Illustration = Lee Eun-hyun

Over the past five years, 88.54 million pieces of personal information were leaked across the public and private institutional sectors, but the penalty surcharge per item averaged only 1,000 won.

On the 22nd, the office of Min Byung-deok of the Democratic Party of Korea, a member of the National Policy Committee, analyzed data from the Personal Information Protection Commission and found that about 88,543,000 pieces of personal information were leaked in 451 incidents from 2021 through July this year. Of these, penalty surcharges totaling 87.727324 billion won were imposed in 125 cases, and fines totaling 2.4988 billion won were imposed in 405 cases. On a per-incident average, the penalty surcharge comes to about 700 million won and the fine to about 6.17 million won.

However, when divided by the actual number of leaked items, the combined average amount of penalty surcharge and fines per piece of personal information is just 1,019 won. Looking at penalties by year, it was only 41 won in 2021 and 200 won in 2022, then increased to 1,063 won in 2023 and 8,302 won in 2024. This year, it was tallied at 2,743 won through July. Because a single incident can leak as many as several million items, the penalty surcharge per piece of personal information remains minimal.

Under the current Personal Information Protection Act, a penalty surcharge can be imposed up to 3% of total sales, and sales unrelated to the violation may be excluded from total sales. If there are no sales or they are difficult to calculate, a penalty surcharge may be imposed up to a maximum of 2 billion won.

By contrast, for major violations the European Union's General Data Protection Regulation (GDPR) imposes a penalty surcharge of the greater of €20 million (about 32.8 billion won) or 4% of the previous year's worldwide revenue. In fact, Amazon was hit with a €746 million (about 1.2252 trillion won) penalty surcharge by Luxembourg authorities in 2021 for violating the GDPR.

Min said, "Following the recent leak of SK Telecom USIM information, small-sum payment damage has occurred due to a personal information leak at KT as well, amplifying the debate over the effectiveness of 'information protection regulations,'" and emphasized, "Along with penalty surcharges at the GDPR level, strong sanctions such as the introduction of a class action system and punitive damages are needed."
