Calls to strengthen the effectiveness of the punitive damages system are gaining traction again after Coupang's massive leak of customer personal information. Although current law includes a punitive damages clause, critics say it is "toothless" because its scope is narrow and there have been almost no cases of actual application. Spurred by the Coupang situation, politicians are demanding an overhaul of the entire system, including easing the burden of proof and raising the penalty surcharge, to provide "substantive relief" for data-leak victims.

◇Lee orders "make punitive damages a reality"… ruling camp also says "reexamine the penalty surcharge framework"

As public anger grew after personal information on 33.7 million customers was leaked from Coupang, President Lee Jae-myung on the 2nd ordered relevant ministries at a Cabinet meeting to prepare measures including tougher penalty surcharges and expanded adoption of punitive damages.

The president said, "In the age of artificial intelligence (AI) and digital technology, we must use this opportunity to completely change the wrong practices and perceptions that neglect the protection of personal information, a core asset," and emphasized, "Relevant ministries should refer to overseas cases to strengthen penalty surcharges and make the punitive damages system a reality, and roll out practical and effective measures." With recent personal information leaks recurring at SKT (Apr.) and Lotte Card (Aug.), the administration appears to have concluded that strong sanctions are needed.

The ruling camp also called for institutional improvements. Heo Yeong, senior deputy floor leader for policy of the Democratic Party of Korea, said at a floor countermeasures meeting that day, "The government should thoroughly investigate whether Coupang violated its security obligations and mete out stern punishment. In addition, the penalty surcharge framework and the effectiveness of the information protection certification system must be fundamentally reexamined and swiftly improved."

Park Dae-jun, CEO of Coupang, answers lawmakers' questions during a hearing on the Coupang breach at the Science, ICT, Broadcasting and Communications Committee at the National Assembly in Yeouido, Seoul, on the 2nd. /Courtesy of News1

◇Personal Information Protection Act has "punitive damages," but zero applications in 10 years

Punitive damages are a sanctioning system that imposes compensation higher than the actual damage for unlawful acts. Following the 2014 leak at three card companies, the Personal Information Protection Act adopted it in 2015. The current law provides that if personal information leakage occurs due to intent or gross negligence, up to five times the amount of damage can be awarded.

However, critics have continued to call it toothless because there is a proviso stating, "It does not apply if the personal information controller proves there was no intent or gross negligence."

In fact, there has not been a single case in the past 10 years in which punitive damages were recognized. At a current-issues inquiry of the National Assembly's Science, ICT, Broadcasting and Communications Committee held that day, Personal Information Protection Commission Vice Chair Lee Jeong-ryeol, when asked, "In the past 10 years, has there been any case recognized as subject to punitive damages?" said, "We recognize there is a problem with the current legal framework. There have been no cases so far." Although Coupang also had leaks in 2020, 2021, and 2023, the total penalty surcharges and fines imposed amounted to only 1.6 billion won.

Sanctions are tougher overseas. According to the Personal Information Protection Commission, the European Union (EU) can impose penalty surcharges of up to 4% of total sales, China up to 5%, and the U.S. Federal Trade Commission (FTC) up to $53,000 per violation. When 76.6 million people's data were leaked in 2021, U.S. mobile carrier T-Mobile paid $350 million (about 514 billion won) in compensation.

◇Strengthening bills pile up, including "penalty surcharge up to 10 times sales"

Multiple bills to strengthen sanctions in the event of personal information leaks are also under discussion in the National Assembly. A Personal Information Protection Act amendment by Democratic Party of Korea lawmaker Lee Hun-gi would allow penalty surcharges of "up to 10 times" total sales when personal information is lost, stolen, leaked, forged, altered, or damaged. At the committee's current-issues inquiry that day, Lee said, "Coupang has been criticized for using its U.S. listing as a shield to circumvent regulation in Korea," and emphasized, "Now every citizen and corporations alike must bear clear responsibility for personal information leaks."

Min Hyeong-bae of the Democratic Party proposed an amendment to the Credit Information Act to remove the 5 billion won cap on penalty surcharges for credit information leaks at financial firms to boost the effectiveness of sanctions. Yoo Dong-soo of the Democratic Party proposed an amendment to the Electronic Financial Transactions Act to introduce "punitive penalty surcharges," imposing surcharges of up to 3% of total sales on financial companies for major personal information leaks and collecting enforcement penalties from firms that fail to carry out remedial measures.

Park Ju-min of the Democratic Party also introduced a "punitive damages enactment bill" that consolidates punitive damages scattered across individual statutes. It would impose double the compensation amount when a person causes damage to another through intent or gross negligence.

People Power Party lawmakers in the opposition introduced bills focused more on victim relief than punitive sanctions. Lawmaker Park Jeong-ha proposed establishing a Personal Information Damage Compensation Fund within the Personal Information Protection Commission to be used to protect and support users harmed by leaks of personal information. Lawmaker Lee Sang-hwi proposed an obligation to notify victims "without delay" after recognizing a leak, and lawmaker Lee Heon-seung proposed making it mandatory to report to relevant authorities "within 24 hours" upon recognizing an incident.

※ This article has been translated by AI.