Who Is a Personal Data Controller in South Korea? Four Supreme Court Cases
Table of Contents
- 1. What Is a “Personal Data Controller” Under South Korea’s PIPA?
- 2. What Is the Right to Informational Self-Determination? — Supreme Court 2012Da49933
- 3. Does Using Illegally Obtained Data Make You a Controller? — Supreme Court 2026Do477
- 4. Is an Insurance Solicitor a Personal Data Controller? — Supreme Court 2024Do14998
- 5. Does Prior Consent Block a Disclosure Offence? — Supreme Court 2024Do19539
- 6. Four Cases Compared
- 7. How Do PIPA Article 71(2) and Article 71(10) Relate to Each Other?
- 8. What Does This Mean for Foreign-Invested Companies in South Korea?
- 9. FAQ
Hypothetical scenario:
· Y, who runs an illegal gambling platform in South Korea —
“I bought data that had already been leaked. I didn’t hack anyone. Surely I’m not a data controller?”
· Y2, an insurance solicitor —
“I collected the customer’s data, yes — but doesn’t the insurance company control it, not me?”
· Y3, an apartment resident —
“I posted names in the group chat, but everyone consented when they signed up. Isn’t that a defence?”
· Y4, a member of parliament —
“Teachers’ union membership is a matter of public record. Why can’t I publish it?”
Are all four of them in violation of South Korea’s Personal Information Protection Act?
· Y (gambling platform) —
Using illegally obtained personal data to operate a business personal data file makes you a controller. Criminal liability confirmed. (2026Do477)
· Y2 (insurance solicitor) —
Performing data processing acts alone is not enough. The decisive question is who holds ultimate decision-making authority. (2024Do14998, reversed and remanded)
· Y3 (apartment resident) —
Prior consent from data subjects blocks disclosure liability. (2024Do19539, reversed and remanded)
· Y4 (parliamentarian) —
Even publicly accessible personal data is protected. Unauthorized disclosure is unlawful. (2012Da49933)
Same statute, four different outcomes — where does PIPA criminal liability begin and end?
※ The hypothetical scenario above is based on the facts of the cases described below and is provided for illustrative purposes only. It does not constitute legal advice.
South Korea’s Personal Information Protection Act (PIPA) imposes obligations on “personal data controllers” across the entire data lifecycle — collection, use, provision, and disclosure — and backs those obligations with criminal penalties of up to five years’ imprisonment. Yet the statute’s definition of “personal data controller” leaves open many practical questions: Does it matter how data was acquired? Does processing data automatically make you a controller? Can consent eliminate liability? The Supreme Court of South Korea has addressed each of these questions in a series of rulings spanning 2014 to 2026. Reading the four decisions together provides a coherent framework for assessing PIPA criminal exposure.
1. What Is a “Personal Data Controller” Under South Korea’s PIPA?
PIPA Article 2(5) defines a “personal data controller” (개인정보처리자) as “a public institution, corporation, organisation, or individual that processes personal data, either directly or through a third party, in order to operate a personal data file for business purposes.” This definition determines who is subject to PIPA’s criminal sanctions under Articles 71 and 74.
Article 2(5) — Definition of Personal Data Controller
“Personal data controller” means a public institution, corporation, organisation, or individual that processes personal data, either by itself or through another person, in order to operate a personal data file for business purposes.
Elements of the Definition
| Element | Content |
|---|---|
| Purpose | For business purposes |
| Object | To operate a personal data file |
| Method | Directly or through a third party |
| Act | Processing of personal data |
| Subject | Public institutions, corporations, organisations, individuals — all included |
The statutory text places no restriction on the method or circumstances by which data was originally acquired — a textual gap that is central to the 2026Do477 ruling discussed below.
2. What Is the Right to Informational Self-Determination? — Supreme Court 2012Da49933
The fundamental right that PIPA is designed to protect is the right to informational self-determination (개인정보자기결정권). Its content and scope were authoritatively defined by the Supreme Court in its judgment of July 24, 2014 (Case 2012Da49933), which has since been cited in virtually every PIPA-related ruling.
Background
A then-serving member of the National Assembly obtained a list identifying teachers by name, school, and trade union membership, and published it on the internet. The publication went beyond the stated purpose for which the data had been requested from the Ministry of Education. The affected teachers and their union sued for damages, arguing that their right to informational self-determination had been violated.
The Court’s Definition
The Supreme Court defined the right to informational self-determination as the right of each data subject to determine for themselves when, to whom, and to what extent their personal information is disclosed and used. The right is grounded in the general right of personality derived from Article 10 of the Constitution (human dignity and the pursuit of happiness) and the right to privacy under Article 17.
Crucially, the Court held that the protected category of “personal data” is not limited to intimate or sensitive information. It includes information formed in the course of public life or information that has already been made public. Teachers’ trade union membership — a professional activity — was held to fall squarely within this definition.
Balancing Privacy Against Free Expression
Where the disclosure of personal data conflicts with freedom of expression, the Court held that courts must weigh the competing interests by reference to: whether the individual is a public figure; the public nature and public interest value of the information; the appropriateness of the collection method, purpose, and use; the necessity of the use; and the nature of the harm caused. In this case, the parliamentary defendant’s interest in disclosure was held not to outweigh the teachers’ interest in privacy, and the publication was found unlawful (citing Supreme Court 2008Da42430 en banc, September 2, 2011).
3. Does Using Illegally Obtained Data Make You a Controller? — Supreme Court 2026Do477
In Case 2026Do477 (April 16, 2026), the Supreme Court confirmed that a person who acquires personal data through hacking or unlawful channels and then uses it to operate a business personal data file qualifies as a personal data controller under PIPA Article 2(5). The defendant’s appeal was dismissed and the conviction affirmed.
Article 18(1) — Prohibition on Use or Provision Beyond Collected Purpose
A personal data controller shall not use personal data beyond the scope permitted under Article 15(1), or provide personal data to a third party beyond the scope permitted under Article 17(1) and Article 28-8(1).
The Court’s Three-Part Rationale
First, statutory text. PIPA Article 2(5) defines “personal data controller” without any restriction on the method or circumstances of data acquisition. The definition is silent on how the data was obtained.
Second, legislative purpose. PIPA exists to protect the right to informational self-determination as established in 2012Da49933 and reaffirmed in 2024Do19539. Excluding unlawful acquirers from the controller definition would create a significant gap in that protection.
Third, practical consistency. If unlawful acquisition stripped a person of controller status, that person would simultaneously escape controller duties — including the obligation to disclose data sources, respond to access and deletion requests, and face civil liability. This result would be directly contrary to PIPA’s protective purpose.
Practical Implication
Purchasing leaked or stolen personal data from dark web brokers or other unlawful sources, and then using it for marketing, fraud, or other business operations, constitutes criminal conduct under PIPA regardless of who originally obtained the data unlawfully. The argument “I didn’t hack anyone myself” carries no legal weight.
4. Is an Insurance Solicitor a Personal Data Controller? — Supreme Court 2024Do14998
In Case 2024Do14998 (February 26, 2026), the Supreme Court reversed and remanded an insurance solicitor’s conviction, holding that merely performing data processing acts does not automatically establish personal data controller status under PIPA.
Facts
Y was an insurance solicitor affiliated with Company A. During the solicitation process, Y collected customer B’s date of birth, address, and contact information. Y later conspired with C to have C call A’s customer service centre, impersonate B using the data Y had collected, and request cancellation of policy riders and changes to coverage terms. The prosecution charged Y as a personal data controller who had used B’s data beyond the original collection purpose under former PIPA Articles 71(2) and 18(1). Both the trial court and the appellate court convicted Y.
The Legal Test
The Supreme Court held that controller status turns on who holds the ultimate authority to determine the purpose, content, method, and procedure of personal data processing — not who performs processing acts. Courts must consider:
- Whose proprietary business and interests the data processing is closely connected to
- Who exercises actual supervision and direction over the processing
- Who creates, holds, and operates the personal data file, and for what purpose
- Which attribution of controller duties and liabilities best serves data subject protection
Applying this test, the Court observed that when an insurance solicitor collects policyholder data in the course of brokering insurance contracts, the processing purpose is ordinarily tied to the insurance company’s proprietary business, and the ultimate decision-making authority resides with the insurance company. The lower court failed to conduct this inquiry and instead inferred controller status from Y’s mere act of data collection — a legal error requiring reversal.
Note on Joint Punishment Liability
The Court noted that even if Y is found not to be a personal data controller on remand, liability may still arise if Y qualifies as an “actor” under PIPA Article 74(2), the joint punishment provision (Supreme Court 2020Do1942, October 28, 2021). Controller status is a threshold question, not the only path to criminal liability.
5. Does Prior Consent Block a Disclosure Offence? — Supreme Court 2024Do19539
In Case 2024Do19539 (October 30, 2025), the Supreme Court reversed and remanded a conviction for unlawful disclosure of personal data, holding that prior consent from data subjects eliminates liability under former PIPA Article 59(2) (currently Article 59(2), punishable under Article 71(9)).
Article 59(2) — Prohibition on Disclosure
Any person who processes or has processed personal data shall not engage in any of the following acts:
2. Disclosing personal data learned in the course of business, or providing it to another person for use without authorisation.
※ Penalty: Article 71(9) — up to 5 years’ imprisonment or a fine of up to KRW 50 million (formerly Article 71(5) prior to the 2025 amendment)
Facts
Y coordinated a noise-damage compensation claim on behalf of apartment residents and collected residents’ names, unit numbers, and contact details through a consent form. Y then created a group chat using the collected data. When some residents posted criticism of Y’s conduct in the chat, Y responded by publicly naming them with their unit numbers. The prosecution charged Y with unlawfully disclosing personal data learned in the course of business. Both lower courts convicted Y.
The Court’s Reasoning
The Supreme Court held that because the right to informational self-determination belongs to the data subject, the data subject’s prior consent to a particular disclosure eliminates the unlawfulness of that disclosure. The Court found that the residents had in fact consented to having their names and unit numbers used in the group chat, based on the following evidence:
- The consent form and accompanying notice stated that names and unit numbers would be used for resident opinion-gathering, announcements, and related group chat activities.
- Some residents voluntarily identified themselves by name and unit number during group chat discussions.
- Two of the named complainants submitted statements to the appellate court confirming they had consented to the use of their information and did not believe their data had been improperly disclosed.
- The investigation was initiated by a building manager, not by the residents themselves.
Practical Implication
The scope and specificity of consent is critical. Consent obtained for one purpose does not extend to materially different uses. This ruling confirms that well-documented, specific prior consent is an effective defence to PIPA disclosure charges — but the consent must actually cover the manner in which the data was used.
6. Four Cases Compared
| Case | Core Issue | Outcome | Key Takeaway |
|---|---|---|---|
| Supreme Court 2012Da49933 (July 24, 2014) | Scope of the right to informational self-determination; whether public data is protected | Public and professional data included. Publishing teachers’ union membership unlawful. | No data is automatically “public enough” to lose PIPA protection |
| Supreme Court 2024Do14998 (Feb. 26, 2026) | Whether an insurance solicitor qualifies as a personal data controller | Processing acts alone insufficient. Ultimate authority is the test. Reversed and remanded. | Controller status requires substantive decision-making authority, not just handling of data |
| Supreme Court 2024Do19539 (Oct. 30, 2025) | Whether prior data subject consent blocks a disclosure offence | Prior consent eliminates liability. Reversed and remanded. | Documented, specific consent is a complete defence — but must match the actual use |
| Supreme Court 2026Do477 (Apr. 16, 2026) | Whether unlawful data acquisition excludes controller status | Acquisition method irrelevant. Unlawful acquirer who operates data file is a controller. Appeal dismissed. | Buying leaked data and using it for business creates full PIPA controller liability |
The common thread across all four rulings is that PIPA is interpreted by reference to its core protective purpose — the right to informational self-determination — rather than by formal or technical criteria. Neither the illegality of data acquisition, nor the mere performance of processing acts, nor the public nature of information, is a reliable shield against PIPA liability. What matters is the substance of the data relationship and the presence or absence of data subject consent.
7. How Do PIPA Article 71(2) and Article 71(10) Relate to Each Other?
In Case 2026Do477, the Supreme Court addressed sua sponte the relationship between two separate PIPA offences: Article 71(2) (use or provision of data beyond its collection scope, violating Article 18(1)) and Article 71(10) (unauthorised use, destruction, alteration, falsification, or leakage of another person’s data, violating Article 59(3)).
Article 71 (Penalties) — Relevant Provisions
Any person falling under any of the following shall be punished by imprisonment of up to five years or a fine of up to KRW 50 million:
2. A person who uses personal data or provides it to a third party in violation of Article 18(1) or (2) … and a person who receives personal data for profit or improper purposes knowing the foregoing circumstances.
10. A person who uses, destroys, damages, alters, forges, or leaks another person’s personal data in violation of Article 59(3).
Criminal Act Article 40 — Imaginary Concurrence
Where one act constitutes several offences, the punishment shall be imposed under the provision for the most serious offence.
The Court’s Holding
The lower court had treated the two offences as standing in a special-general relationship, with Article 71(2) absorbing Article 71(10), and acquitted on the latter charge in its reasoning. The Supreme Court held this to be an error. Because the two provisions differ in their subject class and the specific conduct prohibited, neither fully subsumes the other. Where one act satisfies both, the offences stand in imaginary concurrence under Criminal Act Article 40, and punishment is imposed under the heavier offence.
The Court found the error did not affect the outcome — the sentencing range and practical result were identical — and therefore dismissed the appeal rather than remanding.
8. What Does This Mean for Foreign-Invested Companies in South Korea?
Foreign companies operating in South Korea’s Incheon Free Economic Zone (IFEZ — Songdo, Cheongna, Yeongjong) and across the country routinely engage third-party vendors, agency staff, and solicitors who handle customer data as part of daily operations. The four decisions discussed above have direct practical implications for these businesses.
The 2024Do14998 ruling on insurance solicitors offers a template for analysing controller status in any outsourced data processing relationship — including relationships with logistics agents, sales distributors, and platform operators. Companies should document clearly who holds ultimate authority over data processing decisions, and ensure that contractual arrangements with processors reflect that allocation of responsibility.
The 2024Do19539 ruling on consent underscores the importance of drafting specific, purpose-limited consent forms. Consent obtained for customer onboarding does not automatically extend to subsequent uses. Legal teams reviewing data processing agreements should map each data use to a specific consent basis.
The 2026Do477 ruling on unlawfully obtained data is a reminder that purchasing or receiving personal data from third parties carries PIPA controller liability regardless of where the data originated. Due diligence on the provenance of any externally sourced data lists is now a legal necessity, not merely a compliance recommendation. Our team at Atlas Legal has advised multiple foreign-invested companies in the IFEZ on structuring data governance frameworks that withstand this scrutiny.
9. FAQ
PIPA criminal enforcement in South Korea is increasingly sophisticated, and the four Supreme Court decisions discussed above show that liability can arise in contexts that initially appear straightforward. Whether the issue is the provenance of a data set, the legal status of a field agent, the scope of a consent form, or the public nature of information, the analysis must return to the same question: whose right to informational self-determination is at stake, and has it been respected? Our legal team has handled data privacy matters across a range of industries and is available to advise on PIPA compliance and criminal defence strategy.
※ This article is provided for general informational purposes only and does not constitute legal advice. The applicable law may differ depending on the specific facts of each case. Please consult a qualified attorney before taking action.
