
Korea to Impose 10% Revenue Penalty on Firms for Major Data Breaches

By Kim Heung-rok, reporter

The Personal Information Protection Commission (PIPC) is pushing to impose fines of up to 10 percent of revenue on companies that cause large-scale personal data breaches or repeated incidents. The commission is also reviewing the introduction of class action lawsuits for data privacy cases, a mechanism currently available only in the securities sector. The measures aim to encourage companies to invest more in preventive measures before incidents occur.

PIPC reported these plans as part of its 2026 work plan during a presidential briefing held at the Sejong Government Convention Center on Monday.

The commission will establish new provisions raising the fine threshold from 3 percent to 10 percent of revenue for companies that commit repeated or serious violations. Current data protection law caps fines at 3 percent of total revenue for companies responsible for data breaches. The new framework would allow regulators to impose penalties more than three times stronger than current levels when necessary.

However, provisions allowing exclusion of revenue from unrelated business areas will remain. The existing 3 percent threshold will also be maintained considering the burden on small and medium-sized enterprises. The 10 percent penalty would apply only when specific conditions are met, including intentional or grossly negligent conduct and large-scale damage.

Rep. Park Beom-kye of the Democratic Party of Korea and other lawmakers submitted an amendment to the Personal Information Protection Act on Thursday that would allow fines of up to 10 percent of revenue. The bill limits punitive fines to cases involving repeated violations due to intentional or gross negligence within the past three years, intentional or grossly negligent conduct causing damage to 10 million or more data subjects, and data breaches resulting from failure to comply with corrective orders.

PIPC Chairman Song Kyung-hee said the commission shares the same position as the parliamentary bill and is pursuing it together. "Public consensus on the necessity has been formed, so we expect it to proceed quickly. The commission is making maximum efforts," Song said.

However, even if the bill passes, it would be difficult to apply to Coupang. "We need to examine each case individually, but punitive fines would likely be difficult to apply to incidents that occurred before the amendment," Song said.

PIPC is also pursuing measures to enable damage compensation through group litigation when data breaches occur. Currently, when collective dispute mediation fails after a data breach, victims cannot receive compensation even if they proceed to group litigation, because the law contains no damage compensation provisions. To receive compensation, individuals must file lawsuits separately through law firms.

The commission reported it will pursue enabling damage compensation through group litigation while also participating in discussions on class action lawsuits. Under a class action system, when some victims win as representatives, all affected consumers receive compensation, including those who did not participate in the lawsuit; this is known as the opt-out method. However, Korea currently allows class action suits only in the securities sector.

President Lee Jae-myung said at the briefing, "You said you would make data breach incidents subject to group and class action lawsuits, and right now the entire nation is a victim." He added, "Filing a lawsuit would cost more than the compensation itself, so class action suits must be introduced. I hope you will speed up the legislation."

The commission is also strengthening the effectiveness of the Information Security Management System-Personal (ISMS-P) certification by enhancing on-site technical reviews. By the first half of next year, the commission will pursue legislation mandating management obligations for company CEOs as the final responsible party for safe handling and protection of personal information. The measure aims to establish awareness that data protection is a company-wide responsibility, not just the work of certain employees.

PIPC also reported other major initiatives for next year, including establishing a technology analysis center, reducing fines for companies that actively invest in data protection, operating an AX innovation support helpdesk, and creating a safe MyData ecosystem.

"Personal data breaches are surging and data demand is growing with the AI transition, so this is the time to fundamentally transform the personal information protection system," Song said. "We will shift the paradigm from document-based to on-site focused, and from post-incident sanctions to prevention."