"Up to 10% of Sales as Fines for Major Data Breaches"... Coupang, KT Excluded from New Rule (Comprehensive)
Transition from Post-Incident Penalties to Prevention-Oriented Approach
Major Public Systems to Be Directly Managed by the Commission
Expansion of Personnel and Budget for Personal Information Protection
Coupang and KT Investigation
Going forward, companies that cause serious or repeated personal information leakage incidents will be required to pay punitive fines of up to 10% of their revenue. At the same time, companies and institutions that make proactive investments in personal information protection will be eligible for incentives such as reductions in fines. However, since the new system will only apply from September, after the legal amendments take effect, companies such as Coupang and KT, which have already experienced large-scale data breaches, will be excluded from the new measures.
The Personal Information Protection Commission announced on May 12 that it reported the "Plan to Shift to a Prevention-Oriented Personal Information Management System" to the Cabinet meeting presided over by the President. This plan was prepared to enhance the level of personal information protection and effectively respond to increasingly large-scale leakage incidents, especially as the use of personal information rises in the context of digital transformation driven by artificial intelligence (AI) and the expanding platform economy.
Song Kyunghee, Chairperson of the Personal Information Protection Commission, briefs reporters on the "Plan to Shift to a Prevention-Oriented Personal Information Management System" on the afternoon of the 12th at the Government Seoul Office in Jongno-gu, Seoul. (Photo: Personal Information Protection Commission)
Up to 10% Revenue Fine for Major Data Breaches... Not Applicable to Past Incidents
First, for repeated or serious violations of the Personal Information Protection Act, punitive fines of up to 10% of revenue will be imposed. Previously, the law allowed for fines of up to 3% of the average revenue over the past three years. The new punitive fine provision will take effect on September 11.
Song Kyunghee, Chairperson of the Personal Information Protection Commission, explained, "Punitive fines will be imposed in cases where a serious accident occurs repeatedly within three years due to gross negligence, where the number of users affected exceeds 10 million, or where an accident occurs because corrective orders were not implemented." For violations that are not considered serious, the maximum fine will remain at 3% of revenue, as before.
The basis for calculating fines will also change, applying the higher amount between the "revenue from the previous year" or the "three-year average revenue." The current law calculates fines based on the three-year average revenue. The new calculation method will apply from May 19.
However, neither the punitive fines nor the revised calculation method will apply to data breach incidents that are currently under investigation. As a result, companies such as Coupang and KT, which experienced significant data breaches last year, will not be subject to the new punitive fines. Chairperson Song stated, "The relevant enforcement decree is expected to be promulgated after passing at today's Cabinet meeting, and will apply to incidents that occur thereafter," adding, "Disciplinary actions against Coupang and others will be carried out according to legal principles and will be commensurate with their responsibility."
A new system to impose enforcement fines will be introduced to ensure prompt investigations and penalties. In addition, sanctions for concealing evidence will be strengthened, and a whistleblower reward system will be implemented. However, for minor violations by small businesses, corrective opportunities will be provided to prevent recurrence and encourage improvement; if violations are repeated, stricter action will be taken.
Incentives will also be provided to encourage investment in raising the level of personal information protection among companies. From now on, proactive protective measures that exceed legal standards, active security investments, and the effective operation of safety management systems will be comprehensively evaluated to grant incentives such as reductions in fines. Additionally, companies will be encouraged to publicly disclose their personal information protection activities to help them further strengthen their own protection capabilities.
Efforts will also be made to support remedies and recovery from damages caused by personal information leaks. In the event of a data breach, companies and institutions will in principle be held liable for damages, and the overall burden of proof will rest with them in order to activate the compensation system.
Practices that deceive or mislead users—such as dark patterns that make it difficult to revise personal information, withdraw consent, or cancel membership—will be closely monitored. The Personal Information Infringement Report Center will also be enhanced to provide professional counseling, consulting, and support for remedial actions.
In cases where sensitive information is leaked, the authorities will monitor illegal distribution on social networking services (SNS) and other channels, detect and delete such content, and work with investigative agencies to track down and punish those who illegally distribute or use personal information.
Institutionalizing Privacy by Design... Expanding Budgets and Manpower
Meanwhile, the Personal Information Protection Commission will establish a risk-based management system with differentiated inspections according to risk levels, and will directly oversee 387 major public systems as well as high-risk sectors such as education and welfare. To enhance the competitiveness of personal information protection across all industries, inspections will be expanded to cover the entire supply chain, including cloud service providers, specialized contractors, and system vendors. The Commission is currently inspecting funeral service companies, customer call centers, and other organizations.
From the initial planning and design stages of a service, the principle of Privacy by Design (PbD) will be institutionalized, requiring the consideration of privacy protection elements during system development. As personal information processing environments become more complex, it becomes difficult to prevent breaches after services are launched. The Commission also plans to incorporate privacy-by-design principles into the criteria for personal information impact assessments and ISMS-P certification standards.
Regarding recent security concerns over Anthropic's general-purpose AI model Mythos, Chairperson Song stated, "The Commission is preparing countermeasures," adding, "We need to build a system that assumes attacks by AI agents, moving beyond the current human-centric defense systems."
Manpower and budget dedicated to personal information protection will also be increased, and cooperation between the public and private sectors will be strengthened to raise protection levels. In addition, graduate school programs for training experts in personal information protection will be expanded by region and area.
Meanwhile, on the status of the Coupang and KT data breach investigations, Chairperson Song said, "We have completed the investigations and sent advance notice of dispositions as per procedure," adding, "After receiving and reviewing opinions from the companies on the advance notices, we will finalize the disposition." Accordingly, sanctions against Coupang and others are expected to be concluded as early as June.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.