행사는 벤츠 승용차, 다이아몬드 반지 등을 경품으로 내걸었고, 피고인 9 회사 매장을 방문하거나 물건을 구매하지 않는 사람도 응모할 수 있도록 되어 있다. 피고인 9 회사는 전단지, 인터넷 홈페이지, 물품구매 영수증 등을 통해 경품행사를 광고하였는데(이하 ‘이 사건 광고’라고 한다), 위와 같은 광고와 응모권(15cm×7cm크기) 앞면에는 경품 사진과 함께 커다란 글씨로 ‘창립 14주년 고객감사 대축제’, ‘그룹 탄생 5주년 기념’, ‘브라질 월드컵 승리 기원’, ‘피고인 9 회사가 올해도 10대를 쏩니다’ 등의 문구가 기재되어 있고, 응모권 뒷면과 인터넷 응모 화면에는 [개인정보 수집, 취급위탁, 이용동의]라는 제목하에 ‘수집/이용목적’은 ‘경품 추첨 및 발송, 보험마케팅을 위한 정보 제공, 피고인 9 회사 제휴상품 소개 및 제휴사에 대한 정보 제공 동의 업무’ 등이, [개인정보 제3자 제공]이라는 제목하에 ‘개인정보를 제공받는 자’는 ‘공소외 1 회사, 공소외 2 회사 등’이, ‘이용목적’은 “보험상품 등의 안내를 위한 전화 등 마케팅자료로 활용됩니다.”라는 내용 등이 약 1mm 크기의 글씨로 기재되어 있으며, 말미에는 “기재/동의 사항 일부 미기재, 미동의, 서명 누락 시 경품추첨에서 제외됩니다.”라는 사항이 붉은 글씨로 인쇄되어 있다.

(3) We examine the above facts in light of the legal principles as seen earlier.

① 이 사건 경품행사의 기획 및 실시 경위 등을 살펴보면, 이 사건 경품행사의 목적은 피고인 9 회사 고객들의 매장 방문을 유도하여 매출을 증대하는 데 있다기보다 처음부터 고객들의 개인정보를 수집하여 이를 보험회사에 대가를 받고 판매하는 데 있었음을 알 수 있다. 그럼에도 이 사건 경품행사를 광고하기 위한 수단인 전단지, 인터넷 홈페이지 등에는 ‘창립 14주년 고객감사 대축제’, ‘그룹 탄생 5주년 기념’, ‘브라질 월드컵 승리 기원’, ‘피고인 9 회사가 올해도 10대를 쏩니다’ 등의 문구를 경품사진과 함께 큰 글씨로 전면에 배치하여 경품행사를 광고하고 있을 뿐이고, 피고인 9 회사가 소비자의 개인정보를 수집하고 이를 제3자에게 제공한다는 점에 관한 기재가 누락되어 있다. 따라서 일반적인 소비자가 이 사건 광고를 접하게 되는 경우 소비자들은 오로지 고객에 대한 사은행사의 일환으로 경품행사를 실시하는 것으로 받아들일 가능성이 크다. 그런데 소비자의 입장에서는 이 사건 경품행사가 아무런 대가 없이 이루어지는 단순 사은행사인지 아니면 자신의 개인정보를 수집하여 보험회사 등 제3자에게 제공하는 대가로 경품을 제공하는 행사인지 여부가 이 사건 경품행사에 응모할지 여부에 영향을 미치는 중대한 요소라고 보인다. 따라서 피고인 9 회사가 이 사건 경품행사를 진행하면서 위와 같은 목적을 은폐하고 광고한 것은 ‘표시·광고의 공정화에 관한 법률’ 제3조 제1항 제2호 에서 말하는 ‘소비자를 속이거나 소비자로 하여금 잘못 알게 할 우려가 있는 광고 행위’에 해당한다.

② It is highly probable that customers who subscribed to the instant premium event may be deemed necessary to proceed with a premium event, such as “collection of personal information and consent to provide a third party” on the back of the subscription ticket and the Internet screen. However, according to the invitation ticket, information on privacy, such as “the gender, number of children, and whether a third party living together,” which is not related to the personal information necessary to notify the invitation of a premium ticket, and even if collecting personally identifiable information such as resident registration number, and failing to give consent thereto, the said information is not subscribed or shall be excluded from a premium drawing. This is in violation of the principle of personal information protection (Article 3(1) of the Personal Information Protection Act) and the provisions of the Personal Information Protection Act.

③ Moreover, it is difficult for consumers to read the content of the consent given in the invitation slip used for the instant premium event in a size of about 1m. Moreover, from the customer’s standpoint who misleads the subject through the instant advertisement as a simple private event and participated in the premium event, it seems difficult to accurately understand the contents of the invitation slip or enter the subscription screen in a short time. Such measures violate the duty under the Personal Information Protection Act to ensure that when a personal information manager obtains the consent of a subject of information, the subject of information can clearly understand the contents of the consent.

As seen above, it is reasonable to view that the Defendants’ act constitutes “a person who acquires personal information or obtains consent to the management of personal information by fraud or other improper means or by other improper means” as stipulated under Article 72 subparag. 2 of the Personal Information Protection Act, in full view of the following: (a) the Defendants’ act of hiding the principal purpose of the instant advertisement and the instant give rise to misunderstanding of consumers; and (b) the Defendants provided it to a third party; (c) the Defendants breached the principle of the protection of personal information under the Personal Information Protection Act and the duty to protect personal information; (d) the information collected by the Defendants was included in the information on privacy; and (e) the size of the personal information collected by the Defendants and the profits accrued from sales to a third party.”

(4) Nevertheless, the lower court rendered a not guilty verdict on this part of the facts charged solely on the grounds indicated in its reasoning. In so doing, the lower court erred by misapprehending the legal doctrine on “the act of acquiring personal information by false or other unlawful means or methods, or obtaining consent to the management thereof,” as prescribed by Articles 59 subparag. 1 and 72 subparag. 2 of the Personal Information Protection Act, and failing to exhaust all necessary deliberations, thereby adversely affecting the conclusion of the judgment. The

3. As to the violation of the Personal Information Protection Act due to the provision of personal information and the Information and Communications Network Act (Leakage of personal information)

A. The judgment of the court below

The Defendants asserted that Defendant 9’s provision of personal information database to Nonindicted Company 1 and Nonindicted Company 2 as stated in this part of the facts charged does not correspond to the provision of personal information necessary for the consent of the subject of information, but merely entrusted the management of Defendant 9’s business to the said insurance company, which selects the subject of the so-called distribution protocol among the personal information database, to the said insurance company. The lower court upheld the first instance judgment that accepted the Defendants’ aforementioned assertion and acquitted the Defendants on this part of the facts charged on the following grounds.

In light of the following: (a) so-called fashion call services or services incidental thereto; (b) pre-perception services are Defendant Company 9’s business; (c) economic benefits arising from pre-perception only accrue to Defendant Company 9, which could save time and expenses incurred in the spread; and (d) Nonindicted Company 1 and Nonindicted Company 2 cannot be deemed to have obtained significant economic benefits through pre-perception. In addition, in light of the fact that the said insurance company simply shot the personal information database transferred for the purpose of preventing a pre-perception within its intended scope, and simply shot the said database within its intended scope and did not use it for other purposes, Nonindicted Company 1 and Nonindicted Company 2 have the status of a trustee who provided part of the pre-perception services for Defendant Company 9, and cannot be deemed to have the status of “third party” as provided for in Article 17 of the Personal Information Protection Act and Article 24-2 of the Information and Communications Network Act.

B. Judgment of the Supreme Court

(1) The reasoning of the first instance judgment maintained by the lower court and the evidence duly admitted by the lower court reveal the following facts.

① The Defendant Company: (a) purchased personal information collected through a premium event and customer’s personal information with consent to the provision of personal information to a third party by Defendant Company 9; (b) provided a third party with personal information; and (c) provided a third party’s consent to the provision of personal information (hereinafter “non-indicted 3”) to an insurance company, including Nonindicted Company 1 and Nonindicted Company 2 (hereinafter “non-indicted 3”); (d) provided a third party’s insurance company with personal information database with Defendant Company 9; (b) compared and analyzed the personal information database with the personal information database owned by each of the above insurance companies; (c) provided customers with each of the above insurance companies with consent to the provision of personal information to a third party; and (e) provided a third party with the insurance company’s insurance coverage with the insurance company; and (e) provided a specific insurance company’s insurance coverage with each of the above insurance companies, including those who had already concluded an insurance trading contract with each of the above insurance companies; and (e) provided a person whose insurance premium remains after the insurance company’s termination or termination of the insurance policy.

② Defendant Company: (a) entrusted the call service to Nonindicted Co. 3; and (b) paid KRW 1,700 per customer who obtained consent to the provision of personal information to a third party as a fee; (c) however, Defendant Company did not pay a fee for personal information generated through a pening by an insurance company.

③ Defendant Company entered into a business partnership agreement with Nonindicted Company 1 and Nonindicted Company 2 on February 27, 2009, a business partnership agreement attached to the business partnership agreement dated October 1, 2009, and a business partnership attached agreement attached to the business partnership agreement dated June 11, 2010, and concluded a subsidiary agreement attached to the business partnership agreement with Nonindicted Company 2 and Nonindicted Company 2 on June 20, 2011. Each of the above contracts or agreements was stipulated as “business of supporting insurance telemarket” necessary for the business of the insurance company’s telemarket. The specific content was that Nonindicted Company 1 and Nonindicted Company 2 were allowed to engage in insurance telemarket marketing against Defendant Company 9. The Defendant Company confirmed whether it intended to receive insurance-related consultation from the said insurance company and agreed to provide personal information to its customers and provided personal information to the said insurance company at KRW 2,800 per case, but excluded the above insurance company’s personal information on which it had already entered into an insurance contract or agreed to provide the customer’s call within three to six months.

④ According to the method of calculating fees, Defendant 9 made efforts to reduce the rate of personal information that an insurance company gets coming through the cryping among the spread DB provided to the insurance company. However, the ratio of remaining effective database after the cryping to the cryping has gradually deteriorated, such as that the ratio of the cryping to the cryping has increased. Accordingly, Defendant 9 suggested the so-called cryping to Nonindicted Company 2 and Nonindicted Company 1. From the standpoint of Defendant 9, the previous insurance company’s implementation of the cryping procedure after obtaining a third party’s consent from its customers, which would result in the reduction of unnecessary cryping procedure, and the insurance company, as well as Nonindicted Company 12, upon receiving the aforementioned request, requested Nonindicted Company 2 to implement cryping prior to the implementation of cryping procedure.

⑤ Accordingly, Defendant 4, Defendant 5, and Defendant 6 provided personal information as indicated in this part of the facts charged from around December 2011 to August 2014 for the advance pening. Nonindicted Company 1 and Nonindicted Company 2 opened the personal information database provided through Defendant Company’s web 9 to the said web gate, which was then opened to the said web gate. Defendant Company provided the said insurance company with the personal information of the customers who obtained consent after putting up the database and putting it back to the said web gate. Meanwhile, Nonindicted Company 1 and Nonindicted Company 2 opened the personal information database that completed the advance pening to the Defendant Company’s Web 9, and deleted it from all of their systems.

(2) Article 71 Subparag. 1 of the Personal Information Protection Act provides that a person who provides a third party with personal information without the consent of a subject of information in violation of Article 17(1)1 and a person who knowingly received such personal information shall be punished by imprisonment with prison labor for not more than five years or by a fine not exceeding 50 million won. Article 71 Subparag. 3 of the Information and Communications Network Act provides that a person who provides a third party with such personal information without the consent of the relevant user in violation of Article 24-2(1) and a person who knowingly received such personal information for profit or for an illegal purpose shall be punished by imprisonment with prison labor for not more than five years or by a fine not exceeding 50 million won. Meanwhile, Article 26 of the Personal Information Protection Act and Article 25 of the Information and Communications Network Act provide for matters concerning the entrustment of the management of

In light of the language and purport of the above provisions of the Personal Information Protection Act and Article 24-2 of the Information and Communications Network Act, “the provision of personal information to a third party” means a case where personal information is transferred for the performance of duties and interests of the recipient of the information beyond the scope of the original purpose of collection and use of personal information. On the other hand, “the entrustment of management” of personal information under Article 26 of the Personal Information Protection Act and Article 25 of the Information and Communications Network Act refers to a case where personal information is transferred for the performance of duties and interests of the truster himself/herself related to the purpose of collection and use of personal information. In the entrustment of management of personal information, the trustee does not have an independent profit with respect to the management of personal information, except for the payment for entrusted duties by the truster. Thus, it does not constitute “the third party” under Article 17 of the Personal Information Protection Act and Article 24-

On the other hand, whether an act constitutes provision or entrustment of management of personal information shall be determined by comprehensively taking into account the purpose and method of acquisition of personal information, payment or receipt of consideration, actual management or supervision over a trustee, impact on the necessity of protecting personal information of an owner of information or a user, and the actual identity of a person who

(3) Examining the aforementioned facts and the following circumstances in light of the aforementioned legal principles, it is reasonable to view that Nonindicted Company 1 and Nonindicted Company 2 constitute “third party” who received personal information from Defendant Company 9 to conduct its own interest and business affairs, not merely as a trustee, and that the act of Defendant 4, Defendant 5, and Defendant 6 transferred personal information to Defendant 7 and Defendant 8 in advance to conduct pening constitutes an offer of personal information under the Personal Information Protection Act and the Information and Communications Network Act.

① Personal information, such as the name, resident registration number, and contact address of Defendant 9’s par Card Members, indicated in this part of the facts charged, is practically necessary for Nonindicted Company 1 and Nonindicted Company 2 to carry on the insurance marketing business.

② In short, Nonindicted Co. 1 and Nonindicted Co. 2’s single pening are designed to enhance the efficiency of insurance telemarket by selecting persons, etc. who are listed in the above insurance company’s insured or black list. In that context, it is difficult to deem that the aforementioned insurance company’s business has changed in the purpose or character of the instant pening business even in the case of advance pening. In addition, in light of the specific content of the above spread call, etc., it is difficult to view it as Defendant Co. 9’s business even if it is considered as an incidental business of the above insurance company, since it is difficult to view it as an exclusive business of the above insurance company, since the advance pening business is also a part of the above insurance telemarketing business. Accordingly, it is difficult to view it as an exclusive business of Defendant Co. 9, even if it is a prior pening business of Defendant Co. 9.

③ The employees in charge of Nonindicted Company 1 and Nonindicted Company 2, once once they received personal information database necessary for the advance pening from each other’s computer for their own business purposes, they could freely copy, edit, use, and transmit it. Defendant Company 9 appears not to have managed and supervised it, and it does not seem that Defendant Company 9 established a clear pening criteria for the said insurance companies.

(4) Nevertheless, the lower court rendered a not-guilty verdict on this part of the facts charged solely based on its reasoning. In so doing, the lower court erred by misapprehending the legal doctrine on the distinction between “the provision of personal information to a third party” and “management entrustment” as prescribed by the Personal Information Protection Act and the Information and Communications Network Act, and failing to exhaust all necessary deliberations, thereby adversely affecting the conclusion of the judgment

4. Determination ex officio as to the part on which the list of crimes was submitted by a document in electronic form among the facts charged in the instant case

A. In a case where a prosecutor prepares a crime list, which is part of the facts charged, in an electronic form, through a computer program (hereinafter referred to as “electronic document”), and then submits the storage device itself, in which an electronic document is stored, without printing it out in a paper document, along with the written indictment, the indictment shall be deemed lawful only for the portion indicated in the written indictment. Therefore, in a case where a prosecutor institutes a public prosecution using an electronic document or a storage device, the court shall determine the facts charged only with the portion indicated in the written indictment, excluding the part stored in the storage device. If the facts charged are not specified, the prosecutor must specify the facts charged; however, if the prosecutor does not specify, the prosecution shall be dismissed (see, e.g., Supreme Court Decision 2015Do3682, Dec. 15, 2016).

B. A prosecutor attached a list of crimes (1-1) to (11), (2-1), (2-2), (3-1), (3-2), and CDs in the indictment. However, the CDs are stored in the form of X-cell files, respectively, and the number of personal information (victim's name, date of birth, contact number, etc.) recorded in the indictment is written in each X-cell file. On the other hand, a paper document is accompanied only by the first two heads and the last two copies of the list of crimes.

C. First, the CD attached to the indictment or the X-cell file stored in the CD cannot be deemed as the “written indictment” as part of the indictment, and thus, the pertinent X-cell file cannot be deemed as having been lawfully prosecuted even to the portion indicated in the above X-cell file.

Next, the crime of violation of the Personal Information Protection Act and the crime of violation of the Information and Communications Network Act, in principle, constitute separate crimes for each subject of information or each user of information and communications services, respectively. Therefore, the part on which each subject of information and the details of personal information are stated in the indictment attached to the indictment of this case, shall be deemed to have been specified in the indictment. However, the remaining part of the indictment of this case, i.e., the time and completion period of the crime, the type and number of personal information acquired or provided, and the part on which the list of crimes is submitted only in CD, cannot be said to have been identified in the indictment since it is entirely impossible for the subject of information or

If so, the lower court demanded that the prosecutor specify the portion not specified in the facts charged in the instant case, and, if the prosecutor does not specify it, dismissed the prosecution. Nevertheless, the lower court did not take such measures and determined the substance of this part. In so doing, the lower court erred by misapprehending the legal doctrine on the method of prosecution and the specification of the facts charged, thereby adversely affecting the conclusion of the judgment.

5. Conclusion

Of the judgment of the court below, there are reasons for ex officio destruction on the part of which the facts charged are not specified, and there were errors such as misapprehending the legal principles on the Personal Information Protection Act or the Information and Communications Network

Therefore, the judgment of the court below is reversed, and the case is remanded to the court below for further proceedings consistent with this Opinion. Since it is evident that the judgment below has erroneous entries, it is corrected in accordance with Article 25 of the Regulations on Criminal Procedure. It is so decided as per Disposition by the assent of all participating

Justices Park Poe-dae (Presiding Justice)