South Korea: Court Rules Data Sharing Without Notifying Subjects Unconstitutional

3 September 2022

ARTICLE 19 welcomes a recent decision of South Korea’s Constitutional Court in a mass surveillance case. The Court found that the Telecommunications Business Act, which permits sharing personal data from telecommunication operators without a warrant, is partly non-conforming with the South Korean Constitution. This is an important step towards providing protection of freedom of expression and privacy in the country. Unfortunately, the Constitutional Court neglected other human rights non-compliant aspects of the law. We call on the South Korean Government and the Parliament to urgently bring the Telecommunications Business Act into full compliance with international human rights standards.

Background

The case was initiated by several civil society organisations after Open Net Association, ARTICLE 19’s partner organisation based in the Republic of Korea (Korea), ran a successful ‘Ask Your Telco’ campaign uncovering the victims of mass surveillance. It challenged mass surveillance in Korea under provisions of the Telecommunications Business Act (the Act). Articles 83(3) and 83(4) of the Act permit personal data sharing from telecommunications operators to a court, prosecutor or investigative agency (including the military) without a warrant and without notifying the individuals whose data has been shared.

In December 2016, ARTICLE 19 submitted an amicus brief in the case, in which we criticised the legislation’s failure to provide meaningful protection to individuals in the exercise of their right to freedom of expression and privacy. In the brief, we addressed three key points: the law’s facilitation of mass surveillance and the resulting impact on freedom of expression and privacy; the need for the law to be amended to require a warrant in order to obtain user data; and how data transfer should be accompanied by notification to affected data subjects.

ARTICLE 19’s comments on the decision

On 21 July 2022, Korea’s Constitutional Court ruled—in line with ARTICLE 19’s recommendations—that the failure to notify data subjects of the sharing of their data was a due process violation. The Court determined that it prevents data subjects from being able to challenge actions that may restrict their rights. They held this element of the law non-conforming with the constitution and ruled that the legislature must amend the law to address this non-compliance by making user notification mandatory before the end of 2023. The ruling affirms the importance of notification and its necessity in order to protect the fundamental rights and freedoms of data subjects.

Unfortunately, the Court failed to heed the second due process violation raised by ARTICLE 19 in its amicus brief – the lack of a warrant requirement. The shareable data under the Act includes the name of users, their addresses, and phone numbers. A warrant is not required in contravention of international law, which states that the use of surveillance powers by public officials must be subject to independent oversight to safeguard against abuse. The UN Human Rights Committee has stated clearly that Article 83(3) of the Telecommunications Business Act, which allows the authorities to obtain personal data without a warrant, runs counter to fundamental principles of international human rights law.

Further, the Court overlooked ARTICLE 19’s substantive concerns regarding government surveillance under Article 83(3) and 83(4) and their infringement of international human rights standards for the freedom of expression and right to privacy pursuant to the International Covenant on Civil and Political Rights (ICCPR). ARTICLE 19 regrets this omission and reiterates the non-compliance of the Telecommunications Business Act with international law:

• The wording of Articles 83(3) and 83(4) are overly broad and give unfettered discretion to the authorities in question to request a wide range of user data, failing to meet the ICCPR’s requirement that restrictions on freedom of expression be ‘prescribed by law.’
• Article 83(3) allows authorities to request user data from a telecommunications operator on the grounds of ‘any threat to… the guarantee of the national security.’ While national security is one of the legitimate aims for the restriction of the right to freedom of expression listed in Article 19(3) of the ICCPR, restrictions on this basis still must be necessary, proportionate, and drafted with sufficient precision to enable individuals to regulate their behaviour.
• Articles 83(3) and 83(4) do not require the authorities to demonstrate that their data requests comply with the principles of proportionality and necessity; they therefore violate Article 19(3) of the ICCPR.
• The right to privacy can only be lawfully restricted under international human rights law when those restrictions meet the criteria of legality, necessity and proportionality, and the restrictions take place in the pursuit of a legitimate aim. As per the legal justifications within the previous three bullet points, Articles 83(3) and 83(4) therefore constitute an unlawful and arbitrary interference with the right to privacy as protected by Article 17 of the ICCPR.