] The Korea Communications Commission has imposed 180 million won ($163,000) in fines on Lotte Homeshopping for selling the personal information of its customers to other companies.
But the fines were too small compared to the revenue Lotte earned through the sale of customer data. The home shopping channel earned 3.7 billion won between 2009 and 2014 by selling 3.24 million pieces of customer data to insurance companies.
The fines were small because they were levied for a fraction of the personal information Lotte sold -- the data of 29,000 customers that it sold without their consent.
The commission could not impose any fines for more than 99 percent of the customer data Lotte sold because the company had obtained consent from the other customers for its provision of their personal data to a third party.
The current law on personal information protection does not ban sales of customer information. It simply states that a private company can “provide” the personal information of its customers to a third party if it has obtained consent from them.
The problem with the law is that it does not tell whether the “provision of personal data to a third party” includes selling the data to other companies.
Private companies interpret the law as allowing them to sell customer data only if customers agree to the provision of their information to a third party.
Consumers usually do not read the terms and conditions when they sign up for online services of retailers. Companies know this and include in the membership terms a clause to the effect that customer information can be passed on to other companies for marketing purposes.
By accepting the terms without reading them carefully, customers unwittingly allow unethical retailers to earn undue profits by selling their personal data.
In a similar case, Homeplus Co. got away with earning 23 billion won by selling more than 24 million pieces of personal data it collected from participants in its lotteries for free gifts.
The company put a notice on its lottery coupons that participants’ personal information could be passed on to a third party. But the notice was written in minuscule letters that were barely visible.
Yet the court found the discount store chain not guilty of selling customer data illegally because it had fulfilled its duty to inform the participants.
These cases illustrate that the current law on personal information protection fails to serve its purpose. The law should be rewritten to ban unethical companies from making money by sharing the personal information of customers.