With the Personal Information Protection Commission imposing a record-high penalty surcharge of 624.681 billion won on Coupang, attention is turning to the criteria used to calculate it.
The Personal Information Protection Commission said on the 11th that it held a full meeting on the 10th and voted to impose separate penalty surcharges on Coupang of 423.575 billion won related to a personal information leak and 201.106 billion won related to unauthorized collection of personal information. This is the largest penalty surcharge the Personal Information Protection Commission has imposed on domestic corporations, about 4.6 times larger than the previous high of 134.8 billion won on SK Telecom.
The scale of the sanction grew not only because of the large-scale personal information leak but also because the collection of other companies' web and app activity records without user consent was uncovered as well. However, the Personal Information Protection Commission said it calculated the penalty surcharge based on revenue related only to the e-commerce business, not Coupang's total revenue, and comprehensively reflected the severity of the violation, the extent of damage, cooperation with the investigation, and corrective measures. It also noted that Coupang's victim compensation program was considered as a partial mitigating factor, but that the actual scale of its execution could not be verified.
The Personal Information Protection Commission plans to proceed as scheduled with a criminal referral regarding acts such as log deletion revealed during the investigation. It also said it would respond actively if Coupang files an administrative suit. The following are key questions and answers from a briefing held at Government Complex Seoul on the 11th.
—What are the criteria for calculating the penalty surcharge?
"In the case of a personal information leak, up to 3% is possible based on the average revenue for the three years immediately before the incident. However, revenue unrelated to the violation is excluded, and the final penalty surcharge is determined by comprehensively reflecting aggravating and mitigating factors such as the degree of the violation, the extent of damage, cooperation with the investigation, and corrective measures."
—What is the specific basis for the 624.6 billion won penalty surcharge?
"The subject of the disposition is Coupang Corp. in Korea, and related revenue was calculated based on the disclosed revenue and materials submitted by the business operator. Independent revenue unrelated to the violations—such as Coupang Eats, Coupang Play, and B2B businesses—was excluded. As a result, the reference revenue related to the personal information leak incident was calculated at about 30 trillion won, and the reference revenue related to infringements such as unauthorized collection of personal information was about 36 trillion won. Based on this, we imposed penalty surcharges of 423.575 billion won and 201.106 billion won, respectively. Specific criteria will be disclosed later. Although this disposition is the largest ever in terms of amount, it is not at the highest level when viewed only as a ratio to revenue."
—Why is the penalty surcharge much larger than SK Telecom's?
"It is difficult to make a simple comparison because the nature of the violations and the applicable laws differ for each case. Coupang's membership size encompasses most of Korea's economically active population, and it is a platform closely tied to people's lives that holds vast amounts of information such as delivery addresses. We issued the disposition in accordance with the law and principles."
—Was the damage compensation, such as the 50,000 won purchase voucher paid by Coupang, reflected as a mitigating factor?
"It was partly considered. However, it was important to verify how much the compensation program was actually used, and Coupang did not provide specific answers to related inquiries, so we could not confirm the exact execution scale."
—Will you proceed with a criminal referral for non-cooperative acts identified during the investigation?
"Yes. Despite receiving an order to preserve evidence such as access records related to the incident immediately after the start of the investigation, Coupang manually deleted about five months' worth of web access logs. It also did not suspend an internal policy under which logs are automatically deleted after six months, allowing some application logs to be deleted. Since the legal requirements for referral are met, we will proceed with the process as planned."
—What will you do if Coupang files an administrative suit?
"We will respond actively even if a suit is filed. This disposition is a decision made after very thorough review and sufficient deliberation in accordance with the law and principles. In the full meeting, there were also presentations of the business operator's position and Q&A for about five hours on the personal information leak matter and about three hours on the personal information infringement matter. Afterward, the Commissioners and the Secretariat reached a conclusion through sufficient discussions based on fact-finding and legal review. Even if a suit is filed, we will respond actively."
—There are voices saying the sanction on Coupang could escalate into a diplomatic issue.
"The Personal Information Protection Commission focused solely on whether Coupang violated the Personal Information Protection Act, the evidence, and the investigation results. Whether it is a domestic corporation or a foreign corporation was not a consideration."