Tensions are mounting in Korea's industry as the government and ruling party accelerate follow-up legislation that would sharply expand corporate liability for damages, on top of recently introduced punitive fines for personal data breaches.
According to political and industry sources on Tuesday, the ruling bloc plans to push a second round of amendments to the Personal Information Protection Act, centered on bills separately proposed by Democratic Party lawmakers Kim Yong-man, Park Beom-kye, and Han Jeong-ae. The Personal Information Protection Commission, the supervising agency, plans to ask the National Policy Committee to skip a plenary session and refer the amendments directly to the legislative subcommittee for swift passage. The move reflects a determination to fast-track the follow-up amendments alongside the first revision set to take effect in September, in order to rectify lax personal data management practices.
The second-round amendments include heavy-handed regulatory measures such as removing the "intent or negligence" clause from statutory damages requirements, establishing penalties for the illegal distribution of leaked personal information, introducing a data preservation order system, and imposing enforcement fines for non-cooperation in investigations or failure to comply with corrective orders.
The information and communications technology (ICT) industry has voiced concerns, calling the measures clearly "excessive regulation." Under the current law, data processors are exempt from liability if they prove they acted without intent or negligence. If the amendments pass, however, companies would have to directly prove the absence of fault to avoid liability for damages.
The Korea Internet Corporations Association (KICA) said, "In environments handling massive traffic and data, it is often technically impossible to perfectly trace back the breach path after an incident and identify a specific cause," adding, "This could incentivize companies to shift the blame for incidents onto users as a defensive logic." The association made its opposition to the bill clear, stating, "In cases of unlawful breaches such as external hacking, this is excessive regulation that imposes no-fault liability on companies that are themselves victims."
Concerns have also been raised that an expansion of regulators' powers could infringe on corporate property rights. KICA argued, "If data preservation requests pour in at the mere stage of suspicion, before criminal charges or leak circumstances are confirmed, companies will inevitably have to commit massive resources to respond."
Critics also argue that this regulatory tightening trend will raise social costs and run counter to efforts to nurture the artificial intelligence (AI) industry. "If the amendments pass, a flood of lawsuits is all but certain," said Lim Kyu-chul, a professor at Dongguk University. "By restricting data utilization, which is at the heart of AI development, the bill runs directly counter to the government's own AI promotion policy."
