On the 5th, Personal Information Protection Commission Chairperson Song Kyung-hee said, "We will impose strong punishment for acts that could infringe on the basic rights of the public, such as when serious incidents occur or personal information leaks happen repeatedly."
Chairperson Song said this at a press briefing held at Government Complex Seoul on the afternoon of the same day, noting, "We could create additional regulations for such matters." Regarding the announcement to shift the response paradigm to personal information leaks toward preemptive prevention, Song emphasized, "Prevention in advance absolutely does not mean prior regulation," and "the preventive framework should not be misunderstood as prior regulation."
Addressing a question that "concerns are being raised that the Personal Information Protection Commission could create many new regulations going forward," Song said, "The benefits that can be obtained from regulation must be greater than the expense," adding, "This means we will deliberate carefully whenever we create any regulation."
Chairperson Song explained, "We know the reality that no matter how much you invest in prevention, you cannot block incidents 100%," and "even if an incident occurs, we will recognize corporations that made efforts, and we aim to induce a framework that allows voluntary participation rather than regulation." The Personal Information Protection Commission has continued to stress its policy of shifting the response paradigm to personal information leaks from ex post sanctions to a preemptive prevention system. It has also stated that it will, in the mid to long term, review the introduction of more effective sanction tools, such as a punitive penalty surcharge system.
Regarding the recently issued SKT dispute mediation plan, Chairperson Song said, "The dispute mediation committee is an organization that operates independently under the Personal Information Protection Act," adding, "It is a structure that operates together when an individual has not been sufficiently compensated in terms of overall compensation." On the 3rd, the Personal Information Dispute Mediation Committee recommended that SKT pay 300,000 won each in damages for 3,998 subscribers who filed for dispute mediation against the company. On the KT personal information leak case, Song said, "The investigation is still ongoing, and once it is concluded, we will be able to explain clearly."
Alongside the recent SKT personal information leak case, investigations into major cases involving KT, Lotte Card, and SK shieldus have followed in succession, prompting criticism that decisions on investigations and dispositions for individual cases are being delayed. In response, Chairperson Song said, "It is true that investigations are proceeding in considerable volume," and answered, "Given the overall scale of incidents and their impact on individuals, as we allocate limited personnel to conduct investigations, there are aspects where dispositions for minor cases take a long time." Song added, "The number of Researchers was 31 in 2022, and there has been no change to date," and "meanwhile, the number of dispositions has increased by 56%, and the scale of incidents has risen by more than 500%."
Regarding the ISMS-P (personal information protection management system) scheme, Song said, "As incidents have occurred even at corporations that recently obtained certification, criticism is being raised about whether the certification is effective," adding, "Unlike ISMS, ISMS-P is not mandatory, but the protection level of certified corporations has generally improved." Song added, "Certification alone cannot prevent every incident, but it has contributed to raising corporations' security levels to some extent," and "we will improve procedures that had been limited to document reviews by introducing on-site and preliminary assessments, and after certification, we plan to conduct annual penetration tests or ex post reviews."