On July 21, 2022, the Constitutional Court of Korea rendered a decision of nonconformity(2016Hun-ma388) on the law allowing telecommunications business operators to disclose its users’ identification data(name, identification number, address, date of subscription and unsubscription, telephone number, ID, etc) to investigatory agencies requesting the same without a warrant (Article 83-3 of Telecommunications Business Act).
The Court ruled that the law infringed the right to informational self-determination by violating due process as it lacks notifications to the affected persons which would otherwise allow them to become aware of the restriction of their rights and challenge its validity if necessary.
It is noteworthy that the decision confirmed the importance of notification and that the access to the communications user data limits users’ fundamental rights. The decision will unveil the pervasive extent of the government’s acquisition of private information as the law, if amended per this decision, will make user notification mandatory unlike before when access was revealed only upon users’ individual inquiries. Open Net welcomes this decision as privacy is a fundamental right for which procedural protection is as important as substantive protection, and the decision enhances the transparency of state surveillance.
It is, however, regrettable that the decision found the access not compulsory and therefore the warrant requirement not applicable. If the access is not an exercise of binding state power, then the telecommunications business operators’ disclosure must be voluntary. In such a case, the disclosing operators must be legally responsible in cases where users’ privacy is infringed by that disclosure. However, the Supreme Court previously ruled that the operators’ disclosure is lawful as long as it mechanistically follows the statutory format and procedure in a user’s damage suit against the operators. Under that reasoning, citizens will not be able to hold anyone accountable for other rights infringement arising out of non-compulsory request of the government and voluntary cooperation of a private company whenever such cooperation is authorized. It means that Article 83-3 of the Telecommunications Business Act effectively carves subscriber identifying information out of the scope of privacy protection, and the Constitutional Court failed to deliberate on this substantive issue.
The Constitutional Court also ruled that the provision of subscriber identifying information did not go against the principle of proportionality because the purpose was to facilitate the speed and efficiency of the investigation during its early stages and because the scope and cause of the information collected was limited (e.g., names, addresses, etc.). The Court overlooks the fact that citizens lose their freedom of anonymous communication the moment they make telecommunications under such a legal system. The extent of privacy infringement upon disclosure of subscriber identifying information is no different than that of a warrant for search and seizure because it does not end at the acquisition of identifying information but reveals to the investigative agencies one’s involvement in telecommunications. For example, not only are users’ Kakao Talk nicknames and identifications matched but also the otherwise private fact that the user is participating in a Kakao Talk chat with persons under investigation is revealed. In addition, operators such as Naver and Kakao have had the practice of providing identifying information only upon presentation of a court order, and there is nothing to indicate that such practice hampered related investigations. This means that there is an alternative means to achieve the public need for investigation while satisfying the warrant requirement, and thus it is doubtful that an inquiry under the minimal impairment principle has been fully conducted. It is rather worrying that that Naver and Kakao may start to cooperate with warrantless provision of subscriber identifying information.
Through litigation and public campaigns Open Net, together with People’s Solidarity for Participatory Democracy (PSPD), has created a legal environment where users could compel the operators to disclose the records of access to subscriber identifying information. Open Net has also successfully lobbied for the 2015 UN Human Rights Committee who issued a Concluding Observation on Korea recommending adding the warrant requirement, the 2016-2017 Third-Party Intervention Submission by Article 19 and Privacy International, the 2017 Third-Party Intervention Submission by David Kaye, United Nations Special Rapporteur on the Right to Freedom of Opinion and Expression, and a statement of the United Nations Special Rapporteur Joseph Cannataci on the right to privacy, on the conclusion of his official visit to the Republic of Korea in 2019, each of which called out human rights violations of the provision of subscriber identifying information.
Just as the current Protection of Communications Secrets Act requires the Court’s approval for the acquisition of communications confirmation, a similar procedure must be established for the provision of subscriber identifying information. Simply treating subscriber identifying information lightly compared to the content of communications or other metadata is equal to denying the freedom of anonymous communication. Open Net demands that the National Assembly, tasked with legislative amendment, define adequate notification procedure that allow proper evaluation of the access , and take a step further by drawing up legislation that meets the fundamental principles of the warrant requirement and international human rights standards.
July 28, 2022