Sunday, April 5, 2026

From September, punitive fines of up to 10% of revenue for major personal data breaches

Published: 2026-03-09 15:34:56 | Updated: 2026-03-09 15:34:56
According to The Financial News, starting September 11, companies that, through gross negligence, leak the personal information of more than 10 million people or repeatedly violate the Personal Information Protection Act may be subject to punitive administrative fines of up to 10% of their revenue. The law will also explicitly designate the Chief Executive Officer (CEO) as the person with ultimate responsibility for personal data protection, creating a legal basis for holding the CEO accountable when data breaches and similar incidents occur.
As a series of personal data breaches has recently heightened public anxiety, regulations related to personal information protection are being significantly tightened.
On the 9th, the Personal Information Protection Commission (PIPC) announced that the amended Personal Information Protection Act, which centers on three key changes—introduction of punitive administrative fines, strengthening the role of personal information protection officers, and improvements to the Information Security and Personal Information Protection Management System Certification (ISMS-P)—will be promulgated on the 10th. The law will come into force on September 11.
[Photo caption] The PIPC stated that the amended Personal Information Protection Act, which focuses on introducing punitive administrative fines, strengthening the role of personal information protection officers, and improving the Personal Information Management System (PIMS) certification scheme, will be promulgated on the 10th and take effect on September 11. Pictured: Song Kyung-hee, Chairperson of the Personal Information Protection Commission, chairing a plenary meeting of the PIPC. (Source: Yonhap News Agency)

The amended law stipulates a special provision that allows the imposition of punitive administrative fines of up to 10% of a company’s total revenue for repeated or serious violations.
Repeated or serious violations include: cases where a company has, with intent or gross negligence, committed violations repeatedly over the past three years; cases where intent or gross negligence has caused large-scale damage affecting 10 million or more individuals; and cases where a data breach or similar incident occurs because a corrective order was not carried out.
The law also introduces incentives to encourage preventive investment in personal data protection. If a company or institution has invested in and operates budgets, personnel, facilities, and systems for personal information protection, fines may be reduced, provided the incident did not result from intent or gross negligence.
In addition, a notification system for potential data breaches has been introduced. Previously, data controllers were required to notify data subjects only after a personal data breach had occurred. Under the amendment, once a data controller becomes aware of the possibility of a breach, they must promptly notify the data subjects. The scope of a “breach or similar incident” has been expanded to include not only loss, theft, and leakage of personal information, but also forgery, alteration, and destruction, all of which now require notification and reporting. When notifying data subjects of a breach or damage to their data, the controller must also inform them of available remedies, such as filing a claim for damages or applying for dispute mediation.
The amended law clearly identifies the CEO as the person with final responsibility for the processing and protection of personal information. This means the CEO can now be held directly accountable when a data breach or similar incident occurs.
Companies that process personal information above a certain scale will be required to appoint a Chief Privacy Officer (CPO). Any change or dismissal of the CPO must be approved by the board of directors and reported to the PIPC.
For major companies and institutions in both the public and private sectors, where the impact of a breach would be significant, the previously voluntary personal information protection certification (ISMS-P certification) will become mandatory.

Reporter Lee Gu-soon (cafe9@fnnews.com)