by Lee Myeonghwan
Published 12 May.2026 11:31(KST)
Updated 12 May.2026 13:35(KST)
Starting in the second half of this year, companies responsible for major or repeated personal information breaches will be required to pay punitive fines of up to 10% of their sales. At the same time, companies and institutions that make proactive investments in personal information protection will be granted incentives such as reductions in fines.
The Personal Information Protection Commission announced on May 12 that it had reported its 'Plan for Transition to a Prevention-Oriented Personal Information Management System' at a Cabinet meeting presided over by the President.
Song Kyounghee, Chairwoman of the Personal Information Protection Commission, speaks at the 5th plenary session held at the Government Seoul Office in Jongno-gu, Seoul, on March 25, 2026. Photo by Jo Yongjun
This plan was established to enhance the level of personal information protection and to effectively respond to increasingly large-scale data breaches, amid an environment where the use of personal information is expanding due to the digital transformation driven by artificial intelligence (AI) and the growth of the platform economy.
First, for repeated or major violations of personal information protection laws, punitive fines of up to 10% of a company's sales will be imposed. Previously, fines could be imposed up to 3% of the average sales over the past three years. This new punitive fine provision will take effect on September 11.
The standards for calculating fines will also change: instead of the current 'three-year average sales,' the higher amount between 'previous year's sales' and 'three-year average sales' will be used. The new fine calculation method will be applied starting May 19.
A new system of compliance orders will also be introduced so that investigations and dispositions can proceed quickly. Sanctions for concealing evidence will be strengthened, and a whistleblower reward system will be implemented. For minor violations by small businesses, opportunities for correction and prevention of recurrence will be provided first; repeated violations, however, will be dealt with strictly.
Through incentives and other measures, the plan also aims to encourage companies to invest in improving their level of personal information protection. Going forward, proactive protection measures that exceed legal requirements, active security investments, and the effective operation of safety management systems will be comprehensively evaluated and lead to incentives such as reductions in fines.
At the same time, executives will be held accountable for personal information protection starting in September, and companies will be encouraged to publicly disclose their personal information protection activities so that they can strengthen their own protection capabilities.
The plan will also support remedies and recovery for damages caused by personal information breaches. In principle, companies and institutions will be held liable for damages in the event of a breach, and the burden of proof will rest with the company rather than the victim, making the compensation system work in practice.
The commission will focus on monitoring and addressing practices—such as dark patterns—that mislead or deceive users and make it difficult to modify personal information, withdraw consent, or unsubscribe. The Personal Information Infringement Report Center will also be strengthened to provide specialized counseling, consulting, and support for remedial actions.
In the event of sensitive information leaks, illegal distribution through social networking services (SNS) and other channels will be monitored, detected, and deleted, and the commission will cooperate with law enforcement agencies to track and punish those who illegally distribute or use personal information.
Meanwhile, the Personal Information Protection Commission will establish a risk-based management system with differentiated inspections according to risk levels. The commission will focus on managing major public systems (387 in total) and high-risk sectors such as education and welfare.
Additionally, to enhance the competitiveness of personal information protection across companies and industries, inspections will be expanded to include the entire supply chain, covering cloud service providers, specialized consignment companies, and system suppliers. The commission is currently inspecting funeral service companies and customer service centers, and will recommend corrective measures for any deficiencies found.
The principle of Privacy by Design (PbD) will be institutionalized so that it is reflected from the service planning and design stage. As the environment for handling personal information becomes more complex, it is difficult to prevent breaches after a service is launched. PbD means considering personal information protection elements from the system design stage. The commission also plans to incorporate the Privacy by Design principle into the standards for personal information impact assessments and ISMS-P certification.
The budget and dedicated personnel for personal information protection will also be increased, and the level of protection will be raised through public-private cooperation. Through a status survey conducted in February, the commission confirmed that there is a lack of personnel and budget for personal information protection in the public sector. Therefore, together with relevant ministries, the commission will also work to improve the treatment of dedicated personnel.
Foundations will also be laid for the training of professional personnel specializing in personal information protection. To foster experts who can solve real-world problems on site, graduate programs will be expanded by region and area. The commission will newly design and operate customized practical education programs based on an analysis of roles for policy makers, developers, and incident response teams.
Chairwoman Song Kyounghee of the Personal Information Protection Commission stated, "Once personal information is leaked, it is difficult to fully restore the damages, and recovery takes a long time. The commission will build a system where, in addition to post-incident responsibility, preventive measures can function effectively, so that we can protect citizens' information more safely and create an environment where the public can confidently make use of personal information."