Protecting Civil Rights Against Corporate Surveillance In South Korea

In June 2013, Edward Snowden revealed that the U.S. National Security Agency (NSA) was indiscriminately monitoring the communications of people all over the world through a variety of surveillance systems. Transnational corporations such as Google, Facebook, and Microsoft have also cooperated with the NSA by providing their users' personal information under NSA’s program, PRISM, through which the agency collects internet communication from US based tech companies. The U.S. government has stated that it collected the information legally with court authorisation under Section 702 of the Foreign Intelligence Surveillance Act and that it does not target U.S. citizens with surveillance. But this raises a concern about the citizens of other countries. How does NSA regard information of internet users outside of the United States of America? 

Human rights activists in South Korea communicate via email with activists around the world, including the United States. How can we find out if our personal information has been shared with the U.S. intelligence agencies without our knowledge, and seek redress and protection for our rights to privacy and safety? We believed that a system to protect the rights of data subjects regarding personal information can be a way to resist surveillance. 

On February 10, 2014, six activists from the Korean Progressive Network ‘Jinbonet’, Citizens’ Coalition for Economic Justice, Citizen’s Action Network, and Amnesty International Korea requested disclosure of the personal information related to their Google accounts from Google Headquarters and Google Korea. The request entailed enquiry about whether their personal information or information about their use of Gmail service (e.g., who they sent emails to, the content of their emails, and other metadata) was provided to third parties such as the U.S. National Security Agency (NSA). However, Google provided a generic response stating that it only provides personal information to government agencies as required by law and cannot disclose whether or not personal information is provided or not, but did not provide specific information in response to our request. On July 23, 2014, we filed a lawsuit in Seoul Central District Court against Google Headquarters and Google Korea, demanding disclosure of personal information and service usage details provided to third parties. The first trial court ruling was issued in 2015, a second trial court ruling was passed in 2017, and finally a Supreme Court ruling on April 13, 2023, nine years after the case was filed. The latest Supreme Court order says that the six activists must be granted access to their personal information and their service usage history, overturning the two earlier rulings by the lower courts which said that an exemption can be given if the US laws prohibit the sharing of this information.

The latest Supreme Court order says that the six activists must be granted access to their personal information and their service usage history, overturning the two earlier rulings by the lower courts which said that an exemption can be given if the US laws prohibit the sharing of this information.

During the hearings of the case, Google argued that users could not sue in South Korea because they had contracted with Google under the Terms of Service to be bound by California law in the event of a dispute. However, it would be practically impossible for worldwide Google users to file a lawsuit in a California court, leaving them unable to protect their rights. Fortunately, all three South Korean courts have held that, notwithstanding an agreement to exclusive jurisdiction in the Terms of Service, when a consumer contract is entered into, such an agreement is invalid under private international law and the case can be brought in a domestic court. Furthermore, notwithstanding the agreement to governing law in the Terms of Service, the domestic law for consumer protection (in this case, the law for the Protection of Personal Information, which at the time of filing was the Network Act in South Korea) applies. This is a very significant ruling globally, as it means that users from each country should be protected under their own laws from big tech companies that provide services to users worldwide.

In particular, it is noteworthy that the Supreme Court of Korea ruled that even if a foreign law imposes an obligation to keep the provision of personal information confidential, this is not an unconditional basis for refusing compliance with the obligation to disclose personal information under Korean law. 

The lower courts ruled that Google was required to provide users with the details of the provision of personal information to third parties, but held that an exception could be made if there were laws in the US that prohibit the provision of such information. However, the Supreme Court overturned the first and second court rulings, stating that an exception is not unconditionally granted, but rather that comprehensive consideration must be given to whether the foreign law is consistent with the Constitution and laws of the Republic of Korea and whether the need to respect the foreign law is significantly superior to the need to protect personal information. In addition, even if a foreign law imposes a duty of confidentiality, when responding to a request for disclosure of personal information of domestic users, specific reasons for restriction or refusal must be notified, and if the reason for confidentiality has ended, disclosure requests from domestic users must be honored. This means that it is necessary to strictly examine whether there is a substantial reason to restrict the rights of the data subject. 

The Supreme Court of Korea ruled that even if a foreign law imposes an obligation to keep the provision of personal information confidential, this is not an unconditional basis for refusing compliance with the obligation to disclose personal information under Korean law.

The Korean Supreme Court's decision reminded me of the European Court of Justice's ruling. The European Court of Justice invalidated Safe Harbor, the data transfer agreement between the European Union and the United States, in 2015, and then invalidated its successor, Privacy Shield, in 2020. The reasoning was that they did not adequately protect EU citizens' personal data from collection by U.S. intelligence agencies. 

Recently, classified U.S. documents were leaked again, including records of U.S. intelligence agencies eavesdropping on the conversations of South Korean government officials. Even after the Snowden revelations, intelligence agencies in the U.S. and elsewhere appear to be continuing their indiscriminate surveillance of the internet and communications. The databases of Big Tech, which provide services to users around the world and collect vast amounts of personal information, can be a valuable resource for intelligence agencies to target users indiscriminately and disproportionately. However, there is no justification for arbitrary and indiscriminate surveillance by states and corporations in the name of national security. We hope this Supreme Court decision is a step forward in curbing such surveillance around the world.