SEOUL—The South Korean government is set to significantly raise fines for personal data breaches, tying penalties directly to the scale of the damage. This decision comes in response to a series of large-scale data leaks at major companies like SK Telecom, KT, and Lotte Card, and aims to hold corporations more accountable for security failures.

A New Approach to Fines: From Pennies to Proportionality 

Historically, penalties for data breaches in South Korea have been remarkably low. A recent report by Democratic Party lawmaker Min Byung-duk revealed that over the past five years, a staggering 88.54 million personal data records were leaked from both public and private sectors. However, the total fines amounted to just 87.7 billion KRW, or a paltry 1,019 KRW (approximately 1 USD) per leaked record. This lenient approach has been widely criticized for failing to deter companies from neglecting cybersecurity.

In response, the Personal Information Protection Commission (PIPC) announced a new policy to make the scale of the breach the primary factor in calculating fines. While the current system considers the size of the leak, it often reduces the penalty for first-time offenders or companies that attempt to mitigate the damage after the fact. The new guidelines will prioritize the victim's perspective, imposing heavier fines for large-scale and repeated incidents.

"We will strengthen the proportionality of fines based on the scale of the damage to close the gap between the actual harm and the penalty," a PIPC official stated. This move aims to ensure that companies face substantial financial consequences that reflect the true gravity of their negligence.

Beyond Fines: A Comprehensive Strategy for Data Protection 

The government’s new initiative extends beyond just financial penalties. The PIPC has unveiled a five-point plan to bolster data protection:

Strengthened Investigative Powers: The PIPC will establish a dedicated "forensic lab" to quickly secure and analyze digital evidence following a breach. It will also gain the authority to compel companies to submit data, preventing them from hindering investigations.
Expanded User Rights: In cases of significant breaches, companies will be required to immediately notify all affected users to prevent secondary harm. The "digital right to be forgotten" will be expanded, allowing individuals, especially those aged 18 and under (up from the previous age of 14), to request the deletion of their online posts and data.
Enhanced Corporate Responsibility: The PIPC will grant legal authority to a company’s Chief Privacy Officer (CPO) and will encourage businesses to allocate sufficient resources and personnel to data protection.
Modernizing Data Use: To balance data utilization with protection in the age of AI, the government plans to expand the scope of "MyData" services, streamline regulations, establish clear standards for using data for AI training, and improve the use of pseudonymized information.
Proactive Investigations: Prime Minister Kim Min-seok announced that the government will strengthen its ability to conduct ex officio investigations, meaning it can launch probes into companies without waiting for a formal report of a data breach.
Prime Minister Kim urged relevant ministers to approach this issue with the mindset of "waging a war on hacking," emphasizing the need for decisive action and accountability to build a safer digital environment for all citizens.