Song Kyung-hee, Chairperson of the Personal Information Protection Commission, announces a plan to shift to a prevention-centered personal information management system at Government Complex Seoul in Jongno-gu, Seoul, on the afternoon of the 12th. /Courtesy of Yonhap News

Starting in September this year, corporations that have repeated or major personal data breaches will face a penalty surcharge of up to 10% of sales.

The Personal Information Protection Commission said on the 12th that it reported the "plan to shift to a prevention-centered personal information management system" at a Cabinet meeting chaired by the president.

Under the amended Personal Information Protection Act, set to take effect on Sept. 11, repeated or serious violations of the act will be subject to a penalty surcharge of up to 10% of sales. Cases that are repeated within three years due to intent or gross negligence, or where personal data breaches affect 10 million or more people, are subject to the measure.

Under the amended enforcement decree to take effect on the 19th, the basis for calculating the penalty surcharge will change from the current "average sales over the past three years" to the higher of "sales in the immediately preceding year" or "average sales over the past three years." To ensure swift investigations and dispositions, the government will also introduce a noncompliance charge and a whistleblower reward program. It also plans to strengthen sanctions for concealing evidence.

However, for minor violations by small corporations, authorities plan to grant an opportunity to correct issues to prevent recurrence and encourage improvements. Both the amended act and the enforcement decree will apply only to incidents that occur afterward, so it will be difficult to apply them to ongoing investigations involving Coupang or KT.

In addition, to strengthen substantive responsible management by corporations, authorities will evaluate whether preemptive protection measures and proactive security investments are in place and provide incentives such as reductions in the penalty surcharge.

The government will also build a "risk-based management system" that manages entities differentially according to risk levels. The Personal Information Protection Commission will focus management on 387 key public systems and high-risk areas such as education and welfare. It also plans to expand inspections across the entire supply chain, including cloud service providers, specialized processors, and system suppliers.

The standards for personal information impact assessments and for ISMS-P certification will also be revised to reflect this risk-based approach. In addition, the public sector will see an expansion of personal information protection personnel and budgets, and improvements in the treatment of dedicated personal information protection staff will be pursued. According to the results of an emergency inspection of public systems conducted by the Personal Information Protection Commission in March, the number of personal information protection personnel stands at only 1.1 at central government bodies and 0.3 at basic local governments.

To remedy harm to the public, the statutory damages system will also be activated. In the event of a personal data breach, corporations and institutions will, in principle, be liable for damages, and corporations will bear the burden of proof. Authorities will also conduct intensive inspections of practices that make it difficult to modify personal information, withdraw consent, or terminate membership—such as dark patterns—and will strengthen the functions of the Personal Information Infringement Report Center.

When sensitive information is leaked, authorities will monitor social media (SNS) and other platforms for illegal distribution and support detection and takedown. In cooperation with investigative agencies, they also plan to strengthen the tracking and punishment of those who illegally distribute and use personal information.

Song Kyung-hee, Chairperson of the Personal Information Protection Commission, said, "Going forward, the Personal Information Protection Commission will build a system in which not only ex post facto accountability but also prevention works well, so that we can keep the public's information safer and create an environment for the use of personal information that the public can trust."
