A recent Korean Supreme Court decision has fundamentally reshaped litigation risk analysis under the Personal Information Protection Act (PIPA), particularly regarding statutory damages under Article 39-2(1) of PIPA. The following post is essential reading for CISOs and those entrusted with company data.

Contrary to widespread assumptions in the compliance community in Korea, the Korean Supreme Court confirmed that:

A personal information processor may avoid statutory damages by proving that the data subject suffered no compensable mental damage — even where a data breach occurred.

This ruling is especially critical for:

  • Companies in Korea handling large user databases
  • Foreign tech companies operating in Korea
  • Platform operators, SaaS companies, and e-commerce firms
  • Multinationals facing class-style privacy claims in Korea

Korean Data Breach Jurisprudence

Article 39-2 of the Korean Personal Information Protection Act (PIPA)

Article 39-2(1) PIPA introduced a statutory damages system to address a modern regulatory reality: in large-scale data processing environments, victims often cannot easily prove individualized harm.

Under PIPA, a data subject may claim statutory damages without proving the exact amount of damages if personal information is lost, leaked, stolen, altered, or damaged due to intent or negligence. A recent holding by the Korean Supreme Court indicates that the law does not impose strict liability.

Happy Campus Data Breach in Korea

  1. In September 2021, “Happy Campus” suffered a hacking incident that resulted in the leakage of personal information of approximately 400,000 users.
  2. The leaked data primarily included email addresses and encrypted passwords.
  3. A subscriber filed suit seeking KRW 300,000 in statutory damages, arguing mental distress arising from, inter alia, risk of spam; potential phishing; and anxiety over secondary misuse.
  4. Lower courts dismissed the claim, and the Korean Supreme Court affirmed.
  5. The Supreme Court of Korea noted, in short, that if the plaintiff is not able to prove psychological damage, the statutory damages claim should be dismissed.
    • Victims of a data breach do not need to prove a specific amount of damages under Article 39-2; they need only prove that a qualifying breach occurred.
    • However, if the plaintiff fails to prove that any damage occurred, the Korean court must dismiss the case. This enables a defense that no “mental” damages resulted from the breach.

Korean Court Found No Compensable Psychological Damage

The Court adopted a highly fact-sensitive, risk-based analysis – a trend consistent with Korean regulatory enforcement by the Personal Information Protection Commission (PIPC). The Korean Supreme Court opined that lower Korean courts should consider these factors:

  1. Nature of the Leaked Data
    The Court ruled that the only data revealed was email addresses and encrypted passwords, and not highly sensitive data.
  2. Identifiability of Subject of Data Leak
    The Court held that the evidence indicates the leaked data did not include the subject’s name or other identifiers; thus, there is no reasonable possibility of identifying the individual.
  3. Secondary Harm
    The Court held that no evidence existed of secondary harm, such as increased spam, phishing attempts, financial losses, or reputational harm.
  4. Risk of Use & Dissemination
    The Court ruled that the risk of misuse or dissemination is low, since the only leaked information was email addresses and encrypted passwords, not sensitive behavioral or usage data.

This decision signals a doctrinal evolution in Korean privacy jurisprudence.

Previously (in practice):

Breach = presumed mental harm = likely statutory damages

Now:

Breach + Demonstrable risk of harm = potential damages
Breach + Minimal risk + No actual impact = possible dismissal

The Supreme Court of Korea held, in short, that Article 39-2 does not impose a damages compensation obligation where no actual damage exists.

About IPG Legal

IPG Legal is a leading international law firm with an office in Korea advising multinational companies, tech platforms, foreign investors, and individuals on Korean data privacy, PIPA compliance, cross-border data governance, and regulatory investigations before the Personal Information Protection Commission (PIPC).

Sean Hayes, a former law professor, has advised global corporations, startups, and executives on high-risk Korean compliance matters, including data privacy governance, internal data sharing compliance, and breach response strategy.

For a recent article on PIPA related to the sharing of data between divisions of a Korean company, please see: Internal Data Sharing Between Departments in Companies in Korea: PIPA Basics
