The Personal Information Protection Commission said it will actively respond to SK Telecom's lawsuit challenging a penalty surcharge, and, regarding Coupang, which is pushing claims via U.S. political circles that "the Korean government is witch-hunting the U.S. corporation Coupang," it said, "We will thoroughly investigate and take action, in line with principles, on whether the Personal Information Protection Act was violated, without distinguishing between domestic corporations and overseas corporations."
Regarding the suit SK Telecom filed on the 21st seeking to cancel the roughly 130 billion won penalty surcharge imposed by the commission on the grounds that it is unfair, Chairperson Song Gyeong-hee of the Personal Information Protection Commission said, "The claim that the penalty surcharge is unfair because there was no financial damage caused by the personal information leak and no unjust enrichment was gained does not hold logically."
At a New Year's press briefing held at the Korea Press Center in Jung-gu, Seoul, that day, Chairperson Song said, "Even looking only at overseas cases such as the United States or the European Union (EU), penalty surcharges imposed for large-scale personal information leaks are intended to hold corporations accountable for failing to properly manage personal information," adding, "SK Telecom's penalty surcharge is a disposition reached after thoroughly reviewing and presenting various legal issues, so we will actively respond to the cancellation suit."
Earlier, in April last year, the Personal Information Protection Commission imposed a 134.791 billion won penalty surcharge and 9.6 million won in fines on SK Telecom for a hacking attack that leaked personal information of as many as 27 million customers. This is the largest penalty surcharge the commission has imposed on domestic corporations, surpassing the surcharges imposed on Google (69.2 billion won) and Meta (30.8 billion won) in 2022.
On the 19th, SK Telecom filed a suit to cancel the disposition, arguing the penalty surcharge is excessive compared with similar cases. SK Telecom's position is reportedly that factors such as the total 1.2 trillion won invested in compensation plans and information security innovation plans after the hacking incident, and the absence of financial damage from the leak, should be taken into account.
On Coupang's large-scale personal information leak, Chairperson Song said, "The investigation has progressed considerably," adding, "What is certain is that the personal information of more than 30 million Coupang members was leaked, and if we add nonmember information (such as delivery addresses and phone numbers of nonmembers like family members entered by subscribers), the scale is likely to grow further." This rebuts Coupang's claim, presented as its own investigation result, that only 3,000 people's personal information—about one ten-thousandth of the known figure—was leaked.
On the controversy over Coupang's response, Song said, "Compared with previous businesses or institutions that suffered personal information leaks, (Coupang's response) was indeed insufficient," emphasizing, "The Personal Information Protection Commission will investigate Coupang and issue dispositions based on whether the Personal Information Protection Act was violated, and this applies the same regardless of whether the business is overseas or domestic."
Regarding LG Uplus, where it was confirmed that some servers were reinstalled or discarded amid suspected hacking damage, Song said, "We recognize this as a very serious issue," adding, "To prevent similar situations in the future, we are preparing a bill that includes compulsory investigative powers and data preservation orders."
She went on to add that investigations are also underway into KT, Lotte Card, Netmarble and Kyowon, which experienced personal information leaks last year, and that "they will be concluded in the not-too-distant future."
Marking just over 100 days in office that day, Chairperson Song said, "The area that drew the most attention to the commission last year—regrettably—was the large-scale personal information leaks in sectors closely tied to people's daily lives, such as telecom companies and retail platforms." She pointed out, "These corporations, because they hold vast amounts of personal information, are required to implement commensurately high levels of protection measures, but many of the incidents confirmed in actual investigations stemmed not from sophisticated hacking techniques but from a lack of basic management, inspection and control."
Chairperson Song said, "This reflects not only problems at individual corporations but also the structural limits of an existing protection system focused on post-incident response," adding, "Especially in an environment where artificial intelligence (AI) and automation technologies have spread, it is difficult to truly protect the public by only investigating and punishing after personal information infringement occurs." She explained that in AI-based services and platform environments, a single management failure can rapidly escalate into large-scale, cascading damage, and that by the time an incident is recognized and addressed, personal information has often already been copied and distributed.
She emphasized, "We will shift the personal information protection regime from post-penalties to preemptive prevention." To strengthen preventive functions in terms of organization and infrastructure, the commission set up a department dedicated to preemptive prevention late last year and newly established a forensic center. She said, "This year, we will build a technology analysis center so that preemptive on-site inspections and preventive measures in key sectors can be properly carried out."
Chairperson Song emphasized that shifting to a prevention-centered system does not mean weakening sanctions. She said, "For serious or repeated violations, we are pushing to introduce a punitive penalty surcharge special measure that can impose up to 10% of total sales," explaining, "This is not intended to toughen punishment per se, but a structural mechanism to ensure that corporations recognize personal information protection not as a choice but as a precondition for management."
She also added that the commission will secure a legal basis for an incentive system that offers benefits, such as reductions in penalty surcharges, when corporations proactively invest in personal information protection and faithfully carry out preventive measures.
In addition, to fundamentally strengthen the accountability structure for personal information protection, the commission is pushing legal revisions to clarify that the chief executive officer (CEO) has ultimate responsibility for personal information protection, and to include measures such as strengthening the authority of the chief privacy officer (CPO) and introducing a CPO designation reporting system.
It also plans to strengthen research on standards for handling personal information as part of continued responses to new personal information infringement threats in the AI era, such as deepfakes.