The Personal Information Protection Commission is pushing to introduce a punitive penalty surcharge system that would impose penalty surcharges of up to 10% of total revenue for repeated or serious violations of the Personal Information Protection Act. It will also significantly strengthen sanctions and relief for damages, including by adding damage claims to class actions.
The Personal Information Protection Commission announced plans to strengthen the personal information protection sanction framework, including these measures, during a presidential policy briefing held at the Government Sejong Convention Center on the 12th. The move follows a series of large-scale personal data breaches in sectors closely tied to daily life, such as retail and telecommunications.
The Personal Information Protection Commission plans to establish a special punitive penalty surcharge provision that would raise the penalty surcharge cap from the current 3% of revenue to up to 10% when there is intent or gross negligence, or when the scale of damage is large. The plan aims to strengthen deterrence against corporations' legal violations.
In addition, to provide practical relief for personal information damage, the commission decided to include damage claims in the requirements for class actions under the Personal Information Protection Act. Currently, only injunctions against rights-infringing acts are possible, which is seen as limiting monetary compensation. If public-interest organizations, such as consumer groups, lead lawsuits as representatives, the burden of litigation costs on the general public is also expected to ease.
Personal Information Protection Commission Chairperson Song Kyung-hee, when asked whether punitive penalty surcharges could apply to ongoing cases under investigation such as Coupang, said, "Even if the law is amended, it will likely be difficult to apply it retroactively to incidents that occurred in the past." However, regarding class actions, Song said, "We believe there are areas where application is possible, and we plan to make this clearer during the legislative process."
Regarding the criteria for calculating penalty surcharges, the position is that further review is needed on detailed issues, such as whether to use the previous year's revenue as the basis or apply the three-year average revenue. Chairperson Song explained, "We will review the most reasonable option that protects the public interest and upholds the purpose of the system, and we will pursue amendments if necessary."
Along with this, the commission will also push to establish a "(tentatively named) Personal Information Damage Recovery Support Fund" that would use penalty surcharges and other funds imposed for violations of the Personal Information Protection Act to help the public recover from damages. However, it added that introducing the fund will require building consensus through discussions with relevant ministries and society.
If a corporation responsible for an incident voluntarily proposes corrective measures, the commission plans to introduce a "damage recovery consent decision system" that would finalize them by resolution to prompt swift recovery. For Information Security Management System–Personal Information (ISMS-P) certification, it will strengthen preliminary reviews and on-site technical inspections, and, in principle, revoke certification when serious or repeated legal violations are confirmed.
In addition, it will strengthen accountability in proportion to corporate size and personal information processing risk, and institutionalize incentives for investments in personal information protection. It will clearly designate the representative (CEO) as the final person responsible for personal information processing and protection, and plans to push for the introduction of a notification system for designating a chief privacy officer (CPO) at major institutions that handle large-scale or sensitive information.