[Asia Economy Reporter Koo Chae-eun] The fines imposed on companies responsible for personal information breaches will be raised to 3% of their total annual sales. Previously, fines were calculated as 3% of the sales related to the breach; basing them on the company's total domestic and international annual sales increases them significantly.
Additionally, the dual regulations for online and offline industries will be integrated, and a right to request the transmission of personal information will be introduced, allowing individuals to decide the extent to which their personal information is used or provided.
On the 23rd, the Personal Information Protection Commission announced that it reviewed the second amendment to the Personal Information Protection Act containing these provisions at a plenary meeting. The amendment primarily shifts the sanctions for personal information breaches from a criminal penalty focus to an economic penalty focus by strengthening fines.
First, regardless of whether the business is online or offline, fines of up to 3% of the company’s total domestic and international sales will be imposed for violations, and criminal penalties will be limited to violations committed "for the benefit of oneself or a third party." This reflects the increasingly blurred distinction between domestic and international sales in the industry environment and considers major countries’ standards such as the European Union (EU) GDPR, which imposes fines up to 4% of global sales.
Currently, online businesses can be fined up to 3% of the sales related to the violation and face imprisonment of up to five years or fines up to 50 million KRW. Offline businesses are subject to fines up to 50 million KRW. The Commission explained, "Personal information breaches are often motivated by economic gain, but criminal penalty-focused sanctions excessively punish individuals. Instead of broad criminal penalties, we aim to secure companies’ proactive compliance and accountability by significantly strengthening fines in line with legislation in major countries such as the EU."
The amendment also unifies regulations that were applied differently to online and offline industries. During the revision of the three data-related laws, personal information protection regulations for information and communication service providers under the Information and Communications Network Act were transferred to the Personal Information Protection Act, but they were simply merged. The amendment reorganizes this so that the same violations are subject to the same regulations regardless of whether they occur online or offline.
Furthermore, the amendment establishes new personal information protection standards for mobile video devices such as drones and autonomous vehicles, which previously lacked clear legal provisions. It also diversifies methods for cross-border transfer of personal information, allowing transfers to countries with adequate personal information protection levels without the individual's consent. The Commission plans to finalize the government bill after inter-ministerial consultations and public feedback through legislative notice, and submit it to the National Assembly in the first half of next year.


