A person who used illegally obtained personal data of others to operate a gambling website must also bear legal responsibility for the leakage and misuse of such information, the Supreme Court ruled.
The court determined that exempting someone from being classified as a personal data controller simply because the data was illegally obtained would create a gap in victim protection.
According to legal sources Wednesday, the first division of the Supreme Court, with Justice Seo Kyung-hwan as the presiding judge, upheld the lower court's decision sentencing defendant A to one year in prison on charges of opening a gambling space and violating the Personal Information Protection Act.
A illegally acquired 796 records of personal data while setting up an illegal gambling website with B. To check whether the gambling site's deposit, withdrawal, and game functions worked properly, A registered these individuals as members of the site without their consent and tested the deposit, withdrawal, and betting functions. A was subsequently indicted for violating the Personal Information Protection Act.
The first and second trials sentenced A to one year in prison, finding that the crime had already been completed since the gambling site's functions actually operated. Regarding the Personal Information Protection Act violation, the first trial ruled it as "use without legitimate authority," while the second trial considered A a personal data controller and found him guilty only of "use exceeding the scope of consent."
The Supreme Court maintained the lower court's one-year prison sentence. "If we conclude that someone is not a personal data controller simply because they illegally obtained the data, this would result in exempting those most likely to infringe on personal information in the most dangerous manner from strict management duties, obligations to respond to requests for access and deletion, and liability for damages," the court said. "This runs directly counter to the law's purpose of protecting personal information and creates a serious gap in victim protection."
However, the court reinterpreted the legal reasoning. It also recognized the establishment of the "use without legitimate authority" charge under the Personal Information Protection Act. The court found that the provision concerning personal data controllers and the provision on "use of personal information without legitimate authority" are not in a special relationship but constitute independent elements of the offense. Nevertheless, the court determined that the lower court's ruling did not affect the outcome, as there was no difference in the range of punishment or the actual sentence imposed.
