Korea’s Supreme Court has ruled that submitting bank account information as part of court filings does not automatically constitute a violation of the Personal Information Protection Act (PIPA).

The key issue: who legally qualifies as a “recipient of personal information.”


—

⚖️ Court & Decision

Court: Supreme Court of Korea

Decision Date: January 8, 2026

Holding: Lower court conviction reversed and remanded



—

🧾 Background of the Case

Employees of a Saemaeul Geumgo (credit union) were dismissed.

They filed for a provisional injunction seeking wage payments.

The credit union argued the employees were not in financial hardship because:

They held deposits and savings accounts at the institution.


A manager retrieved:

Account balances

Withdrawable amounts


The data was:

Faxed and emailed to the institution’s lawyer

Attached to court filings



Prosecutors charged the credit union officials and the lawyer for violating the Personal Information Protection Act, arguing the account information was provided to a third party without consent.


—

🏛️ Lower Court Ruling

The trial and appellate courts held:

Account balances qualify as personal information.

Providing them to a lawyer constituted illegal third-party disclosure.

The defendants were convicted and fined.



—

🧠 Supreme Court’s Key Legal Reasoning

The Supreme Court disagreed and focused on the definition of:

> “A person who received personal information from a personal information controller.”



The Court clarified:

The law targets third parties who are transferred control or management rights over personal data.

Employees handling data in the course of their duties are not such third parties.

Even if the original disclosure violated procedural requirements,

That does not automatically make the recipient criminally liable under Article 19.



Specifically:

The credit union officials were performing litigation-related duties.

The lawyer was not considered a “recipient” in the statutory sense.

The lower court misinterpreted the scope of criminal liability.



—

📌 Why This Case Matters

This decision narrows the criminal scope of Korea’s Personal Information Protection Act:

Not every improper disclosure triggers criminal punishment for the recipient.

“Recipient” requires transfer of control and management rights, not mere handling during 업무 수행 (execution of one’s official work).

Litigation-related submissions receive more nuanced treatment.


The ruling prevents over-expansion of criminal liability in civil litigation contexts.


—

⚖️ Big Picture

The Court signaled a cautious approach to criminalizing data use in legal disputes.

Improper handling may still create liability — but criminal punishment requires meeting the statute’s precise definition.

Article: https://www.lawtimes.co.kr/news/articleView.html?idxno=216273