
South Korea is tightening criteria for reducing fines on highly serious violations of the Personal Information Protection Act, including large-scale personal data leaks, while imposing stricter standards for calculating revenue used in determining penalties.
The Personal Information Protection Commission (PIPC) said partial amendments to the Enforcement Decree of the Personal Information Protection Act and to the notification on standards for imposing fines for violations of the Personal Information Protection Act will take effect on Nov. 19, with the aim of enhancing the effectiveness and appropriateness of fines.
Under the amendments, grounds have been established to exclude fine reductions for highly serious violations.
Current fine standards allow penalty reductions when certain conditions are met, such as cooperation with investigations or voluntary protection activities. However, critics argued that applying the same criteria uniformly even in cases of severe violations or extensive damage weakens the deterrent effect of sanctions and diminishes corporate incentives to prevent incidents.
The amendments accordingly include provisions allowing all or part of the reductions to be withheld when the severity of a violation qualifies as a "highly serious violation."
The standards for calculating fines have also been strengthened. Fines will now be calculated based on the greater of "revenue from the immediately preceding fiscal year" or "average annual revenue from the three preceding fiscal years."
The change comes after concerns that the current rule, which calculates fines based on average annual revenue from the three fiscal years preceding the violation, fails to reflect the actual economic capacity of companies with rapidly growing revenue, such as information technology (IT) and platform companies.
Once the amendment takes effect, revenue from the immediately preceding fiscal year will apply to companies with growing revenue, which is expected to enhance the effectiveness of fine impositions.
However, under Article 14 of the Framework Act on Administrative Affairs, the revised provisions apply only to violations occurring after the amendment takes effect. Since previous regulations apply to violations that ended before the effective date, the changes will not be retroactively applied to the personal data leak cases involving Coupang (CPNG) or KT (030200.KS) currently under investigation.
"We will respond more strictly to serious personal information infringements by imposing fines that correspond to a company's current economic capacity and the severity of the violation," the PIPC said.







