Published quarterly by the University of Borås, Sweden

vol. 22 no. 4, December, 2017



Mismanagement of personally identifiable information and the reaction of interested parties to safeguarding privacy in South Korea


Dong Hyun Song and Chang Yong Son


Introduction. This article examines data management practices in the private sector, identifying failures in the management of personally identifiable information. While analysing the changing big data policies in Korea, the work also critically scrutinises customer data management practices.
Method. The policy surrounding privacy was examined. Five incidents relating to the management of personally identifiable information were selected for analysis. Interviews with policymakers, corporate members and civil rights activists were also conducted.
Analysis. Government policies on customer data and privacy management are being loosened to boost big data uses in society. However, some ways of dealing with issues in the management of personally identifiable information, which have been noted in the commercial sectors, have raised serious concerns. These are categorised as three main issues: (1) illegal trade in customer data; (2) employee supervision failure; and (3) data management failure.
Results. Moral hazard is prevalent in the corporate sector regarding the management and trade of personally identifiable information. The current policy on personal information protection regulates personal information effectively on paper, but management practice is poor and corporations are not following the data protection protocols.
Conclusion. The Korean government has relaxed laws on the use of such information and allowed the expansion of big data services. This paper shows that those involved believe that customer data management is inadequate and, therefore, new measures to safeguard their use of personally identifiable information are needed.

Introduction

This paper examines the protection and management practices relating to personally identifiable information in South Korea. According to the United States government’s latest definition, personally identifiable information refers to ‘information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked’ (US. Executive Office of the President, 2017, p.8). The researchers empirically investigate recent successive incidents of privacy breaches of personally identifiable information, resulting from information management failure in corporations. These incidents occurred while the Korean government was relaxing its laws on the use of personally identifiable information (for simplicity, hereafter referred to as 'personal data') to support the use of big data by corporations. Civil society groups have expressed concerns about such policy changes, in particular because customer data security has not been guaranteed in Korean society. One civil rights activist argues that the changing regulation of personally identifiable information will further erode its safety, unless corporations' protection systems for this information are guaranteed (Respondent 5, 13 September 2016). This research is situated within this landscape and it aims to suggest a solution for the information management issues at stake.

It is important to contextualise what illegal customer data trade and data leak refer to in this paper, because these are the main issues underpinning the work. When checking the legitimacy of corporations' information management practices regarding personally identifiable information, data leak refers to a process resulting from customer data mismanagement, such as employees gaining illegitimate access to the corporation's main server and stealing customer data for trade. In this context, data leak does not include hacking incidents by external attackers. Such incidents have become a mundane business issue (Galbraith, 2013; Trautman, Triche and Wetherbe, 2013), because the recognition that 'a state of zero risk remains unachievable' has become the cyber security norm (Spiekermann, Acquisti, Böhme and Hui, 2015, p. 162). Based on the Korean Personal Information Protection Act (Korea Data Protection Authorities, 2016), illegal customer data trade refers to a corporation's trading of customer data with third parties without notification to, and approval of, the customers (the providers of the information).

Situating big data issues within a Korean context

Big data refers to 'large amounts of data produced very quickly by a high number of diverse sources' (European Commission, 2017, para. 2). 'Big data' is no longer just an innovative technology (Heudecker, 2015, para. 2), because it stimulates the development of new technologies and facilitates their adoption in society. As Carbonell (2016) points out, big data has become 'a tool for revealing hidden patterns' and the core of a new 'predictive model' (p. 2) in both the public and commercial sectors. Corporations are increasingly paying attention to data collection, data aggregation and data analysis techniques, because data-driven decision-making generates new opportunities for sustainable business expansion. Policymakers across nations are becoming aware of the critical role of big data and personal data in contemporary society (US. Executive Office of the President, 2014). Alongside this, the World Economic Forum has urged stakeholders to build a more secure personal data ecosystem through legal and technical structures that govern the interactions of participants (World Economic Forum, 2016, para. 9).

Policymakers and government agencies have held concerns regarding the spread of big data technology across industries without appropriate legal guidelines, and about possible data manipulation by these sectors. A communication by the European Commission entitled 'Towards a thriving data-driven economy' argued that European Union states would exercise their power by developing a state-centric framework to control non-state actors' use of personal data, the repurposing of data, and data minimisation (European Commission. Policy and Legislation, 2014). The United States also published a white paper, 'Big data: seizing opportunities, preserving values' (US. Executive Office of the President, 2014), along the same lines as the EU, in that it proclaimed a willingness to enforce a security law to control data uses and to preserve privacy.

In recent years the Korean government has implemented successively more liberal policies on the use of personal data for commercial interest. Having realised the opportunities that big data presents, the government officially announced the utilisation of such data in January 2016. This announcement was intended to support the use of data by local enterprises as part of an economic reinvigoration strategy (Min, 2016, para. 10). The most significant change was the shift from an opt-in system to an opt-out system. The Korean system was previously based on opt-in, meaning that data could not be used without the explicit consent of the customer or data generator, regardless of its level of anonymisation. As Johnson, Bellman and Lohse (2002) summarised, this meant that affirmative consent from the customer was compulsory before customer data could be used (p. 5). Corporations based in Korea could not use any form of personal data from their customers (for example, sending a customer a marketing e-mail) without the customers' official permission. In contrast, under the opt-out system, enterprises do not need consent from customers to use customer data as long as there has been no explicit and official rejection from the data subject. Thus, corporations are able to send a customer a marketing e-mail without the customer's prior approval. Customers must instruct the corporations not to use their personal data; otherwise the corporations may use the customer data once it has been anonymised.

The Korean government argued that deregulatory policy changes such as the opt-out system would enhance the data use options available to corporations and trigger new economic sectors. This policy relaxation is also expected to resolve corporations' complaints that 'corporations in Korea could have done better if the government had deregulated the law' (Respondent 1, 15 July 2016). However, there have since been numerous incidents of customer data mismanagement in Korea, and these cases have not been fully resolved in terms of clarifying where responsibility lies and preventing recurrence. The rationale for relaxing customer data regulation is not plausible when the currently unresolved customer data mismanagement issues are taken into consideration.

Research aim

Concerns about the mismanagement of personal data raise the issue of de-identification and anonymisation of such information. For example, the United States Federal Trade Commission (2012, p.18) warns against the collection of personally identifiable information as a means to discriminate against customers, such as the denial of insurance. However, research on employees’ misconduct in data management has not been conducted and contemporary literature on illegal trade in customer data remains limited. This is not because the latter is under-researched, but rather because these types of cases have not been very common until now.

According to Ishii and Komukai's comparative research on data breach cases in Japan, the US and the UK, there have been very few cases of data compromise related to the illegal trade of personal data (Ishii and Komukai, 2016, pp. 92-99). One example is T-Mobile's customer records being sold to data brokers by a member of the sales staff. Likewise, to the best of our knowledge, no detailed empirical research involving incidents of customer data leaking and illegal trade in data has been conducted in Korea. This paper aims to fill that research gap. We examine the practices Korean companies use to manage customer personal data. We also shed light on the way the Korean government, corporations and civil society groups respond to this data management (and mismanagement), and analyse the big data policies that are taking Korea towards deregulation. The specific aim of this paper is twofold. First, this research examines customer data security management incidents that have occurred in Korea since 2013. Secondly, the paper traces the discourses of state actors, non-state actors and civil society groups on the legitimacy of trading personal data. This research resonates with Korean worries about the misuse of such data.

Literature review

Personally identifiable information and privacy management

This paper sits within the theoretical debates on personal data and privacy protection practices. Data mismanagement incidents caused by corporations' trade in data are rare in the contemporary big data era. As reported in the media (Kuranda, 2015; Ramanan, 2015), recent privacy leaks are mostly related to cyber attacks and to managerial mistakes in not following data protection protocols. The Korean cases chosen for this research are, however, closer to the historical literature on privacy intrusion and data control.

Customer data collection by the private sector is carried out under a 'second exchange', that is, customers trade their personal information with companies not for money but for non-monetary benefits such as better quality services or possible gifts (Milne and Gordon, as cited in Culnan and Bies, 2003, p. 326). Earlier research (Caudill and Murphy, 2000; Goodwin, 1991) indicated that consumers did not worry about the collection of their personal information if they received a better shopping experience in exchange. This also indicates customers' lack of understanding of the value of personal information in a data society.

The discourse on consumers' right to choose the types of personal information that companies can use started in the 1990s in Western society (Phelps, Nowak and Ferrell, 2000). Subsequent studies have examined customers' perceptions of the personal data collected about them by organisations. The Harris-Westin surveys between 2000 and 2002 indicated growing concern: the share of customers lacking confidence in corporations' handling of the confidentiality of personal data rose from 34% in 2000 to 56% in 2002, and the share concerned about the policy gap rose from 38% to 62% (cited in Westin, 2003, pp. 445-446). These results are consistent with White, Novak and Hoffman's (2014) study of customers' efforts to weigh the benefits of handing over personal data against the possible consequences.

Research in big data settings was carried out by Wang and Yu (2015). According to their study in China, the loss of customers’ trust in data collectors and carriers in online business has been identified and will lead to the deterioration of both data quality and quantity. They suggest introducing more powerful regulation to intensify punishment as well as guaranteeing that online users have the right to know how their data is being used in a more transparent manner. The outcomes of this research also contribute to our understanding of how ordinary Korean people can be anxious about the security of their personal information.

According to the Korea Internet and Security Agency's (2015) Survey on Information Security, the public worried that the growth of big data could lead to the 'unnecessary and excessive collection of personal information (33.3%)', followed by 'unauthorized use of collected personal information (27.6%)' (p. 19). As other researchers have also found (Flavián and Guinalíu, 2006; Leppäniemi, Karjaluoto and Saarijärvi, 2017), such results indicate that customers' trust in a particular Website relates to their loyalty towards it. Customers pay little attention to the disclosures that organisations are obliged to make. The heightening of ordinary Korean people's anxieties results from Korean organisations' trade in data and inability to protect their customers.

Views regarding big data management

With the advent of the big data era, two approaches can be identified. The first approach is advocacy of big data, whereby people insist on the introduction of big data in certain sectors and believe it can bring benefits to society. They stress the positive side of big data, which is examined below. In recent debates over big data, the most common evidence presented is the economic benefit from its use. In 2016, the Centre for Economics and Business Research in the UK estimated that big data could create 157,000 new jobs by 2017 and contribute £322 billion to the UK economy (2.7% of GDP) over that period (2016, p. 7). Big data has huge potential value to the UK, as a driver of productivity and as a way of offering better products and services to citizens. Even for citizens who generally disagree with the exploitation of their personal data, big data can be a useful tool and can support their social campaigns and movements, if it is well designed and managed.

The second approach is against big data, emphasising privacy concerns. In this approach, critics, led mainly by non-government organisations, increasingly resist the use of big data because they believe that it could threaten civil rights through organisations’ privacy intrusion and government surveillance. In fact, there are pros and cons relating to big data in certain industries or sectors. Declaring the emergence of the 'Fourth Industrial Revolution', Schwab lists the positive and negative impacts of the development of big data as follows:

In short, big data provides both opportunities and challenges to society. One of the remaining questions is how to boost big data services while personal data is being utilised to make a profit.

Big data policies in Korea

The Korea Information and Communication Technology strategy outlined nine major strategic industries established by the Ministry of Science, ICT and Future Planning (MSIP) in 2016. The strategy aimed to expand the big data market, focusing on economic goals rather than regulations. The goals of the big data policy established by the Ministry were that ‘the government will establish six Big Data demonstration towns by 2017 and raise the level of Big Data, which is only at 57.2% in comparison to the advanced countries' to 80% by 2019 (2016, p. 13). The policy was mainly about bolstering the big data industry, and neglected the rising concerns about big data. We argue that this attitude could create policy failure and growing concerns among Koreans over the growth of big data and privacy of their information.

Current state of Korean personal information protection

The Korean Personal Information Protection Act defines personal information as ‘information that pertains to a living person by which the individual in question can be identified including information which, if not by itself, makes it possible to identify any specific individual if combined with other information’ (Korea. Ministry of Interior, 2015, para. 1).

Unnecessary collection, unauthorised use or disclosure, and abuse of personal information can be a violation of the Act, raising privacy concerns for citizens. With the increasing use of personal information for business purposes in the 2010s, the Ministry of the Interior wrote the Personal Information Protection Act in an attempt to deal with customer data management and safeguard private information. Additionally, the Ministry had established the Personal Information Protection Commission in 2012 to protect the privacy rights of individuals and supervise the information collected about society broadly. As an independent body, the Personal Information Protection Commission’s mission is to ‘monitor data protection law violations and take on a mediating role to redress the damage caused by such violations’ under the Personal Information Protection Act (Personal Information Protection Commission, 2011, para. 1). There are also regulatory bodies that govern issues on personally identifiable information in each sector. For example, the Financial Services Commission is the supervising body for the financial sector; the Ministry of the Interior is the regulatory body for the national administration and local government organisations; and the Ministry of Health and Welfare regulates the health and welfare sector.

The Financial Services Commission announced in March 2016 that it would revise the big data policy by exempting anonymised data from the personal credit information category, so that organisations could make use of it without worrying about a breach of the law. Following the Financial Services Commission's policy change, the major government bodies (the Ministry of the Interior, the Korea Communications Commission, the Ministry of Science, ICT and Future Planning, and the Ministry of Health and Welfare) jointly announced their Guidelines for De-identification of Personal Data in June 2016 (Korea, Office for Government Policy Coordination et al., 2016). The Guidelines give corporations official permission to use de-identified personally identifiable information as part of big data (p. 8), and permit corporations to share customer data legally once it has been anonymised (p. 17). Note that the Act's own definition, quoted above, treats information as personal whenever it can identify an individual in combination with other information, so the protection offered by de-identification depends on whether such re-identification by combination remains possible.

While big data and the use of personal data have expanded, the regulation of the related data protection was said to be outdated. Beyond the general Guidelines, no detailed rules have yet been specified for how anonymised data is to be used and managed, nor for how different data types are to be handled. A Korean Progressive Network Centre activist argues that the current guidelines are not clear enough on how anonymised data should be managed and used by a corporation. The activist particularly argues that 'customers should have a right to know how their data is being used even if it becomes anonymised', but the current guideline does not cover this (Respondent 5, 13 September 2016).

The current data utilisation approach is supported by the Korean government under the big data utilisation plan to scale up the economy. This policy relaxation over the use of customer data is a major change, and it rests on the condition that corporations will use their customer data in a secure manner by anonymising personally identifiable information. However, the representative cases examined in this paper show that the government's trust in the corporations to date is misplaced: major Korean companies have been sued by civil groups over allegations of illegal trading of customer data, including personally identifiable information. It is worrying that the social damage resulting from such behaviour will become more serious as the big data policy relaxes regulations on corporations' use of personal information. This paper warns of an imbalance between the myth of big data uses and the problems in reality by critically evaluating the misuse of personal data by major Korean corporations.

Method

This paper approaches customer data management in the context of personal information protection. It focuses on how the protection of personal data in Korea is dealt with by policymakers (regulators), data generators (customers) and data collectors (corporations). This methodological framework corresponds with Westin's (2003) assertion that 'the political, the socio-cultural, and the personal' are the three aspects that serve the understanding of privacy issues in society at a given time (p. 3). Culnan and Bies's (2003) research into consumer privacy issues from the corporate, the activist and the centrist perspectives also fits with this paper's approach to current privacy issues.

We selected three approaches to the research topic: policy analysis, interviews and discourse analysis of media coverage, to map the current customer data security management issues in Korea. The policy analysis was conducted first, to analyse how the policies on personal information protection are changing. Table 1 lists revisions of personal information protection policy made by different authorities between 2011 and 2014 (Data Protection Authorities, 2014).


Table 1: Major personal information protection policies in South Korea

Policy and regulation: Personal Information Protection Act
  Ministry concerned: Ministry of Interior
  Date: March 2011
  Main contents: Management and protection of personal information. Implemented to prohibit trade in personal information without the consent of the person (opt-in).

Policy and regulation: Guideline on Big Data Personal Information Protection
  Ministry concerned: Korea Communications Commission
  Date: December 2014
  Main contents: Sets up a guideline for anonymisation and de-identification of personally identifiable information. Allows data trade once personally identifiable information is anonymised (opt-out).

The regulatory authorities' actions have drawn attention as they attempt to cope with social change driven by the expansion of data and the increasing use of personal data. Freedman's (2010, p. 358) policy silence approach, a method of deconstructing 'policy frames, guiding assumptions, foundational principles and ideological presumptions', was used for the policy analysis stage. Policy silence considers values, principles and issues that are intentionally or unintentionally omitted from the political decision-making process. The policy analysis focused on finding the main ideological reasoning for the newly established Guideline on Big Data Personal Information Protection (Korea Internet and Security Agency, 2014), which runs counter to the personal information protection scheme in its historical Korean context. This enabled us to identify how the Guideline exhibits tension between economic growth and personal information protection. The main research aim was defined as critically evaluating whether the Korean government considered both the reality of corporations' customer data management practices and the voices of civil society groups during the policy changes on data management and trade.

Secondly, keyword searching was used to identify the main discourses and context of personal information protection problems presented in the Korean media. Keyword searching is a method by which 'a set of keywords [are] applied to search engines from which the top hits within a threshold were fetched' (Horng-Jyh, Kwang, and Soon, 2016, p. 104). The researchers also adapted Chong and Druckman's (2009) keyword research method by following their procedure: 'selection of an issue', 'identification of initial set of frames', and 'selection of media source', as a means of analysing and identifying frames in the media (p. 240). The most popular and accessible online news database portal, Naver, was used to collect news articles. The keywords personal identifiable information management, customer information leaking, and personal identifiable information trade were selected.

The search query produced around 15,000 articles. An additional filter was applied using the keywords legal suit and accusation, and we examined 200 articles to identify the context of the customer data trade. The major issues identified were illegal customer data trade, corporations' denial of illegality, loopholes in customer data protection policies, and debate about the changing policy on data uses. As the secondary research found, there are numerous incidents of personally identifiable information (mis)management, clearly identified in Park and Jan's (2016) study of personal information leaking cases. The government's personal information protection portal, which is designed to inform the public about personal information protection issues, also offers a useful resource on such cases and incidents. Based on those articles, the researchers were able to identify legal suits over the trading of customer data by major retail stores as the most controversial topics and issues in Korean society since 2012. Regarding these legal suits, the main discourse depicted in the media tends to focus on illustrating the mismanagement of customers' personal data and the damage to the customers.

Another finding from the news articles was that the illegal trading of customer data has become an issue. There were no precedent cases directly relevant that could be used to evaluate the incidents, and both customers and corporations put forward their own arguments. There have been many cases in which corporations have denied their responsibilities and charges for incidents, which has triggered resentment among civil society groups. This secondary research into news articles was used to understand the main discourse on personal data that pervade Korean society, and to illuminate the interview discussions that followed.

After the key contexts were identified, interviews were conducted with the experts on customer data management and personal information protection. The interviewees’ professions included government officers, and professionals from civil society groups and enterprises. The researchers’ professional backgrounds (a government officer involved with information and communications technology policy-making and a former researcher at a government affiliate in the cyber-security sector), meant that they knew who to contact in the sectors of the government, civil society groups and corporations. All the interviewees’ jobs were directly related to personal data management and protection. The researchers conducted ten semi-structured interviews: five with interviewees from the state sector, two from civil society groups, and three from the business sector. No-one from the corporations involved in the cases examined in this paper was interviewed.

The researchers used semi-structured interviews to give the interviewees more room to express their thoughts on the issues raised. Brennen (2013, p. 28) asserts that semi-structured interviews are appropriate as they give the interviewees ‘great flexibility’ in relation to the topic of the research. In line with the preference of interviewees, only written notes were taken during interviews with those from the government sectors and also some interviewees from the corporate sector. Audio recordings were made of the other interviews. Thematic analysis (Braun and Clarke, 2006) was used when coding the interviews to review the issues that the research identified. The researchers used incidents identified in the secondary research as the main resources for conversations with the interviewees. The validity of interviewees’ statements was cross-checked with other interviewees, as well as with secondary resources.

The final selection of the five cases was made after the interviews, and the cases explicitly demonstrate why the management of personal data is a key issue in current policy changes.

Case analysis

This section will examine five cases related to personally identifiable information management in Korea and the associated social concerns over privacy and data protection by categorising the cases and analysing the problems.

Case one: The leaking of personal information by credit card companies

The largest information leakage incident in Korean history occurred in 2013, when major credit card companies including KB Card and Nonghyup Card leaked personal information. The incident came to light in January 2014 and shocked society when it was reported that around 104 million customer records had been leaked, affecting roughly half the Korean population (Ahn, S.Y. 2014, para. 1). The credit card companies' data leak resulted from negligence in following the data protection protocol, which allowed a staff member of a contractor developing a fraud detection system to access the personal information stored on the credit card companies' servers. The staff member copied the personal data from the servers to a memory stick and sold it (Sim, 2014, para. 7).

Case two: Home Plus retail store: personal information collection and illegal trade

Home Plus is the second largest retailer in Korea, with 113 branches throughout the country. From 2011 it traded customers' information with insurance companies for profit. The issue came to a head in February 2015, when a civic group alliance sued Home Plus over allegations that it attracted customers by offering a free gift in exchange for detailed personal information, which was then sold to third parties. It is estimated that Home Plus sold the personal information of around 24 million customers to insurance companies and gained around 23 billion South Korean won in profit (Ahn, E.G., 2015, para. 2).

The first court case ended in January 2016. The court ruled the defendant, Home Plus, not guilty, on the basis that its duty of disclosure had been met. That is, the court ruling implied that the customers were aware of the data trade when they handed over their personal information. Furthermore, the court stated that the Personal Information Protection Act did not require enterprises to notify customers of such a policy (An, 2016, para. 2). The case was taken to a higher court, which made the same ruling in the second court case in August 2016 on the same rationale, provoking public indignation and opposition from civil rights groups (Lee, H.Y., 2016, para. 2).

Case three: Data trade by TV home shopping channels

In August 2016, the Korea Communications Commission, the Korean communications regulatory body, announced the results of its investigation into illegal data trade by corporations. It found that Lotte Home Shopping, one of the big five home shopping TV channels in Korea, had illegally sold the personal information of 3.24 million customers to insurance companies between 2009 and 2014. Lotte Home Shopping earned 3.73 billion won from the sales, far more than the 180 million won fine imposed by the Korea Communications Commission (Whang, 2016, para. 4).

Case four: Retailers E-Mart and Lotte Mart: information management failure

In February 2015, the YMCA, a core civil organisation in Korea, sued major retail market leaders E-Mart and Lotte Mart (the first and the third largest local retail stores respectively) on suspicion of a breach of the Personal Information Act. It argued that between 2012 and 2013 the two retail chains had collected personal information by holding sweepstakes and selling participants’ information to insurance companies. Following investigation, prosecutors concluded that these incidents were the responsibility of the agents in charge of the sweepstakes procedure. It was revealed that the person who led the event at E-Mart illegally collected the information of 4.67 million customers and sold it to insurance companies for 7.2 billion won. A person related to Lotte Mart obtained 24 million customers’ personal information through the events and earned 23 billion won by selling it to the insurance companies (Kim, 2015, para. 12).

Case five: Customer data management failure by telecommunication service providers

In January 2016, the Korea Communications Commission imposed a total fine of 0.1 billion won on major operators including SK telecom (the largest mobile operator), LG U+ (the third largest mobile operator), the largest social network service Kakao Plus, and Coupang, an e-commerce company. The Commission found that these companies had not destroyed the personal information of their customers after one year, nor had they destroyed the personal information of users who had not had any online activities on their Websites for a long period (Oh, 2016, para. 4), as they were required to do.

Analysis and discussion

Through an empirical analysis of five cases, this research was able to categorise the problematic incidents around personally identifiable information management and privacy invasion into three categories: (1) illegal trade in customer data, (2) employee supervision failure, and (3) data management failure. Table 2 shows how each case was categorised.


Table 2: Categorisation of the five cases

Case                                                                                         Category
Case one:   The leaking of personal information by credit card companies                     (2) Employee supervision failure
Case two:   Home Plus retail store: personal information collection and illegal trade        (1) Illegal customer data trade
Case three: Data trade by TV home shopping channels                                          (1) Illegal customer data trade
Case four:  Retailers E-Mart and Lotte Mart: information management failure                  (1) Illegal customer data trade
                                                                                             (2) Employee supervision failure
Case five:  Customer data management failure by telecommunication service providers          (3) Data management failure

Case one (the leaking of personal information by major Korean credit card companies) is very important in Korean information and communication technology history, not only because it leaked half of the Korean population’s personal information, but also because this incident had a great impact on the radical revision of the Personal Information Act and related laws. The Korean Financial Industry Union argued that:

The Financial Services Commission, the super regulatory body, has ignored the management of personal information in the financial sector, despite rising accidents over the years (Kim, 2014, para. 2).

Following the scandal, one significant policy change was the adoption of punitive damages, which refers to ‘a way of punishment in civil lawsuits to set a public example to others for malicious, evil or particularly fraudulent acts’ (Tangl, 2014, p. 13). By adopting this, the burden of proof is transferred from the individual to the corporations who manage personally identifiable information. As a result, a new clause 32 was added to the Personal Information Protection Act in March 2016. According to this clause, punitive damages apply to the mismanagement by corporations of personally identifiable information, such as data loss, leaking, forgery and alteration. The revised Act secures a maximum of three million won in monetary compensation for any victim of personal information protection failure (The National Law Information Centre, 2016, p. 7-8).

One policymaker has stated that, following this incident, the safety of personally identifiable information management has emerged as a key policy priority in the big data era, regardless of the sector (Respondent 4, 14 August 2016). Respondent 4 noted that the latest measures showed the government’s aim was to protect privacy in the commercial sector. In summary, this case and the resulting government measures show that proper management of personally identifiable information cannot be achieved through regulation alone, but requires practical systems that watch over corporations’ customer data management, together with corporations’ own recognition of the significance of privacy in the big data era.

Similarly, case four (the information management failure by Korean retailers E-Mart and Lotte Mart) explicitly exposed the loopholes in the management of personal data protection by employees of the retailers. The retailers argued that they were not involved in the events, but only rented a shop section to insurance companies and advertising agencies (JTBC News, 2015, para. 10). However, regardless of their level of involvement, these retailers will be unable to free themselves from criticism that they failed to monitor the events and manage their customers’ data. One policymaker said that:

These cases imply a widening gap between social practices and social institutions. Certainly, the incidents attract enough government attention for them to reconsider the policy gap to protect privacy in the nation (Respondent 3, 5 Aug 2016).

We note that case four not only represents employee supervision failure (category two), but also that of illegal customer data trade (category one). The YMCA argued that both retailers failed to fully inform the sweepstake participants of the ways in which the personally identifiable information they collected would be used for insurance sales (Lee, 2015, para. 7). The Personal Information Protection Act identifies the acknowledgement of the use of customer data as one of the indexes by which to measure the legitimacy of the customer data trade under article twenty-six: ‘Restrictions on Management of Personal Information Following Entrustment of Affairs’ (Korea Ministry of the Interior Act, 2015, para. 26). The problem identified in this case is related to a lack of appropriate acknowledgement to the customer regarding the use of collected data, and this continues to be a matter of considerable interest in Korean society.

Case two (the collection of personal information by retail store Home Plus) and case three (data trade by TV home shopping channels) are the most controversial because of the extent of their data trading. One interviewee from a civil society stated that:

a retail store normally is one of the biggest data collectors and carriers in terms of collecting and analysing PII [personally identifiable information] to maximise profit and customise services. The proper management of the personalized information in the corporation cannot be overemphasised in the big data era. However, the illegal data trade is rampant in the Korean service industry where personal information can be easily collected and sold. This will be worse once the policy on customer data uses is relaxed. (Respondent 5, 13 September, 2016).

In these cases, two issues have been identified: 1) the high level of personal information being revealed, and 2) the corporations’ obligation to notify customers about the ways in which the personal information they collect will be used. While it is common to request applicants’ names, addresses and phone numbers on a free gift application form, Home Plus also required more detailed personal information such as age, birthday, and number of children. Furthermore, in terms of notifying customers of the intended use of the information collected, Home Plus stated their duty of disclosure in very small print (1mm) at the bottom of the form, and this was arguably unnoticeable by customers. Civil society groups argued that Home Plus misused the customers’ personal information. Cha Hae-Sun, Director General of Korea National Council of Consumer Organizations, argued that the decision of the court means that ‘the corporation (Home Plus) was at fault, but consumers were blamed’ (Cha, as cited in Geum, 2016, para. 17).

If the court held that Home Plus’s sale of customer information was legally committed information (that is, that Home Plus had met its duty of disclosure regarding personal data collection and uses), the legal ground is in conflict with the perceptions of civil society groups and citizens. That is, these civil society groups argue that Home Plus intentionally minimised the text size in its customer information, so that customers would not be adequately informed about Home Plus’s use of customer data. However, there is no guideline or law that determines a minimum text size, so the question of visibility cannot be legally challenged. Consequently, we argue that the Home Plus case unveiled a policy gap in personal information protection in Korea: a detailed guideline relating to the visibility of the duty of disclosure regarding personal data collection and uses has not been implemented in Korean society. Secondly, the court ruling explicitly revealed that the public cannot trace their personal information unless an enterprise voluntarily notifies customers about the way that enterprise uses the personal data collected, or unless the customer data are leaked. There are no legal protections in Korea when customer data are misused for the purpose of marketing.

While the Home Plus incident raised the question of how effective the legal system is for deciding such matters, case three brought about the adoption of a strong compensation system for damages. Lotte Home Shopping illegally gained 3.73 billion won in exchange for personal information, but were fined only 180 million won. This case explicitly revealed the limitation of the punishment compared to the crime, and consequently raised politicians’ awareness of the issue of the need for punitive damages to punish the non-state actors’ illegal trade in data.

In response to the Lotte Home Shopping incident, an opposition party, the People’s Party, made an official statement arguing that the current punishment for the illegal trading of data was too weak, reducing the incentive for effective data management. For this reason, it argued that ‘an adoption of a punitive damage system is imperative in order to prevent personal information leaking’ (Jung, 2016, para. 8).

Case five showed another type of management failure: data management failure. It is important to note that the Act on the Promotion of Utilization of Information and Communications Network was revised in 2015, changing the period for keeping personally identifiable information from three years to one year in order to protect this information from possible threat (The National Law Information Centre, 2016). However, it turns out that major information and communication technology service providers were not aware of the significance of this revision. As indicated, the main Korean telecommunications companies were fined because they did not comply with the revised Personal Information Act. Case five demonstrates the non-state actors’ negligence in not updating their data protection protocols to comply with the revised Act. That telecommunication companies and Web service companies held personally identifiable information for longer than they should shows how ignorance of the risks has permeated Korea. One policymaker stated that:

The media corporation is one of beneficiaries by exploiting the personal information which would continue exploring new business opportunities. However, the activities should be under a legal umbrella to justify business activities relating to the online privacy polices (Respondent 2, 20 July, 2016).
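The failure described in case five is operational: a retention window that was not updated after the 2015 revision, and no job that destroyed the records of long-inactive users. The following Python script is an added illustration (not code from the paper or from any of the companies it discusses) of the kind of scheduled retention check that would have exposed that gap. It takes the one-year statutory period from the paper (modelled here as 365 days); the user records, the audit date and the pre-revision three-year value of 1095 days are constructed for the example, and the function and field names are this example's own.

```python
"""Retention enforcement check for inactive customer records.

Added illustration for case five: personal information of users with no
activity for the statutory period must be destroyed. STATUTORY_RETENTION_DAYS
follows the one-year period the paper cites (assumption: 365 days); the
records, dates and the legacy three-year value are constructed here.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# One-year retention period after the 2015 revision (assumption: 365 days).
STATUTORY_RETENTION_DAYS = 365
# Pre-revision three-year period, kept only to show what a stale config misses.
LEGACY_RETENTION_DAYS = 3 * 365


@dataclass(frozen=True)
class UserRecord:
    user_id: str
    last_activity: date
    destroyed: bool = False  # True once the record has already been purged


def records_due_for_destruction(records, today, retention_days=STATUTORY_RETENTION_DAYS):
    """Return ids of live records whose last activity is older than the window."""
    cutoff = today - timedelta(days=retention_days)
    return [r.user_id for r in records if not r.destroyed and r.last_activity < cutoff]


def retention_config_is_compliant(configured_days, statutory_days=STATUTORY_RETENTION_DAYS):
    """Keeping data longer than the statute allows is the failure in case five."""
    return configured_days <= statutory_days


def overlooked_by_stale_config(records, today, configured_days):
    """Ids the statutory rule requires purging but a longer configured window keeps.

    A service still running the legacy three-year window never flags these
    records, so the violation is silent until a regulator looks.
    """
    required = set(records_due_for_destruction(records, today))
    configured = set(records_due_for_destruction(records, today, configured_days))
    return sorted(required - configured)


def retention_audit(records, today, configured_days):
    """Summarise findings as a dict a compliance reviewer could act on."""
    return {
        "config_compliant": retention_config_is_compliant(configured_days),
        "due_for_destruction": records_due_for_destruction(records, today),
        "overlooked": overlooked_by_stale_config(records, today, configured_days),
    }


# Constructed sample data (not from the paper).
SAMPLE_RECORDS = [
    UserRecord("user-a", date(2014, 6, 1)),                  # inactive > 1 year, < 3 years
    UserRecord("user-b", date(2015, 12, 1)),                 # recently active
    UserRecord("user-c", date(2014, 1, 1), destroyed=True),  # already purged
    UserRecord("user-d", date(2012, 1, 1)),                  # inactive > 3 years
]
AUDIT_DATE = date(2016, 1, 15)  # constructed; the case-five fines were imposed in January 2016

if __name__ == "__main__":
    # Run the audit against a config that still carries the legacy window.
    print(retention_audit(SAMPLE_RECORDS, AUDIT_DATE, LEGACY_RETENTION_DAYS))
```

Run against the stale three-year configuration, the audit reports the configuration as non-compliant and lists "user-a" as a record the statute requires destroyed but the configured job would keep; only "user-d" would ever be purged. The same check with the configured window set to 365 days reports no overlooked records, which is the state a provider should have reached after the revision.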

When the Korean government decided to relax the Personal Information Act to enhance big data utilisation by non-state actors, it was mutually assumed that the personal information was being kept safely. However, the series of incidents revealed recently has contradicted this assumption, and demonstrated that some Korean non-state actors dealing with big data do not manage big data ethically. Questions remain whether the state, non-state actors and civil society groups have been through an appropriate process of discussing management of personally identifiable information. Margulis (2003) argues that privacy is a social-political issue; the cases presented in this research represent socio-political and cultural concerns relating to personal information and privacy protection.

Langenderfer and Miyazaki argue that the debate surrounding privacy has shifted from who invades privacy to who controls privacy. Almost all research papers on privacy between 2003 and 2009 ‘deal with the threat to privacy posed by private data collection’ (Langenderfer and Miyazaki, 2009, p. 383). The Korean cases in this paper represent both issues: invasion by insiders, and inappropriate data aggregation and trade without the data generators’ awareness.

In terms of finding ways of enhancing data collection and utilisation practices, Small (2013) emphasises the creation of ‘a culture of security’, which involves ‘changing the perception of security’, ‘creating information stewardship champions’, ‘education, teaching and mentoring’ and ‘rewards and sanctions’ as a way to prevent data breaches (p.7). The Korean non-state actors’ trading of personal information could be seen as evidence of poor personal information protection systems at a company level, loose supervision policies at a governmental level and an immature perception of personal data that permeates Korean society. One interviewee from the corporate sector stated that:

The problem about the data leaking incidents relating to Home Plus, Lotte Home Shopping and other retail companies in Korea are not related to an issue of data protection. Rather, it is a managerial issue. If the Home Plus data trade incident had happened in U.S. or other European countries, Home Plus would have gone broke due to punitive damage. (Respondent 6, 20 September, 2016).

This means that the current policy on personal information protection is effectively regulating personal information, but personally identifiable information management practice is poor and corporations are not following the data protection protocols. The state’s influence on the non-state actors’ personal data management was studied by Milne (2000) who showed that ‘government regulation, industry guidelines, company policy and ethics, competitor actions, and technology’ (p. 3) are factors for determining corporations’ personal information collection practices. The researchers agree with Milne’s stance, and urge policymakers to improve the supervision mechanism around data management to ensure that corporations follow the protocol of customer data management and secure personally identifiable information in practice.

Conclusion

This paper sheds light on issues surrounding the management of personally identifiable information by Korean enterprises by examining five recent significant incidents in Korea. No other research has been conducted that documents the understanding of the state, enterprises and civil society groups on personally identifiable information protection. This paper also critically evaluates the perceptual gaps between the government, the enterprises and the public in Korea on the issues surrounding personally identifiable information protection practices, by investigating representative cases and the surrounding discourses.

Based on an analysis of media coverage and interviews, our findings show that the personal information protection incidents between 2013 and 2016 come under the umbrella of personally identifiable information management. One of the main contributions of this work has been to categorise the personal information protection incidents in Korea into three types as follows: (1) illegal trade in customer data, (2) employee supervision failure, and (3) data management failure. The incidents that fall into these categories explicitly reflect the corporations’ immature perceptions of personally identifiable information protection practices; these perceptions have permeated Korean society.

The cases in this paper present the moral hazard prevalent in the corporate sector regarding personal data management and trade. The enterprises’ request to relax the Personal Information Act so that they can use personal data in response to the big data era has been shown to be self-interested (allowing them to use customer information), and they have not carried out their duty to keep their customer data safe. Despite a series of customer data management failures over the last five years, large corporations in South Korea (or the retail sector at least) have shown negligence in their creation and use of a security management system and supervision protocol for personal data. When they wanted the state to relax the rules on the use of customer data, the effective management of such data was not considered.

In view of this, legal measures such as punitive damages are needed to support government policies on customer data protection. Furthermore, more cohesive and transparent personal data management is imperative to control both the employees and the systems at an enterprise level.

Acknowledgements

This is the outcome of a research project ‘Cyber Governmentality in the Era of Big Data within Asian Context’ funded by Asia Research Institute (ARI) at the National University of Singapore. The authors express their gratitude to Prof. Chua Beng Huat, Prof. Jonathan Rigg and the ARI team. The authors gratefully acknowledge the help of Dr. Yoo Hun-chal, Jung Jan-hun, Park Jung-Kwan and Dr. Yoo Jaepil. We also would like to thank Yeo-Kyung Chang and Byung-il Oh at Jinbo.net. Finally, we really appreciate Amanda Cossham for her great support over the past year, two reviewers for their thoughtful suggestions, and Madeleine Pearson for copyediting.

About the authors

DongHyun Song has been working as a Postdoctoral Fellow at the Asian Research Institute, the National University of Singapore since January 2016. He previously worked at the Korea Internet Security Agency (KISA) between January 2014 and January 2016. He is currently examining social media culture in Asia in relation to the privacy and security concerns of the state’s ideology. His e-mail address is cop01ds@gmail.com.
Chang Yong Son is Deputy Director of the Ministry of Science, ICT and Future Planning, South Korea. He received his PhD from City University of London, UK and is a member of the American Institute of Certified Public Accountants. He has worked in several media regulatory institutions and his research focuses on communication policy, digital media culture and cyber security. He can be contacted at uscpsonson@gmail.com.

How to cite this paper

Song, D.H. & Son, C.Y. (2017). Mismanagement of personally identifiable information and the reaction of interested parties to safeguarding privacy in South Korea. Information Research, 22(4), paper 770. Retrieved from http://InformationR.net/ir/22-4/paper770.html (Archived by WebCite® at http://www.webcitation.org/6vNxtks82)