Recurring Personal Data Breaches
Stronger Penalties and Executive Accountability Needed
Effective and Robust Regulations Essential

[Insight & Opinion] 40 Million Personal Data Leaked: How Long Will Lenient Punishments Continue?

Kakao Pay recently sparked a major controversy after it was revealed that the company had illegally transferred the personal information of 40 million users overseas. The Personal Information Protection Commission imposed a fine of 6 billion KRW, but compared to Kakao Pay’s revenue, this penalty is merely a slap on the wrist. Ultimately, it is questionable whether such punishments can eradicate illegal practices by corporations. That personal information continues to be leaked without authorization in a country governed by the rule of law is the result of insufficient regulation and weak penalties.


The biggest issue in this case is the complacent attitude of companies toward personal information protection. This is not just simple data but an important asset directly linked to users’ privacy, rights, and even safety. However, companies perceive it more as something to evade regulation than as an obligation to protect. Kakao Pay transferred data overseas without clear notification to users, and internal controls were also inadequate. This is by no means a simple mistake but clearly reveals structural problems within the company.


The 6 billion KRW fine is negligible compared to Kakao Pay’s annual revenue. This ultimately instills the wrong perception that “violations only require paying a fine.” Apple, which received the data without authorization, was also sanctioned. However, global IT companies generate enormous profits in the Korean market yet do not take domestic regulations seriously. Domestic fines do not pose any real burden to them. These companies often treat government regulations as a cost-benefit calculation and continue their business as long as the profits outweigh the fines.


The core problem lies in the weak penalties for violations of the Personal Information Protection Act. Current legal punishments are limited and easily manageable by companies. If such behavior continues, companies are likely to regard personal information protection merely as a cost-saving measure. In contrast, the European Union’s General Data Protection Regulation (GDPR) can impose fines up to 4% of annual revenue on violating companies. This is a strong sanction designed to prevent companies from easily risking legal violations.


If the government has the will, the solution is actually straightforward. First, the Personal Information Protection Act should be amended to significantly strengthen penalties. Fines should be linked to company revenues, and repeated violators should face strong sanctions such as business suspension. Second, the government should enhance functions to conduct prior reviews and audits of personal information protection measures. Current regulations mostly involve after-the-fact actions, with penalties imposed only after damage occurs. A thorough government oversight system is needed to prevent violations in advance. Third, legal responsibility of executives must be strengthened. Since sanctions are mostly imposed at the corporate level, executives who neglect personal information protection rarely face accountability. Imposing legal responsibility on executives will ensure that companies thoroughly protect personal information themselves. Lastly, it is important to strengthen users’ rights. When personal information is breached, victims should be able to respond actively through the introduction of class action lawsuits and simplified compensation procedures. Many victims find it difficult to respond individually, which companies often exploit.
As long as companies treat personal information not as a protected asset but merely as ‘data assets,’ stronger sanctions and effective regulations are necessary. Protecting users’ rights must be an essential obligation, not a choice, and failure to comply should result in strict accountability, including for executives. The government must strengthen personal information protection policies with more effective measures, and awareness should spread that this is not only an individual right but also a corporate social responsibility.

Professor Kim Gyu-il, Michigan State University


This content was produced with the assistance of AI translation services.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
