South Korea’s Supreme Court has established a clear line on what constitutes an illegal gambling site in the handling of personal information. The case involved a man known as Lee in local reports. Prosecutors said Lee and an accomplice built an illegal online gambling site in 2024. They brought over personal information from a different platform when setting up the new site.
The information was related to 796 people. It contained names, bank account information, and mobile phone numbers. Prosecutors said that information was used to create accounts without the knowledge of the account holders and to test the site’s functions.
Privacy Law Drives the Ruling
The Supreme Court upheld the lower court’s one-year sentence. The ruling also confirmed that Lee could be treated as a personal information processor under South Korea’s Personal Information Protection Act.
That point was the core legal issue. Lee’s side argued that data obtained unlawfully should not place him in the same category as a lawful business handling user records. The court rejected that argument.
Illegal Source Did Not Remove Liability
The source of the data did not alter the way the law should be applied when that information was used to conduct business, the court said. The decision cuts off a potential avenue of defense for lawbreakers. In its absence, an individual could claim that the rules governing the handling of business data do not apply to stolen or leaked data. It added that this would “undermine the protection of victims”.
Lee had already been convicted in lower courts. The first trial considered the activity to be unauthorized access to personal information. The second trial took the additional step of identifying Lee as a data processor, explaining that it had direct access to the user data.
The Supreme Court let stand the second ruling.
Site Testing Argument Fails
Lee also said the gambling site hadn’t gone live, and so the offense described by prosecutors should not hold.
The courts were not persuaded. Judges concluded that the website was not merely a blank test page or a shell under construction. Users could play baccarat, slots, and other games. Deposit and withdrawal functions were operating as well.
That was significant because it tied the privacy violation to an operational gambling site. The personal information had not been taken by accident or filed away in an innocuous internal document. The data was used to support the creation of accounts and to perform operational checks for a casino platform.
What It Means for the Industry
South Korea’s courts have come down on stolen customer data not as a peripheral matter, but as an integral part of the illegal gambling business model. Operators who use leaked credentials to create or test gambling sites risk privacy-related charges, even if the platform is still in an early rollout stage.
