The Supreme Court of Korea ruled that a person who obtains personal information through fraudulent or deceptive means and uses it for business purposes is also a “personal information processor” under Korea’s Data Protection Law. In April of 2026, the First Criminal Division of the Supreme Court upheld the lower court’s ruling sentencing a defendant to one year in prison for violating the Korean Personal Information Protection Act ( 2026do477 ) (“PIPA”).
For an article on Statutory Damages for PIPA violations, please see: PIPA Violations Statutory Damages.
Korean Personal Information Processors
under PIPA of Korea
Facts
- Defendant opened an online gambling site in 2024.
- Defendant received personal information, including the names, bank account numbers, and mobile phone numbers of members of another gambling site from an “unknown person.”
- Defendant used the personal information to register members on the gambling site and test the site’s functionalities.
Issues
Whether a person who acquires personal information through fraudulent means constitutes a personal information processor?
Under the Personal Information Protection Act of Korea, a personal information processor is an entity that systematically collects and handles personal information in the course of business. Personal information processors have obligations regarding the collection, use, disclosure, and security management of personal information and are subject to criminal penalties for violations of the Personal Information Protection Act of Korea.
Lower Court Judgment
The court of first instance found Defendant guilty of the crime of establishing a gambling space and violating the Personal Information Protection Act and sentenced him to one year in prison. The appellate court overturned the decision but imposed the same one-year prison term. The appellate court held Defendant to be a personal information processor and applied a punishment provision for cases in which a personal information processor uses personal information beyond the scope of the consent obtained.
Supreme Court of Korea
The Korean Supreme Court dismissed the Defendant’s appeal. The Court opined that: “Even a person who acquired personal information through fraudulent means or illegal distribution is considered a personal information processor as long as they processed the personal information to operate personal information files in the course of their duties. If this is not viewed as such, a significant gap arises in the protection of the data subject’s right to self-determination regarding personal information.”
We shall update the reader as more information becomes available in this evolving area of law.
About IPG Legal
IPG Legal is a leading international law firm with an office in Korea advising multinational companies, tech platforms, foreign investors, and individuals on Korean data privacy, PIPA compliance, cross-border data governance, and regulatory investigations before the Personal Information Protection Commission (PIPC).
Sean Hayes, a former law professor, has advised global corporations, startups, and executives on high-risk Korean compliance matters, including data privacy governance, internal data-sharing compliance, and breach-response strategy.
For a recent article on PIPA related to the sharing of data between divisions of a Korean company, please see: Internal Data Sharing Between Departments in Companies in Korea: PIPA Basics
You may schedule a call with Sean Hayes via “Schedule a Call.”