Research

Australia

No

Yes

AUD 500 (USD 400) to AUD 20,000 (USD 16,000)

Hong Kong

Yes

2 years imprisonment, and a HKD 50 000[1] fine (USD 6,500).

If the offence is of a continuing nature an additional fine of HKD 1000 (USD 130) per day will also apply.

Yes

HKD 1,000 (USD 130) to HKD 50,000 (USD 6,500)

Japan

Yes

Six months imprisonment or a fine of not more than JPY 300,000. (USD 2,500).

Yes

JPY 100,000 (USD 850) to JPY 1,000,000 (USD 8500) (approx).

Suspension of business activities (e.g. one month suspension).

Korea

Yes

5 years imprisonment or a fine not exceeding 50 million won (USD 54,000)

Yes

500,000 won (USD 500) to 20 million won (USD 21,000)

Taiwan

Yes

5 years imprisonment or a NT$1,000,000 (USD 30, 000) fine.

Yes

NT$20,000 (USD 600) but not more than NT$100,000 (USD 3,000) for each case of damages per person

Note: Total compensation is capped at NT$20 million (USD 612,000).

Suspension of business activities (e.g. prohibition on issuing new credit cards for one month).

J v Superannuation Provider[4]

The complainant was pursuing a claim against his superannuation provider for total and permanent disability entitlements. He alleged that records relating to his claim, including reports about covert surveillance undertaken by the superannuation provider as part of the claim assessment were found on a public thoroughfare. The complainant also alleged that documents included incorrect information about him.

The parties agreed to a resolution that included a formal written apology and a payment of compensation of AUD 3,500 (USD 2,750) for loss or damage including legal expenses and hurt and embarrassment.

C v Commonwealth Agency[5]

This case involved the disclosure of sensitive personal information by a Commonwealth agency, where the complainant was employed, to another Commonwealth agency where the complainant had applied for a position. The complainant attended an interview for a position with another Commonwealth agency and provided the name of a referee, who was the complainant's supervisor, to the interview panel. The complainant was unsuccessful at the interview and alleged that the supervisor improperly disclosed personal information about the complainant.

The agency apologised to the complainant and paid compensation of AUD 7,000 (USD 5,500).

I v Major wholesaler[6]

The complainant alleged that her ex partner’s current girlfriend used her position with a major supplier of products on two occasions to access the complainant’s credit report to check her financial position.

The employee was counselled about her actions and has since left the company. The company also offered the complainant its apologies and agreed to pay compensation of AUD 7,500 (USD 6,000) for the interference with her privacy.

The company recognised that there were potential problems regarding access to, and use of personal information. Previously, four separate divisions that operated in a number of States had access to the credit reporting database to assess credit applications. The company consolidated its credit applications functions into one specialised department in its Sydney office.

A v Department of Defence[7]

This determination relates to a complaint lodged by, "A" under section 36 of the Privacy Act 1988 against the Secretary, Department of Defence, regarding an alleged unauthorised disclosure of personal information about him. It was alleged that the Army had disclosed the reason for discharge and in doing so breached the Army Manual of Personnel Administration (MPA) Volume 1 Chapter 2.

A Declaration was made that A is entitled to AUD 5,000 (USD 3,950) as compensation for the embarrassment caused by the disclosure, and for the wages lost as a result of the disclosure. In addition, the Department of Defence was ordered to pay A the amount of AUD 5,000 (USD 3,950) as compensation for the interference with his privacy.

Illegal financial data checks[12]

Nine employees of seven financial institutions were arrested by the Independent Commission Against Corruption for allegedly conducting unauthorised checks on customer data for a debt collection syndicate. The institutions included Citibank, Citic Ka Wah Bank, Hang Seng Bank, DBS Bank (Hong Kong), Bank of China (Hong Kong), AIG Credit Card Company (Hong Kong) and Wing Hang Credit.

One of the defendants, Au Yeung Chuen admitted to retrieving, upon the request of a friend who owned a debt collection agency, and relying on his capacity as the credit control manger of CITIC Ka Wah Bank, customers’ information stored in the computer database of the bank so as to supply the information to his friend. The retrieval occurred once or twice every month, and not more than five customers’ data was retrieved each time. Over the course of the year, the number of customers whose information was retrieved by the defendant approximated between 60 and 120.[13]

Au Yeung Chuen was convicted of conspiracy to obtain access to computer with a view to dishonest gain and was sentenced to 9 months’ imprisonment. He appealed against the sentence but the appellate court upheld the sentence stating that the duration of the offence was long and the information of the customers involved was relatively substantial, the starting point of 9 months’ imprisonment could not be said to be excessive.

Another one of the defendants, Tse Yat-hoi

Case No.: 2001001[14]

In May 2001, the Commissioner referred a case to the police for prosecution as a result of the failure by a person to comply with an enforcement notice pursuant to section 64(7) of the PDPO. The case originated with a non-privacy related complaint by a hotel's customer against the defendant who was a former hotel telesales staff, resulting in his dismissal. Feeling aggrieved, the defendant took records of the hotel's customers' details and used the data to send out numerous fax letters to these customers accusing them of causing him to lose the job. After investigation, the Commissioner found that the defendant had collected personal data of the hotel's customers in breach of the Ordinance. An enforcement notice was served on him directing him to return the customers' information. He failed to comply with the enforcement notice.

The case was referred to the police for prosecution. The defendant was charged, convicted and received a fine (amount not disclosed).

Direct marketing case[15]

A telecommunications company was convicted of breaching section 34 of the PDPO in September 2006 in the Kowloon City Magistrates’ Court. In October 2005, the complainant received a telephone call from the Company promoting its IDD service. He made an ‘opt-out’ request explicitly over the phone (i.e. he asked the Company not to contact him in the future for direct marketing purposes). In December 2005, the complainant received another call from the Company promoting its broadband service. The complainant lodged a complaint with the Privacy Commissioner.

After investigation, the Company was charged with an offence under section 34 of the Ordinance, which requires data users to cease further contact with the individual if the individual chooses to opt-out. The company was fined HKD 4,000 (USD 515).

Defence Agency case[17]

In June 2002, the Defense Agency revealed that it had been collecting names of people requesting information and cross-referencing the list with private information, such as the political affiliations of the requestor.

On February 12, 2004, the Tokyo District Court ruled that the list compiled by the Defence Agency violated privacy, and ordered the agency to pay JPY 100,000 (USD 850) in compensation to a writer who was on the list.

Softbank case[18]

The personal data of about 4.6 million subscribers to Yahoo BB (Broad Band service) was leaked by its employees. The Metropolitan Police Department arrested four persons for allegedly blackmailing Softbank Corp. - the company that operates Yahoo BB - by threatening to leak the confidential customer data. Stolen information included each subscriber's name, address, phone number, subscription starting date and e-mail address.

In May 2004 two persons were arrested for illegally accessing personal information on Softbank customers after obtaining passwords to hack into the company's database. The pair passed the information on to four members of a right-wing extremist group.

On November 19, 2004 the Tokyo District Court sentenced one of the employees to a suspended 2 ½ year prison term and five years of probation. The other employee was given a two-year suspended term with four years of probation. The court criticised the defendants for causing ‘social anxiety’ and of ‘base’ motives, but said decided to suspend their jail terms because, ‘their role was subordinate.’

Three of Yahoo BB's customers have also launched a damages suit against Softbank Corp. before the Osaka District Court, seeking JPY 100,000 (USD 850) each in compensation.[19]

Mizuho Bank case[20]

This case is an example of the Financial Services Agency responding to a data leak, including issuing a ‘Business Improvement Order’ under the Banking Law, and recommendations under Article 34 of the Act on the Protection of Personal Information. If this recommendation is not followed, orders could be given under Article 34(2), and if these are not followed, the penal provisions of Article 56 could apply.

In this case, the recommendation included measures required to protect the rights and interests of individuals should be taken with respect to the following, in consideration of the nature of the incident in that the deed was done by a person with specific authority at the branch:

• Ensure effective security control measures for personal data.
• Strictly oversee employees to ensure the security control of personal data.

Following the business improvement order, Mizuho Bank chose to punish seven board members, including President Seiji Sugiyama, by cutting their salaries by 15% to 30% for two months.

Credit Suisse case[21]

Credit Suisse Bank Trust and Banking disclosed customer data without consent.

As a result, the FSA made an order that suspended Credit Suisse from engaging in new trust business for one month, and required it to implement new controls and procedures to ensure compliance.

KDDI[22]

This case involves a leak, probably by an insider, of personal information of nearly four million customers. The leak was apparently part of an attempted extortion.

KDDI negotiated with the group holding the data and recovered it, but no other details are revealed.

The Ministry of Internal Affairs issued an instruction requiring KDDI to ‘manage personal information adequately and thoroughly’.[23]

Citibank[24]

This case involves Citibank’s loss of a magnetic tape containing client information.

Following the data loss, the FSA[25] made a business improvement order, using its power under the Banking Law 1981.[26]

LG Case[27]

More than 100 job applicants filed a class action suit against LG Electronics for leaking their private information online. The police also investigated the leak. The personal information of over 22,000 applicants for LG Electronics jobs was made public for about an hour, where people could access private details such as the applicants' pictures and academic grades.

A member of Daum internet cafe ‘Job Break’ had applied for a job at LG, but was not hired. The member then posted the link to the personal data, saying he did it because he was not hired.

In October 2006, the victims sought 20 million won (USD 21,000) individually in damages.

Police also launched an investigation into Daum.net that carried the access link.

Kookmin Bank Case[28]

Korea’s largest lender Kookmin Bank faces a class action suit from customers after it mistakenly leaked their private information in a circular e-mail.

The bank e-mailed 3,700 members of its online lottery website to entice them into buying lottery tickets, sending an attachment that contained the resident registration numbers, names and e-mail addresses of some 32,000 customers.

Victims also filed complaints with the Financial Supervisory Service.

In April 2006, the plaintiffs are demanding a total of 1.242 billion won (USD 1.2 million) or 3 million won (USD 3,229) for each victim in compensation alleging severe psychological stress due to the leak of the information.

Lineage case[29]

NCSoft, the developer of the online game Lineage, is being sued for a large scale privacy breach.

While conducting a regular game upgrade in May 2005, NCSoft failed to encrypt a database log file that contained usernames and passwords. As a result, the account data of numerous Lineage II subscribers were available at a computer used for the game.

As a result, bogus Lineage accounts were apparently used by China-based groups to generate virtual items in the game world which were then sold to gamers in exchange for real world cash.

8,500 victims launched a class against NC Soft after their personal information was stolen by hackers to create fraudulent accounts in Lineage. They sought damages for the leak citing the firm’s failure to take timely steps against the threat.

In April 2006, the Seoul District Court ordered NCSoft to pay out 500,000 won (USD 500) to each plaintiffs, who lodged a civil complaint. The total payout is around USD 4,250,000.

NCSoft is likely to appeal the verdict.

Citibank Case[30]

The Ministry of Finance investigated and then disciplined Citibank after hackers breached the security of Citibank’s online credit card application in Taiwan in November 2003, exposing 2000 customers’ data.

The Ministry of Finance punished Citibank for ‘negligent internal management’.

Internet customers complained that they could access the personal information of other applicants. The online forms contained the names, addresses, birthdays, and other pertinent personal information of credit card applicants.

Citibank was prohibited from issuing any new credit cards for a month and ordered to unplug all of its online banking services for at least three months to allow the Ministry to inspect security before reinstating the services.

Yu Li International Marketing Corporation case[31]

The Kaohsiung District Prosecutor's Office brought a criminal case against 32 civil servants and civilians for their role in leaking 2 million entries of illegally obtained personal information.[32]

Prosecutors found that an organised crime syndicate began in 1995 to bribe law enforcement officers, coast guard patrol examiners, the privatised Chunghwa Telecom Co and private telecommunication company employees to obtain personal information such as home telephone numbers, mobile phone numbers, household registration, car registration and bank account information.

They then sold the illegally obtained information to other crime rings and individuals, including lawmakers, police officers and employees of credit information offices.

Police discovered that personal data on more than 10 million individuals had been sold by Yu Li International Marketing Corporation to various fraud syndicates.

The Consumer Protection Commission announced that monetary compensation would be paid to people whose confidential information was leaked by telecommunication companies.

Even people who have suffered no loss from having had their information leaked can demand compensation from the telecom companies. The amounts, ranging between NT$20,000 (USD 610) and NT$100,000 (USD 3,100), are based on those stipulated by the Law for the Protection of Computer-Managed Personal Information (LPCMPI).