South Korea weighs fines of up to 10 percent of revenue for major data breaches

By Park Jin-young. Posted: December 10, 2025, 15:20. Updated: December 10, 2025, 15:20
Coupang delivery truck/ Yonhap


SEOUL, December 10 (AJP) - South Korea’s National Assembly is considering legislation that would allow regulators to fine companies up to 10 percent of their revenue for serious data breaches, as lawmakers seek tougher penalties following a series of large-scale leaks.

The proposed amendment to the Personal Information Protection Act, introduced by Park Beom-kye of the ruling Democratic Party and Kim Sang-hoon of the main opposition People Power Party, would raise the current cap on administrative fines from 3 percent of revenue to 10 percent in cases of major violations.

The move follows high-profile incidents involving major companies, including a leak of 33.7 million customer records at Coupang and previous breaches at SK Telecom, Lotte Card and LG Uplus.

Under the bill, the higher penalty rate would be applied as a punitive measure in cases involving intent or gross negligence, breaches affecting more than 10 million people, or situations in which companies failed to comply with regulatory corrective orders.

If enacted, the legislation would expand victim protection and compensation. Park’s proposal would require companies to notify customers of potential leaks and would allow collective damage claims, rather than limiting class actions to injunctions, as is currently the case.

Kim’s proposal would make business owners or top executives ultimately responsible for data protection and require the reporting of designated data protection officers. It would also make security certification mandatory, rather than voluntary.

The bill is scheduled for review at a National Assembly subcommittee on Dec. 15. Park’s office said momentum is building in favor of stronger economic penalties, noting growing bipartisan support for the 10 percent cap.

The government has also backed tougher enforcement. President Lee Jae Myung said stronger, more realistic fines were needed following the Coupang incident, and previously urged tougher penalties and punitive damages at a cabinet meeting on Dec. 2.

Business groups, however, have warned of potential unintended consequences. A fine of 10 percent of revenue could translate into trillions of won for large companies. Industry representatives argue that steep penalties could burden firms even for relatively minor security lapses.

Critics have also said the government is placing excessive responsibility on companies while failing to address structural weaknesses in national cybersecurity frameworks, calling for stronger public-sector security governance and more effective certification systems.

* This article, published by Aju Business Daily, was translated by AI and edited by AJP.
