Coupang Fined Record Amount for Data Breach

By BAEK SEO HYUN | Posted: June 11, 2026, 17:30 | Updated: June 11, 2026, 17:30
Illustration of security threats related to Mitos [Photo=Reuters]

Penalties for personal information breaches are increasing significantly. The Personal Information Protection Commission (PIPC) has imposed a fine of 624.7 billion won on Coupang, the largest penalty since the Personal Information Protection Act took effect.

This amount is approximately 3.7 times the 167.7 billion won in total fines imposed on companies last year, so this single fine exceeds the combined penalties for all companies that year.

The record for penalties has been broken annually. In 2022, the PIPC fined Google and Meta a combined total of 100 billion won for collecting online activity records without user consent, which set the record at the time.

Following that, SK Telecom faced a fine of 134.8 billion won for a data breach involving SIM card information, which set a new high. The fine against Coupang is about 4.6 times that of SK Telecom and six times the combined fines of Google and Meta.

Penalties for major personal information breaches in South Korea have also been steadily increasing. KakaoPay was fined 5.968 billion won for providing user information to Alipay, while Woori Card received a fine of 13.451 billion won for inadequate management of customer data. Fines that once ranged in the tens of millions have now escalated into the hundreds of billions.

The increase in fines is partly due to amendments to the Personal Information Protection Act. The current law allows fines of up to 3% of the revenue related to the violation. A 2023 amendment expanded the basis for calculating fines from revenue related to the violation to total revenue, meaning that larger platform companies with more users will face higher penalties. However, companies can exclude revenue unrelated to the violation if they can prove it.

Stricter penalties are expected to take effect in September. The PIPC is currently proposing amendments to the Personal Information Protection Act. The proposed changes include imposing punitive fines on companies that repeat the same violations within three years, cause data breaches affecting over 10 million individuals, or leak personal information again after failing to comply with corrective orders. If these conditions are met, the maximum fine could increase from the current cap of 3% of total revenue to 10%. However, the Coupang case will not fall under this punitive fine provision as it occurred before the amendments take effect.

The security industry anticipates that the level of penalties will rise further as major platforms experience increasingly large-scale personal information breaches. According to the Korea Internet & Security Agency (KISA), the number of reported personal information breaches reached 447 last year, a 45.6% increase from the previous year. IBM's '2025 Data Breach Cost Report' also indicates that as AI technology advances, companies with inadequate security controls and internal management are at greater risk of breaches.



* This article has been translated by AI.

Copyright ⓒ Aju Press All rights reserved.