Korea to Impose 10% Revenue Fines for Major Data Breaches

By reporters Jin Dong-young (진동영) and Ma Ga-yeon (마가연)

South Korea is moving to impose fines of up to 10% of annual revenue on companies that cause large-scale personal data breaches, following the recent Coupang incident.

The ruling Democratic Party of Korea is leading the legislative push, with the Personal Information Protection Commission (PIPC) coordinating the effort. The opposition People Power Party plans to introduce a similar bill, raising expectations for swift passage through the National Assembly. However, the strengthened penalties are not expected to apply retroactively to Coupang, whose case triggered the legislative action.

Rep. Park Beom-gye of the Democratic Party is scheduled to introduce an amendment to the Personal Information Protection Act on January 10 after consultations with PIPC. The bill includes a special provision allowing fines of up to 10% of total company revenue for repeated and intentional serious violations—more than triple the current maximum of 3% of revenue. The amendment will also allow victims to seek damages through class action lawsuits over data breach harm, sources said.

Rep. Kim Sang-hoon of the People Power Party is preparing a similar amendment. His bill also raises the maximum fine to 10% of revenue for major data breaches, targeting cases involving intentional or grossly negligent repeated violations within three years, or incidents affecting more than 10 million people.

The ruling party's proposal emerged from consultations with PIPC, while the opposition's bill reflects similar concerns raised in standing committee discussions. Both parties plan to submit the amendments to the National Policy Committee's legislation subcommittee scheduled for January 15. "We plan to review the opposition's proposal alongside the government-party agreement," a committee official said. The bills will be sent directly to the subcommittee without going through the full committee.

The bipartisan crackdown reflects the view that recent incidents—including the breach affecting approximately 30 million Coupang members—amount to man-made disasters rather than unavoidable accidents. The aim is to impose punitive legal responsibility on data-handling companies to prevent recurring incidents amid growing public anxiety.

Under the proposed amendments, Coupang, which reported consolidated revenue of 41 trillion won ($30 billion) last year, could face fines of up to 4.1 trillion won. However, both parties' bills reportedly include provisions stating the new rules will not apply retroactively to incidents occurring before the law takes effect, meaning Coupang and SK Telecom would not be subject to the higher penalties for their recent breaches.

Industry players have raised concerns that holding companies solely responsible through higher fines is excessive, given that hacking techniques are evolving as rapidly as security technology. "Imposing punitive fines on companies that have proactively invested in security simply because an incident occurred could discourage corporate initiative," an industry official warned.