Ruling party and government: "Companies that leak personal data must pay damages even without intent"

[Financial News] The Democratic Party of Korea and the Lee Jae-myung administration decided on the 4th to overhaul the statutory damage compensation system for large-scale personal data breaches, significantly toughening corporate liability for companies that cause such incidents. Under the plan, companies will have to compensate even when there was no intent to cause the breach.
The Democratic Party of Korea and the Personal Information Protection Commission stated at a party–government meeting at the National Assembly of the Republic of Korea that they will "delete 'intent or negligence' from the current statutory damage compensation provisions so that companies bear the overall burden of proof regarding personal data breaches."
They concluded that it is more important to place fundamental responsibility on companies for the occurrence of a data breach itself than to allow them to seek exemption from liability by arguing that there was no intent or negligence.
Han Jeoung-ae, the Democratic Party of Korea’s policy committee chair, said, "Recently, cases of personal data leaks at Coupang and Seoul Metropolitan City’s public bicycle service 'Seoul Bike (Ddareungi)' have been repeated, heightening public anxiety and concern," adding, "We need to reexamine the laws and systems to respond to increasingly frequent personal data breaches."
She continued, "In reality, it is almost impossible for an individual to prove negligence on the part of a company that has leaked personal data," and argued, "We must strengthen statutory damage liability for personal data breaches regardless of whether negligence is found."
Song Kyung-hee, chair of the Personal Information Protection Commission, noted, "When a personal data breach occurs, we will ensure strict sanctions and effective compensation that meet public expectations," and added, "We will reinforce statutory liability for personal data breaches so that victims can more easily obtain relief."
The authorities will also establish a legal basis for punishing the illegal distribution of personal data. At present, large volumes of personal information leaked through hacking and other means are traded on the Dark Web and elsewhere and used for crimes, raising serious concerns about secondary damage.
In response, the Democratic Party of Korea plans to introduce new criminal provisions that ban and punish acts such as purchasing, providing, or distributing personal data when one knows in advance that the data were obtained through a breach.
Addressing criticism that the approach is overly focused on regulation, PIPC Secretary General Yang Cheong-sam explained, "Among the amendments to the Personal Information Protection Act passed by the National Policy Committee last year, there is a provision that requires punitive fines of up to 10% of sales to be mandatorily reduced by the amount a company invests in preventive measures in advance," adding, "We will also significantly expand government budget support programs to help small and medium-sized enterprises, which are vulnerable in personal data management, strengthen their security systems for safety management."
Meanwhile, the ruling party and the government will also seek to strengthen the powers of the PIPC. If companies fail to cooperate with PIPC investigations after a data breach, the commission will be able to impose penalty surcharges and issue emergency protective orders and other measures to prevent further spread of damage.
gowell@fnnews.com Reporter Kim Hyeong-gu Reporter