Ruling party seeks stricter corporate penalties for customer data breaches

The Korean government and the ruling Democratic Party of Korea (DPK) are moving to advance a second revision of the country’s Personal Information Protection Act that would strengthen corporate liability for large-scale data breaches.

The proposed amendment is intended to enhance compensation and relief for victims of large-scale data breaches. However, industry insiders warn that the measures could impose excessive burdens on companies.

Discussions at the National Assembly are focusing on amendment bills introduced by several DPK lawmakers, political sources said Sunday. The proposals share a central provision: eliminating the requirement to prove “intent or negligence” in compensation claims stemming from cases of compromised user data, a change that would broaden corporate liability.

The push for stricter liability follows a series of high-profile data breaches in Korea, including a recent case involving Coupang, the country’s largest e-commerce platform. Authorities said the incident may have exposed personal information linked to a large number of user accounts, intensifying scrutiny over how companies safeguard customer data.

Under current law, companies can avoid liability in customer data breach cases if they demonstrate that the incident did not result from intentional misconduct or negligence. The proposed revision seeks to expand the burden of proof placed on companies.

"People affected by data breaches have often struggled to obtain evidence proving how the leak occurred or how it caused their losses," an official at the Personal Information Protection Commission (PIPC) said. "The amendment is intended to place a broader burden of proof on companies regarding occurrences of losses and their causal relationship with the breach."

The amendment will also introduce new criminal penalties for the illegal distribution of leaked customer information. Current law penalizes only employees or officials within organizations who unlawfully obtain or leak customer data. It contains no provisions punishing outside parties that knowingly buy or redistribute such information.

To close this legal gap, the amendment would explicitly ban anyone from obtaining or distributing customer data while knowing it has been compromised, and establish corresponding criminal penalties.

The proposal also includes provisions allowing authorities to issue emergency protective orders when large-scale data leaks occur, aimed at preventing further spread of compromised information.

“As large-scale user data breach incidents continue to occur, the need for institutional improvements has been raised. Our goal is to ensure the amendment passes the National Assembly as swiftly as possible," the PIPC official said.

Source: Korea Times News