Wednesday, May 13, 2026

Introducing a Penalty of Up to 10% of Sales Revenue... 'Strict Response' to Repeated or Serious Personal Information Leaks

Input: 2026-05-12 12:07:04
Updated: 2026-05-12 12:07:04
[Seoul=Newsis News Agency] Reporter Choo Sang-cheol = Song Kyung-hee, chair of the Personal Information Protection Commission (PIPC), delivers opening remarks at a personal information policy meeting with young people held on the afternoon of the 28th at the Government Complex Seoul in Jongno-gu, Seoul. 2026.04.28. scchoo@newsis.com /Photo=Newsis News Agency
[The Financial News] A 'punitive fine' system will be introduced for repeated or serious violations of the Personal Information Protection Act, with penalties of up to 10% of total sales revenue. At the same time, companies that make voluntary investments in protection will receive incentives, and a risk-based oversight system will be established to focus on high-risk personal information handlers.
The Personal Information Protection Commission (PIPC) reported the plan, titled the 'Plan to Shift to a Prevention-Oriented Personal Information Management System,' at a State Council of South Korea meeting chaired by the president on the 12th.
First, PIPC will strengthen the effectiveness of economic sanctions by imposing fines of up to 10% of sales revenue for repeated or serious violations of the Personal Information Protection Act. The revised law is expected to take effect in September once the amendment process is completed. The calculation basis will also change to the higher of 'the previous year's sales' or 'the average sales over the past three years.' Until now, the standard has been 'average sales over three years.' The commission also plans to introduce enforcement fines and a reward system for reporting violations to improve compliance. However, small businesses that commit minor violations will be given a chance to correct them, while repeated violations will be met with strict action.
On the other hand, companies that make proactive security investments will receive incentives. If they have protection measures that exceed legal standards, active security spending, and a sound safety management system, they will be eligible for reduced fines and other benefits. The goal is to shift toward a 'regulation that encourages investment.'
The government also plans to institutionalize 'privacy by design (PbD),' which reflects personal information protection from the service design stage, and apply it to Personal Information Impact Assessments and ISMS-P certification standards.
The relief system for victims will also be strengthened. In the event of a personal information leak, companies and institutions will be held liable for damages as a rule, and the burden of proof will be placed on companies to improve the effectiveness of compensation. Practices that deceive or mislead users, such as dark patterns that make it difficult to correct personal information, withdraw consent, or cancel membership, will be closely monitored. The Personal Information Infringement Report Center will also expand its functions to include specialized counseling, consulting, and support for damage response. In particular, when sensitive information is leaked, authorities will monitor illegal distribution on social media and other platforms, detect and delete it, and work with investigative agencies to pursue to the end and punish those who illegally spread or use personal information.
Starting in the second half of this year, the government will also conduct regular inspections directly on major public systems and about 1,700 high-risk systems that process large volumes of personal information. PIPC will build a 'risk-based management system' that differentiates inspection intensity according to risk level. The commission will directly manage 387 major public systems and high-risk sectors such as education and welfare. In addition, to improve personal information protection competitiveness across companies and industries, inspections will be expanded across the supply chain, including cloud providers, specialized contractors, and system vendors. PIPC is currently inspecting funeral service companies and customer service centers, and it plans to complete the work as soon as possible and recommend corrections for any shortcomings found.
Song Kyung-hee, chair of PIPC, said, "Once personal information is leaked, it is difficult to fully restore the damage, and recovery takes a long time." She added, "In addition to post-incident accountability, PIPC will build a system in which preventive measures work effectively, creating an environment for the use of personal information that the public can trust."
Reporter Jo Yoon-ju (yjjoe@fnnews.com)