Supreme Court: Viewing Others' Multi-Rater Evaluation Results Cannot Be Considered a Violation of the Information and Communications Network Act

Published 15 Nov.2023 15:53(KST)

Updated 15 Nov.2023 15:55(KST)

open/close

Access to Viewing Without Personal Authentication Cannot Be Restricted Solely to Employees

The Supreme Court has ruled that repeatedly changing some digits in the internet address used to view the company's multi-rater evaluation results to access other employees' evaluation results and capturing and sending these to others cannot be considered a violation of the Information and Communications Network Act. The court held that if the internet page displaying the multi-rater evaluation results could be accessed simply by entering the address without any separate personal authentication process, it is difficult to regard the page access rights as being restricted solely to the employee themselves.

[Photo by Beopryul Newspaper]

The Supreme Court Criminal Division 1 (Presiding Justice Oh Kyung-mi) overturned the lower court’s ruling that sentenced Mr. A to a suspended prison term on charges of violating the Act on Promotion of Information and Communications Network Utilization and Information Protection last month on the 26th, and remanded the case to the Suwon District Court (2023Do1086).

Mr. A is an employee working at B Art Center in Gyeonggi Province. B Center conducted annual multi-rater evaluations among employees for personnel management, where employees could access their individual evaluation results by logging into a personal internet address assigned to them. Mr. A is accused of repeatedly changing the last two digits of his multi-rater evaluation viewing page address to open and view the evaluation results of 51 employees of B Center one by one, capturing the screens, and then sending the captured images to the head of B Center.

The first trial court sentenced Mr. A to 8 months in prison with a 2-year suspension, stating that "Mr. A intruded into the information and communications network without proper access rights, violating others' privacy and disclosing it." The company C, which had a service contract with B Center to develop the online multi-rater evaluation link and conduct the survey, and its CEO Mr. D were each fined 5 million won for violating the Personal Information Protection Act by failing to take measures to prevent the leakage of personal information of B Center employees. The appellate court dismissed Mr. A’s appeal and upheld the first trial ruling.

However, the Supreme Court’s judgment differed. The Supreme Court stated, "Article 48(1) of the Information and Communications Network Act, which prohibits intrusion into the information and communications network without proper access rights or beyond permitted access rights, is intended to protect the stability of the network itself and the reliability of information. Therefore, the entity that grants or sets the scope of access rights is the service provider." It added, "Whether a third party who is not a user authorized by the service provider has access rights should be judged based on the access rights granted by the service provider, and whether the service provider restricts access rights should be carefully judged by comprehensively considering various objectively apparent circumstances such as protective measures or terms of use."

Furthermore, the court noted, "The internet page for viewing evaluation results was accessible without separate login or personal authentication procedures, the last two digits of the address were simply structured, and the address was not encrypted. Also, company C did not include any content in the emails and text messages sent to employees that would restrict viewing by other employees. Therefore, company C and Mr. D were convicted for failing to take necessary measures to ensure stability."

The court continued, "Even if company C individually delivered only the internet page addresses where employees’ multi-rater evaluation results were posted, since the evaluation results could be viewed simply by entering the internet address without any protective measures, it is difficult to regard the internet page access rights as being restricted to the employees themselves. Therefore, even if Mr. A accessed pages containing other employees’ evaluation results by changing some digits in the internet address, it cannot be considered an intrusion into the information and communications network prohibited by Article 48(1) of the Information and Communications Network Act."

Regarding the charge that Mr. A disclosed secrets by accessing other employees’ evaluation viewing pages, the Supreme Court ruled, "Since Mr. A did not engage in any acts that could be regarded as improper means or methods other than changing some digits of the internet address, it cannot be said that he acquired or disclosed the multi-rater evaluation results by improper means or methods."