We are pleased to inform you of a landmark ruling by the Supreme Court of Korea which has significant implications for e-commerce platform operators within the country. In a recent case, the Supreme Court has overturned the sanctions imposed by the Personal Information Protection Commission (PIPC) against major online marketplaces, Naver (South Korea’s leading internet platform company) and Gmarket (formerly eBay Korea). This pivotal case clarified that sellers on e-commerce intermediary platforms (the E-commerce Seller) are not considered ‘personal information managers’ of the platforms providing intermediary sales services (the E-commerce Platform) under the Personal Information Protection Act (PIPA). This ruling marks a transformative moment for privacy law enforcement related to E-commerce Platforms in South Korea.

In this article, we will delve into the details of the Supreme Court’s decision and discuss its broader impact on the e-commerce landscape.

  1. Overview of the Case

First, operators of the E-commerce Platform provide a service that enables members (including both sellers and buyers) to trade goods online. During the provision of this service, seller members utilize the personal information of buyer members, provided by the E-commerce Platform operators, to deliver products and carry out various sales-related tasks. In this context, the PIPC has interpreted that E-commerce Platform operators are ‘data controllers’ under PIPA, and that seller members are ‘personal information managers’ who process personal information under the direction and supervision of the E-commerce Platform operators. Based on this presumption, the PIPC found that E-commerce Platform operators breached the necessary safety measures required under PIPA by allowing seller members access to the seller system using only an ID and password, without employing additional secure authentication methods. As a result, the PIPC issued an order to seven (7) major platform operators to implement secure authentication methods and conduct regular training for their seller members (the PIPC Order).

Among the E-commerce Platform operators subject to the PIPC Order, Naver and Gmarket filed lawsuit actions against the PIPC seeking to annul the PIPC Order. We, Lee & Ko, have represented Naver and Gmarket from the court of first instance to the final decision by the Supreme Court.

  1. Summary of the Supreme Court’s Ruling

The main issue presented to the Supreme Court concerned whether E-commerce Sellers qualify as ‘personal information managers’ for E-commerce Platform operators under PIPA. This distinction was critical, as PIPA’s requirement for data controllers to implement secure authentication methods specifically applies to ‘personal information managers.’ Consequently, the legality of the PIPC Order depended on this determination.

In this regard, the Supreme Court annulled the PIPC Order for the following reasons, determining that E-commerce Sellers do not qualify as the ‘personal information managers’ of the E-commerce Platform operators:

    • a ‘personal information manager’ is not limited to those who have an employment contract with a data controller. It includes any person who, under laws or contractual terms, acts under the direction and supervision of a data controller to carry out certain tasks;
    • third parties,” who receive personal information from data controllers and utilize it for their own business purposes and benefits, are distinct from and cannot coexist with personal information managers; and
    • the E-commerce Sellers receive personal information of buyer members from the E-commerce Platform operators and process that information according to their own discretion for their business operations. They are thus ‘data controllers’ and ‘third parties’ themselves rather than ‘personal information managers’ of the E-commerce Platform operators.
  1. Significance of the Supreme Court’s Ruling

The significance of this case lies in the fact that it provided the first specific judicial interpretation of PIPA regarding the definition and scope of a ‘personal information manager,’ and the critical distinction between a ‘personal information manager’ and ‘third party.’ This ruling is pivotal not only for the e-commerce platform industry but also establishes a benchmark for future cases across various sectors involving the determination of who qualifies as a ‘personal information manager’ and who is subject to security measures requirements as per PIPA.

Prior to this ruling, the PIPC had used its guidelines as the legal basis to interpret E-commerce Sellers as ‘personal information managers’ for E-commerce Platform operators. However, this ruling clearly established that the PIPC’s guidelines cannot serve as grounds for enforcement actions. Nonetheless, it should be noted that independent of the Supreme Court’s decision, major E-commerce Platform operators such as Naver and Gmarket have proactively enhanced their security measures through self-regulatory efforts to safeguard the personal information of buyer members.

Furthermore, this ruling is also significant as it clearly delineates the responsibilities related to personal information processing between E-commerce Platform operators and their seller members. This provides critical guidance for E-commerce Platform operators on how to structure their compliance and governance frameworks to protect personal information effectively.

This ruling marks the first decision issued by the PIPC has been overturned since it became a central administrative agency in 2020.

 

More from Lee & Ko