Article - Privacy breach sanctions in the Asia-Pacific region (July 2007)


This article provides information on the sanctions that are available in Asia-Pacific privacy legislation. Case studies are also provided to indicate the range of sanctions that have been imposed for privacy breaches in each country.

A range of sanctions has been imposed in the region, including:

  • Significant criminal sanctions, including fines and imprisonment, have been imposed in Hong Kong, Japan and Korea;
  • A mix of significant criminal sanctions and large compensation payouts has been imposed in Taiwan;
  • Moderate sanctions have been imposed in Australia, where there is an emphasis on mediation and the payment of small amounts of compensation.

Some jurisdictions have imposed additional, sometimes innovative, sanctions that have a direct impact on the business causing the privacy breach. These have included suspending businesses from specific activities for up to one month.

The following table provides an overview of the six jurisdictions. For each jurisdiction it lists the criminal sanctions (maximum penalty), the compensation range and any additional sanctions, all with approximate USD equivalents:

Australia
  Compensation range: AUD 500 (USD 400) to AUD 20,000 (USD 16,000)

Hong Kong
  Criminal sanctions (maximum penalty): 2 years imprisonment and a HKD 50,000[1] fine (USD 6,500). If the offence is of a continuing nature, an additional fine of HKD 1,000 (USD 130) per day also applies.
  Compensation range: HKD 1,000 (USD 130) to HKD 50,000 (USD 6,500)

Japan
  Criminal sanctions (maximum penalty): Six months imprisonment or a fine of not more than JPY 300,000 (USD 2,500).
  Compensation range: JPY 100,000 (USD 850) to JPY 1,000,000 (USD 8,500) (approx.)
  Additional sanctions: Suspension of business activities (e.g. one month suspension).

Korea
  Criminal sanctions (maximum penalty): 5 years imprisonment or a fine not exceeding 50 million won (USD 54,000).
  Compensation range: 500,000 won (USD 500) to 20 million won (USD 21,000)

Taiwan
  Criminal sanctions (maximum penalty): 5 years imprisonment or a NT$1,000,000 (USD 30,000) fine.
  Compensation range: NT$20,000 (USD 600) but not more than NT$100,000 (USD 3,000) for each case of damages per person. Note: Total compensation is capped at NT$20 million (USD 612,000).
  Additional sanctions: Suspension of business activities (e.g. prohibition on issuing new credit cards for one month).

Australia

Privacy Act 1988 (Cth)

The sanctions for breaches of privacy law in Australia are contained in section 52 of the Privacy Act 1988 (Cth).[2]

Section 52 Determination of the Commissioner
(1) After investigating a complaint, the Commissioner may:
(a) make a determination dismissing the complaint; or
(b) find the complaint substantiated and make a determination that includes one or more of the following:...
(ii) a declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant;
(iii) a declaration that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint;...
(3B) A determination may include an order that:
(a) an agency or respondent make an appropriate correction, deletion or addition to a record, or to a credit information file or credit report, as the case may be; or
(b) an agency or respondent attach to a record, or include in a credit information file or credit report, as the case may be, a statement provided by the complainant of a correction, deletion or addition sought by the complainant.

The most common sanctions utilised in Australia include:

  • Provision of access to records;
  • Correction of records;
  • Apologies;
  • Changes to systems; and
  • Compensation.

Case Studies

The Office of the Privacy Commissioner investigates about 1200 complaints each year. The majority of these are resolved through mediation and conciliation, and the use of significant sanctions is rare. However, compensation awards are becoming more common. Amounts of compensation range from AUD 500 (USD 393) to AUD 20,000 (USD 15,703).[3]

The following table contains examples that are indicative of the types of cases that result in an award of compensation:




J v Superannuation Provider[4]

The complainant was pursuing a claim against his superannuation provider for total and permanent disability entitlements. He alleged that records relating to his claim, including reports about covert surveillance undertaken by the superannuation provider as part of the claim assessment, were found on a public thoroughfare. The complainant also alleged that the documents included incorrect information about him.

The parties agreed to a resolution that included a formal written apology and a payment of compensation of AUD 3,500 (USD 2,750) for loss or damage including legal expenses and hurt and embarrassment.

C v Commonwealth Agency[5]

This case involved the disclosure of sensitive personal information by a Commonwealth agency, where the complainant was employed, to another Commonwealth agency where the complainant had applied for a position. The complainant attended an interview for a position with another Commonwealth agency and provided the name of a referee, who was the complainant's supervisor, to the interview panel. The complainant was unsuccessful at the interview and alleged that the supervisor improperly disclosed personal information about the complainant.

The agency apologised to the complainant and paid compensation of AUD 7,000 (USD 5,500).

I v Major wholesaler[6]

The complainant alleged that her ex-partner’s current girlfriend used her position with a major supplier of products on two occasions to access the complainant’s credit report to check her financial position.

The employee was counselled about her actions and has since left the company. The company also offered the complainant its apologies and agreed to pay compensation of AUD 7,500 (USD 6,000) for the interference with her privacy.

The company recognised that there were potential problems regarding access to, and use of, personal information. Previously, four separate divisions that operated in a number of States had access to the credit reporting database to assess credit applications. The company consolidated its credit application functions into one specialised department in its Sydney office.

A v Department of Defence[7]

This determination relates to a complaint lodged by "A" under section 36 of the Privacy Act 1988 against the Secretary, Department of Defence, regarding an alleged unauthorised disclosure of personal information about him. It was alleged that the Army had disclosed the reason for his discharge and in doing so breached the Army Manual of Personnel Administration (MPA) Volume 1 Chapter 2.

A Declaration was made that A is entitled to AUD 5,000 (USD 3,950) as compensation for the embarrassment caused by the disclosure, and for the wages lost as a result of the disclosure. In addition, the Department of Defence was ordered to pay A the amount of AUD 5,000 (USD 3,950) as compensation for the interference with his privacy.

Hong Kong


The sanctions for breaches of privacy law in Hong Kong are contained in the Personal Data (Privacy) Ordinance (PDPO).[8] Schedule 1 of the PDPO sets out six data protection principles (DPPs) with which users of personal data must comply.

Where there is a contravention of a DPP, the Privacy Commissioner can, if it deems appropriate, issue an enforcement notice to the user of the personal data, requiring them to take specific action in order to ensure future compliance with the DPP.[9] Failure to comply with an enforcement notice constitutes a criminal offence that renders the non-compliant party liable to 2 years imprisonment and a HKD 50,000[10] fine (USD 6,500). If the offence is of a continuing nature, an additional fine of HKD 1,000 (USD 130) per day also applies.[11]

Section 66 of the PDPO provides that an individual who suffers damage by reason of a contravention of the Ordinance in relation to his or her personal data may seek compensation from the data user concerned.

Case Studies

Privacy complaints in Hong Kong usually result in the issue of an enforcement notice by the Privacy Commissioner directing the data user to take the steps specified in the notice to remedy the contravention. If the data user complies with the enforcement notice, no further action is taken. Consequently, few complaints result in the imposition of serious sanctions, despite the large number of privacy complaints in Hong Kong.

The following table contains examples that are indicative of the range of sanctions used in Hong Kong:




Illegal financial data checks[12]

Nine employees of seven financial institutions were arrested by the Independent Commission Against Corruption for allegedly conducting unauthorised checks on customer data for a debt collection syndicate. The institutions included Citibank, Citic Ka Wah Bank, Hang Seng Bank, DBS Bank (Hong Kong), Bank of China (Hong Kong), AIG Credit Card Company (Hong Kong) and Wing Hang Credit.

One of the defendants, Au Yeung Chuen, admitted that, at the request of a friend who owned a debt collection agency, and relying on his capacity as the credit control manager of CITIC Ka Wah Bank, he retrieved customers’ information stored in the computer database of the bank in order to supply it to his friend. The retrieval occurred once or twice every month, and not more than five customers’ data were retrieved each time. Over the course of the year, the number of customers whose information was retrieved by the defendant was approximately between 60 and 120.[13]

Au Yeung Chuen was convicted of conspiracy to obtain access to a computer with a view to dishonest gain and was sentenced to 9 months’ imprisonment. He appealed against the sentence, but the appellate court upheld it, stating that, as the duration of the offence was long and the amount of customer information involved was relatively substantial, the starting point of 9 months’ imprisonment could not be said to be excessive.

Another one of the defendants, Tse Yat-hoi

Case No.: 2001001[14]

In May 2001, the Commissioner referred a case to the police for prosecution as a result of a person's failure to comply with an enforcement notice, pursuant to section 64(7) of the PDPO. The case originated with a non-privacy related complaint by a hotel's customer against the defendant, a former member of the hotel's telesales staff, which resulted in his dismissal. Feeling aggrieved, the defendant took records of the hotel's customers' details and used the data to send out numerous fax letters to these customers accusing them of causing him to lose his job. After investigation, the Commissioner found that the defendant had collected personal data of the hotel's customers in breach of the Ordinance. An enforcement notice was served on him directing him to return the customers' information. He failed to comply with the enforcement notice.

The case was referred to the police for prosecution. The defendant was charged, convicted and received a fine (amount not disclosed).

Direct marketing case[15]

A telecommunications company was convicted of breaching section 34 of the PDPO in September 2006 in the Kowloon City Magistrates’ Court. In October 2005, the complainant received a telephone call from the Company promoting its IDD service. He made an ‘opt-out’ request explicitly over the phone (i.e. he asked the Company not to contact him in the future for direct marketing purposes). In December 2005, the complainant received another call from the Company promoting its broadband service. The complainant lodged a complaint with the Privacy Commissioner.

After investigation, the Company was charged with an offence under section 34 of the Ordinance, which requires data users to cease further contact with the individual if the individual chooses to opt-out. The company was fined HKD 4,000 (USD 515).


Japan

The sanctions for breaches of privacy law in Japan are contained in Chapter 6 of the Act on the Protection of Personal Information 2003.[16] Pursuant to Article 34, where a data user is in contravention of certain provisions of the Act, the competent Minister may recommend that the data user cease the contravention and take the necessary measures to correct the violation. If the Minister considers that the infringement is imminent, or considers it necessary to take measures urgently, the Minister may order that the contravention be ceased. Article 56 contains the sanction for non-compliance with these orders:

An entity who violates orders issued under Paragraph 2 or 3 of Article 34 shall be sentenced to imprisonment of not more than six months or to a fine of not more than 300,000 yen (USD 2,500).

Case Studies

Privacy complaints in Japan often result in the imposition of serious sanctions.

The following table contains examples that are indicative of the range of sanctions used in Japan:




Defence Agency case[17]

In June 2002, the Defence Agency revealed that it had been collecting the names of people requesting information and cross-referencing the list with private information, such as the political affiliations of the requestor.

On February 12, 2004, the Tokyo District Court ruled that the list compiled by the Defence Agency violated privacy, and ordered the agency to pay JPY 100,000 (USD 850) in compensation to a writer who was on the list.

Softbank case[18]

The personal data of about 4.6 million subscribers to Yahoo BB (Broad Band service) was leaked by its employees. The Metropolitan Police Department arrested four persons for allegedly blackmailing Softbank Corp. - the company that operates Yahoo BB - by threatening to leak the confidential customer data. Stolen information included each subscriber's name, address, phone number, subscription starting date and e-mail address.

In May 2004 two persons were arrested for illegally accessing personal information on Softbank customers after obtaining passwords to hack into the company's database. The pair passed the information on to four members of a right-wing extremist group.

On November 19, 2004 the Tokyo District Court sentenced one of the employees to a suspended 2 ½ year prison term and five years of probation. The other employee was given a two-year suspended term with four years of probation. The court criticised the defendants for causing ‘social anxiety’ and for their ‘base’ motives, but said it decided to suspend their jail terms because ‘their role was subordinate.’

Three of Yahoo BB's customers have also launched a damages suit against Softbank Corp. before the Osaka District Court, seeking JPY 100,000 (USD 850) each in compensation.[19]

Mizuho Bank case[20]

This case is an example of the Financial Services Agency responding to a data leak, including issuing a ‘Business Improvement Order’ under the Banking Law, and recommendations under Article 34 of the Act on the Protection of Personal Information. If this recommendation is not followed, orders could be given under Article 34(2), and if these are not followed, the penal provisions of Article 56 could apply.

In this case, the recommendation was that the measures required to protect the rights and interests of individuals be taken with respect to the following, in consideration of the fact that the incident was caused by a person with specific authority at the branch:

  • Ensure effective security control measures for personal data.
  • Strictly oversee employees to ensure the security control of personal data.

Following the business improvement order, Mizuho Bank chose to punish seven board members, including President Seiji Sugiyama, by cutting their salaries by 15% to 30% for two months.

Credit Suisse case[21]

Credit Suisse Trust and Banking disclosed customer data without consent.

As a result, the FSA made an order that suspended Credit Suisse from engaging in new trust business for one month, and required it to implement new controls and procedures to ensure compliance.

KDDI case[22]

This case involves a leak, probably by an insider, of personal information of nearly four million customers. The leak was apparently part of an attempted extortion.

KDDI negotiated with the group holding the data and recovered it, but no other details are revealed.

The Ministry of Internal Affairs issued an instruction requiring KDDI to ‘manage personal information adequately and thoroughly’.[23]

Citibank case[24]

This case involves Citibank’s loss of a magnetic tape containing client information.

Following the data loss, the FSA[25] made a business improvement order, using its power under the Banking Law 1981.[26]



Korea

The Act on Promotion of Information and Communication Network Utilization and Information Protection came into effect in 2000. It does not apply to all organisations in the private sector: it applies only to the information and telecommunications industries, that is, to ‘providers of information and communications services’ such as common carriers, Internet service providers and other intermediaries such as content providers. While Fidelity is not required to comply with the Act, it nevertheless provides guidance on the desired protection of information.

The Act contains some severe sanctions for privacy breaches:

Article 62 (Penal Provisions)
... shall be punished by imprisonment with prison labor for not more than 5 years or by a fine not exceeding 50 million won (USD 53,837):
1. A person who has used or provided personal information to any third person beyond the scope of the notification or the limit specified in a standardized contract under Article 22 (2) in breach of Article 24 (1);
2. A person who has used user personal information for a purpose other than the purpose for which such personal information has been provided or provided said personal information to any other person in breach of Article 24 (2).

Case Studies

Privacy complaints in Korea are generally resolved by mediation. However, a small number of privacy breaches have resulted in high profile complaints and the imposition of serious sanctions.

The following table contains examples that are indicative of the range of sanctions used in Korea:




LG Case[27]

More than 100 job applicants filed a class action suit against LG Electronics for leaking their private information online. The police also investigated the leak. The personal information of over 22,000 applicants for LG Electronics jobs was made public for about an hour, during which people could access private details such as the applicants' pictures and academic grades.

A member of Daum internet cafe ‘Job Break’ had applied for a job at LG, but was not hired. The member then posted the link to the personal data, saying he did it because he was not hired.

In October 2006, the victims sought 20 million won (USD 21,000) individually in damages.

Police also launched an investigation into that carried the access link.

Kookmin Bank Case[28]

Korea’s largest lender Kookmin Bank faces a class action suit from customers after it mistakenly leaked their private information in a circular e-mail.

The bank e-mailed 3,700 members of its online lottery website to entice them into buying lottery tickets, sending an attachment that contained the resident registration numbers, names and e-mail addresses of some 32,000 customers.

Victims also filed complaints with the Financial Supervisory Service.

In April 2006, the plaintiffs demanded a total of 1.242 billion won (USD 1.2 million), or 3 million won (USD 3,229) for each victim, in compensation, alleging severe psychological stress due to the leak of the information.

Lineage case[29]

NCSoft, the developer of the online game Lineage, is being sued for a large scale privacy breach.

While conducting a regular game upgrade in May 2005, NCSoft failed to encrypt a database log file that contained usernames and passwords. As a result, the account data of numerous Lineage II subscribers were available on a computer used for the game.

Bogus Lineage accounts were then apparently used by China-based groups to generate virtual items in the game world, which were sold to gamers in exchange for real world cash.

8,500 victims launched a class action against NCSoft after their personal information was stolen by hackers to create fraudulent accounts in Lineage. They sought damages for the leak, citing the firm’s failure to take timely steps against the threat.

In April 2006, the Seoul District Court ordered NCSoft to pay out 500,000 won (USD 500) to each plaintiff who lodged a civil complaint. The total payout is around USD 4,250,000.

NCSoft is likely to appeal the verdict.


Taiwan

Taiwan has complex privacy legislation in place: the Computer-Processed Personal Data Protection Law 1995 (‘the PDP Law’) regulates the ‘computerized processing of personal data’. The PDP Law requires certain private sector organisations to register their activities with a relevant regulator. Fidelity Taiwan has registered and, as a result, is bound by the privacy legislation, but receives some generous waivers for communications with clients.

The compensation arrangements are contained in Article 28:

A non-government agency which infringes upon the rights and interests of a principal as a result of its violation of this Law shall be liable for the damages arising therefrom, provided, however, that these provisions do not apply to the situation where the non-government agency can prove that the damages are not caused by its wilful conduct or negligence.
The total amount of compensation for the damages referred to in the two preceding paragraphs shall not be less than NT$20,000 (USD 614) but not more than NT$100,000 (USD 3,068) for each case of damages per person, provided, however, that the above provisions do not apply to the situation where the injured party can prove that the damages sustained by it are more than the aforesaid prescribed amount.
With regard to damages caused to the principal by the same cause and fact, the total amount of compensation shall not be more than NT$20 million (USD 613,638).

The criminal sanctions are contained in Articles 33 and 34:

Article 33
A person with an intention to seek profits, who violates Articles 7, 8, 18 and 19, Paragraph 1 and 2, Article 23, or a restriction order issued under Article 24 of this Law and thereby causes damages to others, shall be punished with imprisonment for not more than five years, detention, or, or in addition thereto, a fine of not more than NT$1,000,000 (USD 30,000).
Article 34
A person with an intention to acquire illegal interests for its personal or a third party's benefit, or to damage others' interests, who makes illegal output, interference, alteration or deletion of a personal data file or impedes the accuracy of a personal data file, causing damages to others, shall be punished with imprisonment for not more than five years, detention, or a fine of not more than NT$1,000,000 (USD 30,000).

Case Studies

Privacy complaints in Taiwan often result in the imposition of serious sanctions.

The following table contains examples that are indicative of the range of sanctions used in Taiwan:





Citibank Case[30]

The Ministry of Finance investigated and then disciplined Citibank after hackers breached the security of Citibank’s online credit card application in Taiwan in November 2003, exposing 2000 customers’ data.

The Ministry of Finance punished Citibank for ‘negligent internal management’.

Internet customers complained that they could access the personal information of other applicants. The online forms contained the names, addresses, birthdays, and other pertinent personal information of credit card applicants.

Citibank was prohibited from issuing any new credit cards for a month and ordered to unplug all of its online banking services for at least three months to allow the Ministry to inspect security before reinstating the services.

Yu Li International Marketing Corporation case[31]

The Kaohsiung District Prosecutor's Office brought a criminal case against 32 civil servants and civilians for their role in leaking 2 million entries of illegally obtained personal information.[32]

Prosecutors found that an organised crime syndicate began in 1995 to bribe law enforcement officers, coast guard patrol examiners, the privatised Chunghwa Telecom Co and private telecommunication company employees to obtain personal information such as home telephone numbers, mobile phone numbers, household registration, car registration and bank account information.

They then sold the illegally obtained information to other crime rings and individuals, including lawmakers, police officers and employees of credit information offices.

Police discovered that personal data on more than 10 million individuals had been sold by Yu Li International Marketing Corporation to various fraud syndicates.

The Consumer Protection Commission announced that monetary compensation would be paid to people whose confidential information was leaked by telecommunication companies.

Even people who have suffered no loss from having had their information leaked can demand compensation from the telecom companies. The amounts, ranging between NT$20,000 (USD 610) and NT$100,000 (USD 3,100), are based on those stipulated by the Law for the Protection of Computer-Managed Personal Information (LPCMPI).


[1] Section 113B, Criminal Procedure Ordinance 1999 (HK), <>.

[2] Privacy Act 1988 (Cth), <>.

[3] Office of the Privacy Commissioner, 2005-06 Annual Report of the Office of the Privacy Commissioner, <>.

[4] J v Superannuation Provider [2005] PrivCmrA 7, <>.

[5] C v Commonwealth Agency [2003] PrivCmrA 1, <>.

[6] I v Major wholesaler [2003] PrivCmrA 7, <>.

[7] Determination No. 1 of 1993, Between, “A”, Complainant and the Secretary, Department of Defence, Respondent, <>.

[8] Personal Data (Privacy) Ordinance 1995 (HK), <>.

[9] Section 50, Personal Data (Privacy) Ordinance 1995 (HK).

[10] Section 113B, Criminal Procedure Ordinance 1999 (HK), <>.

[11] Section 64(7), Personal Data (Privacy) Ordinance 1995 (HK).

[12] Hong Kong Independent Commission Against Corruption, Press Release, 27 March 2006, <>.

[13] Prosecutions Division, Hong Kong Department of Justice, Criminal Appeals Bulletin, December 2006, <>, pages 25-31.

[14] Case No.: 2001001 Non-compliance with an enforcement notice - Section 64(7), <>.

[15] Hong Kong Office of the Privacy Commissioner for Personal Data, A telecommunications company fined for breaching Personal Data (Privacy) Ordinance, Press Release, 15 September 2006, <>.

[16] Act on the Protection of Personal Information 2003 (JP), <>.

[17] <>.

[18] Refer to Softbank, Comments on Arrest of Attempted Extortion Suspects, 24 February 2004, <>; and Richardson T, Softbank rocked by giant data leak, SecurityFocus, 5 March 2004, <>.

[19] An apology from Softbank included payouts to each affected customer of a JPY 500 (USD 4.22) gift certificates, potentially costing the company some several billion yen.

[20] Financial Services Agency, Japan, Administrative Actions on Mizuho Bank, 25 April 2006, <>.

[21] Financial Services Agency, Japan, Administrative Actions on Credit Suisse Trust and Banking Co., Ltd, 8 April 2005, <>.

[22] Refer to Sydney Morning Herald, KDDI reports massive personal data leak, 13 June 2006, <>.

[23] Ministry of Internal Affairs and Telecommunications, Japan, Measures Taken for Instructing KDDI Corp. to Manage Personal Information Concerning Case of Personal Information Leakage, 21 September 2006, <>.

[24] <>.

[25] Financial Services Agency, Japan, Administrative Actions on Citibank, N.A. Japan Branch, 11 June 2004, <>.

[26] Banking Law 1981 (Japan), <>.

[27] Bang AI, LG sued for personal info leak, Asia Media, 17 October 2006, <>.

[28] Refer to: Chosun, Kookmin Faces Class Action Over Data Leak, 18 April 2006, <>.

[29] Refer to Burns S, Game ID thefts surpass one million, IT Week, 16 March 2006, <>.

[30] Refer to: Wright B, The Costs of Not Securing Personally Identifiable Data, 2004, < 2004.pdf>; and Huang J, Ministry punishes bank for online security leaks, Taipei Times, 26 November 2003, <>.

[31] <>.

[32] <>.