Os consumidores coreanos podem ingressar em uma ação coletiva por violação de dados causada por um aplicativo, e qual compensação é realista?

Question

Um aplicativo popular na Coreia do Sul vazou números de telefone de usuários e histórico de compras, e recebi uma notificação posteriormente. Gostaria de saber se é possível uma ação coletiva, quais provas devo guardar e se os danos geralmente são compensados em dinheiro ou por outros meios.

Ascendance International Consulting (A-I-C) · Accepted Answer

In South Korea a data‑breach that exposes users’ phone numbers and purchase histories triggers the Personal Information Protection Act (PIPA), which allows affected individuals to file a collective (group) claim (called a “class‑action” under the Act on the Remedy of Collective Redress for Consumers) if at least 10 people have suffered the same injury and the court certifies the case as a class suit. To pursue a group claim you should preserve all evidence: the breach notice you received, screenshots of the leaked data (with timestamps), any communications from the app (emails, in‑app messages), records of any fraud or spam you experienced afterward, and a log of any financial loss (e.g., unauthorized purchases). Keep copies of your privacy‑policy consent and any proof that you did not opt‑in to share that data, as this strengthens the claim that the company violated its statutory duty to obtain consent and to safeguard personal information.

Damages under PIPA can be monetary compensation for actual loss (e.g., fraudulent charges, identity‑theft remediation costs) and non‑pecuniary damages for emotional distress, which Korean courts have awarded in the range of ₩ 5‑10 million per plaintiff in similar cases. In a class action, the court may order the company to pay a lump‑sum settlement that is then distributed among the class members, and it can also require injunctive relief (mandatory security upgrades, deletion of the data, and a public apology). Additionally, the regulator (Korea Communications Commission) can impose administrative fines on the company, which are separate from the civil damages. If you want to explore a collective claim, we can help you gather the necessary documentation, connect you with a Korean consumer‑rights law firm experienced in class actions, and advise on the best strategy for maximizing compensation and ensuring the app implements stronger data‑privacy safeguards. If you have any further questions or would like assistance coordinating the claim, just let us know—we’re ready to help.

Sincerely,

Ascendence International Consulting

Architect Legal Advisory · Answer

TL;DR: While a 'class action' against the data controller is possible, conservative damage awards by Korean courts typically render such lawsuits impractical. As an aside, 'class action' lawsuits (where a representative plaintiff sues on behalf of a class with similar or identical claims) are limited to securities litigation in Korea. There have been discussions about implementing class action lawsuits more broadly but nothing has been legislated yet. In any case, this is just a technicality - multiple plaintiffs with similar claims can still join in to file a single lawsuit together (usually under shared legal representation), which is technically not a class action but achieves a similar effect nonetheless. For simplicity's sake, we'll use the term 'class action' in this response. Under Korean tort law, damages are divided into pecuniary (for financial harm) and non-pecuniary damages (for emotional distress). Also, punitive damages are generally not recognized, and the burden typically lies with the plaintiff to establish both the occurrence and the specific amount of damages. Since personal data breaches rarely result in immediate, quantifiable financial harm, establishing damages is often challenging in such cases. To address this issue, the Personal Information Protection Act (PIPA, the primary data protection legislation in Korea) offers two key protections: (1) data subjects who suffered data breach may claim reasonable damages of up to KRW 3 million, and (2) the burden of proof is shifted to the data controller, requiring the data controller to establish their non-negligence (Article 39-2). Nevertheless, the recoverable amounts remain modest (to say the least). Korean courts tend to be more conservative (compared to U.S. courts, for example) in assessing damages, awarding between KRW 100,000 to 200,000 per plaintiff in typical large-scale data breach cases. In addition, punitive damages are not recognized in data breach cases. While awards may increase in instances of intentional disclosure, they rarely reach the statutory ceiling, which itself is not substantial (KRW 3 million). With that said, class action may still make sense in some cases: (i) when the class is large enough that the per-person legal cost is lower than the expected damage award; (ii) when the class is large enough that despite the low amount awarded to each plaintiff, the aggregate amount is large enough to punish the company; or (ii) when the goal is mostly symbolic - to send a message to the company or generate noise, for example. Otherwise, it may not be worth pursuing for individual plaintiffs seeking financial remedy.

Os consumidores coreanos podem ingressar em uma ação coletiva por violação de dados causada por um aplicativo, e qual compensação é realista?

Respostas de Advogados

Ascendance International Consulting (A-I-C)

Architect Legal Advisory

Precisa de Ajuda Jurídica Pessoal?

Especialistas Jurídicos Relacionados