Coupang has been fined 624.7 billion won ($624.7 million) by the Personal Information Protection Commission for a data breach involving customer information. This fine marks the highest penalty ever imposed in South Korea for a violation of personal data protection laws. While it is the duty of government agencies to hold companies accountable for mishandling customer data, the severity of this fine has sparked criticism from both industry stakeholders and civil society regarding its fairness and proportionality.
Last year, SK Telecom faced a fine of 134.8 billion won for a data breach affecting 23.24 million users. Other cases include a 15.1 billion won fine for a data leak involving Kakao Open Chat and a 7.5 billion won penalty for Golfzon. Google and Meta were fined 69.2 billion won and 30.8 billion won, respectively, for violations related to personalized advertising. Notably, Kakao Pay received a 5.9 billion won fine for unlawfully transmitting the credit information of 40 million users to China's Alipay without consent. This transmission included 24 data points, such as users' phone numbers, email addresses, and information related to their account balances.
Each case involves different scales of data breaches, types of information, violations, and revenue structures, making direct comparisons challenging. However, the Coupang case is particularly serious as it involves not only data leakage but also the unauthorized collection of online activity records. This complexity necessitates a more nuanced explanation of why Coupang's fine is more than four times that of SK Telecom and why such a significant disparity exists compared to other platforms and IT companies. The public and market demand clear criteria for understanding these differences.
The civic group Barun Social Civic Group criticized the fairness and proportionality of the sanctions in a statement on June 15. They pointed out that the SK Telecom incident, which involved the leakage of subscriber identification numbers and SIM authentication keys, posed significant risks for financial fraud and phone cloning. They noted that Coupang's fine is 4.6 times greater than that imposed on SK Telecom. The group emphasized that fines should not be an emotional punishment but rather a tool of lawful administration, and proportionality should be demonstrated through consistency with comparable cases.
Coupang operates a complex platform that includes e-commerce, logistics, advertising, and membership services. If the majority of Coupang's domestic revenue was included in the fine calculation simply because it is related to personal data processing, it raises concerns that revenue not directly linked to the violations was used as a basis for the penalty. According to the Personal Information Protection Act, fines should be calculated excluding revenue unrelated to the violations. A clear explanation of which revenues were included or excluded is necessary.
The company's preventive measures should also be considered in the assessment. While significant security investments do not absolve responsibility, it is essential to publicly clarify how much the presence of information security personnel, investments, certification systems, and post-incident actions were factored into the fine reduction. If sanctions are intended as administrative measures to prevent recurrence, businesses should have a predictable understanding of what efforts could lead to a reduction in penalties.
There is also a possibility that this issue could escalate into a trade dispute between South Korea and the United States. Some members of the U.S. Congress have argued that the fine represents discrimination against Coupang, a U.S.-listed company, compared to Chinese firms like Alibaba and Temu, raising concerns about potential retaliatory tariffs. Coupang has indicated plans to pursue administrative litigation. In the forthcoming judicial review, the court must rigorously examine the intent behind the data breach, the appropriateness of the fine calculation, and the validity of the revenue scope considered.
While strong personal data protection is essential, stringent regulations do not automatically equate to effective regulation. There must be a belief that similar cases are treated with the same standards, and more severe cases incur greater responsibilities. Holding Coupang accountable is necessary, but it is equally important to explain whether the 624.7 billion won figure was determined based on legal principles, standards, and comparable precedents. A lack of proportionality in strictness breeds distrust rather than upholding the rule of law.

[Photo by Jo Jae-hyung]
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.
