The Story Behind Korea’s Laws: Your Guide to Korea’s Legal Pulse
SEOUL, Jan. 15 (Korea Bizwire) — South Korea’s Supreme Court has ruled for the first time that companies may be exempt from statutory damages for data breaches if they can demonstrate that customers suffered no actual harm, a decision that could reshape corporate liability in personal data cases.
In a ruling finalized last month and disclosed Wednesday, the Supreme Court of Korea upheld lower-court decisions rejecting a damages claim brought by a user of HappyCampus, an online knowledge-sharing platform, following a hacking incident that exposed user information.
The case stemmed from a September 2021 breach at HappyCampus, in which the personal data of more than 403,000 users was leaked. The plaintiff argued that the company had failed to properly control external access, leading to the exposure of encrypted passwords and email addresses, and sought 300,000 won ($220) in statutory damages, citing emotional distress and fears of secondary harm such as spam or voice phishing.
Under South Korea’s Personal Information Protection Act, victims of data leaks may seek statutory damages of up to 3 million won without proving specific losses—a provision introduced in 2016 to address the difficulty of demonstrating concrete harm in privacy cases.
Hacking incidents that are now increasingly likely to affect anyone. (Image courtesy of Yonhap)
The Supreme Court reaffirmed that plaintiffs need only prove that a data breach occurred to claim statutory damages. However, it drew a clear line, stating that the law does not require companies to pay damages in cases where it is evident that no harm occurred. The court said companies may avoid liability if they can prove that the breach did not result in mental or material damage to users.
In assessing whether harm occurred, the court said judges should consider factors such as the type and sensitivity of the leaked information, the likelihood of identifying individuals based on the data, whether third parties accessed or used the information, and the scope of its spread.
Applying those standards, the court found that the leaked passwords were encrypted and unlikely to be deciphered or misused, and that the email addresses were not combined with other identifying information, making it difficult to identify specific individuals. It also concluded that the risk of the data being exploited for profit or widely disseminated was low.
As a result, the court ruled that the plaintiff faced little risk of privacy violations, reputational harm or financial loss, and upheld the dismissal of the damages claim.
Legal experts said the ruling provides important guidance on how courts should balance consumer protection with the intent of statutory damages, signaling that while data breaches remain serious, liability will hinge on demonstrable harm rather than the breach itself.
Jerry M. Kim (jerry_kim@koreabizwire.com)
