President Lee Calls for Bankruptcy-Level Penalties on Data Breach Companies

Personal Information Protection Commission (PIPC) Chairperson Song Kyung-hee reported to President Lee Jae-myung that the agency would impose penalties of up to 10 percent of annual revenue on companies that leak personal data. President Lee responded by emphasizing that "companies must feel they will go bankrupt" for such violations.
At a government briefing held at the Sejong Convention Center on Monday, Chairperson Song said, "We will strengthen the effectiveness of sanctions so that companies recognize it is more advantageous to invest in prevention than to deal with data breach incidents." She added, "To this end, we will pursue imposing punitive fines of up to 10 percent on companies that repeatedly cause data breaches."
Under the current Personal Information Protection Act, companies that cause personal data breaches can be fined up to 3 percent of their total revenue. The plan aims to raise this ceiling to 10 percent of revenue, enabling penalties more than three times the current maximum when necessary.
President Lee expressed agreement with the measures. "Economic sanctions against companies that cause personal data breaches are too weak," he said. "Companies must make efforts not to violate regulations and be required to spend money on compliance. If they harm the public, they should face enormous economic sanctions—they must feel that the company will go bankrupt."
President Lee specifically ordered strengthening enforcement decree standards, which can be implemented more quickly than legislative amendments. When Chairperson Song reported that "the law sets punitive fines at 3 percent of total revenue, while the enforcement decree sets it at 3 percent of the average revenue over the previous three years," President Lee responded, "It gets weaker as you go down to the decree level. Let's fix the enforcement decree first—make it 3 percent of the highest revenue year among the past three years."
The president added, "Current economic sanctions are so weak that violations happen routinely and companies don't care. There should be chaos when violations occur, but looking at companies' attitudes after violations, they seem to say 'What are you going to do about it?'"
In a related development, Democratic Party of Korea lawmaker Park Beom-kye and others submitted an amendment to the Personal Information Protection Act on January 9 that would add special provisions imposing fines of up to 10 percent of total corporate revenue for repeated and intentional serious violations. The bill limits punitive fines to cases including: repeated violations due to intentional or gross negligence within the past three years; intentional or gross negligence causing harm to a large number of data subjects (10 million or more); and data breaches resulting from failure to comply with corrective orders.
If the government and National Assembly pass such standards, the PIPC could potentially impose fines on Coupang (CPNG) of up to approximately 4.1 trillion won based on last year's revenue of 41 trillion won ($30 billion).
