US Imposes $5 Billion Fine on Meta for Violating Consent Order
EU Levies 4% of Revenue, Collects 5.8 Billion Euros from Global Companies
China Fines Didi Chuxing 8 Billion Yuan
As Coupang faces the possibility of being fined up to 1 trillion won for causing the largest-ever personal data breach in South Korea, involving 33.7 million cases, attention is turning to precedents set by the United States, the European Union (EU), and China, which have imposed multi-trillion-won fines on companies for mishandling personal information.
The Home of Big Tech, the US, Imposes Multi-Trillion-Won Fines
The largest fine in the United States for a personal data breach was the 5 billion US dollars (approximately 7.3 trillion won) imposed by the Federal Trade Commission (FTC) on Meta (then Facebook) in 2019. In its statement at the time, the FTC noted that this amount was "20 times higher than the previous record fine," explaining that "Facebook repeatedly promised it could control privacy itself, yet violated consumers' choices."
Meta had violated a "Consent Order" it entered into with the FTC in 2012. Previously, Meta had agreed with the FTC to (1) adopt specific measures to protect customer data, (2) not excessively share customer information with external developers, and (3) avoid making deceptive statements that could mislead users about the collection and use of personal data. However, it failed to uphold these promises.
The Cambridge Analytica scandal involved the unauthorized collection of Facebook users' personal information and its use in election campaigns in democratic countries such as the United States and the United Kingdom. Getty Images
This led to the incident in which the data startup Cambridge Analytica collected Facebook users' data without authorization, influencing presidential and general election campaigns in various countries during the 2010s. Given that Meta's negligence escalated into a scandal that shook the foundations of democracy, the FTC's punishment was severe.
The EU Imposes a Cumulative Fine of 5.8 Billion Euros
The European Union (EU) also imposes strict penalties for mishandling personal information, on par with the United States. Fines for violating the EU's personal data protection laws are based on the General Data Protection Regulation (GDPR) enacted in April 2016. The GDPR comprehensively regulates not only data breaches but also the collection of personal data by companies and the transfer of personal information outside the EU. The maximum fine can be up to "4% of a company's global annual revenue from the previous fiscal year."
According to the "GDPR Fines" report compiled annually by the EU data regulation consultancy Data Privacy Manager, the EU had imposed a cumulative total of 5.88 billion euros (approximately 10 trillion won) in fines on global companies as of early this year. The largest single fine to date in the EU was the 1.2 billion euros (about 2 trillion won) imposed by the Irish government on Meta in 2023.
This was because Meta violated GDPR regulations when transferring EU users' personal data to data centers in the United States. Data Privacy Manager commented, "This was intended as an example to ensure that big tech companies take EU regulations seriously," and noted that "(Meta's fine) had a broad impact on how companies handle personal data." Previously, Luxembourg imposed a fine of 746 million euros (1.278 trillion won) on Amazon in 2021 for violations related to the processing of customer data.
China Views Personal Data as a National Security Issue, Not Just Privacy
China treats the personal information of its citizens as a major national security issue, rather than merely a matter of privacy. Through the "Cybersecurity Law" enacted in 2017, China issues guidelines to IT companies regarding personal data security standards. These standards include (1) a data localization requirement mandating that personal information collected in China be stored on servers within the country, (2) granting the Chinese government access rights to personal information collected by companies, and (3) prioritizing national security interests in personal data protection.
A case that illustrates this aspect of China's cybersecurity approach is the penalty imposed on the ride-hailing app developer Didi Chuxing in 2022. Despite being a Chinese company, Didi Chuxing pushed ahead with an initial public offering (IPO) on the New York Stock Exchange in June 2021. A month later, the Cyberspace Administration of China announced it would investigate Didi Chuxing "to safeguard national security," and the following year imposed a fine of 8.026 billion yuan (then 1.2 billion US dollars). The Cyberspace Administration explained that this decision was "because Didi Chuxing posed serious risks to critical national information infrastructure and data security." Ultimately, Didi Chuxing withdrew from the New York Stock Exchange within a year.
Meanwhile, the Personal Information Protection Commission (PIPC) began investigating Coupang on November 30 for possible violations of obligations related to personal data protection and security measures. The investigation covers areas such as access control, management of access rights, and encryption. Under the current Personal Information Protection Act, a company can be fined up to "3% of its revenue" for serious violations. Based on Coupang's consolidated revenue of 41.2901 trillion won last year, the maximum fine could be around 1.2 trillion won, though there is a possibility of reduction.
However, under the current system, Coupang could be eligible for a reduced fine simply by holding certification for the Personal Information and Information Security Management System (ISMS-P). In the 2023 Coupang data breach, the PIPC's standard fine was 3.9 billion won, but this was reduced by 50% due to ISMS-P certification, and a further 30% discretionary reduction was applied for voluntary reporting, resulting in a final fine of 1.3 billion won.
Previously, the company that received the largest fine in South Korea for a personal data breach due to hacking was SK Telecom. The personal information of more than 23 million people, including 25 types of data such as mobile phone numbers, was leaked, resulting in a fine of 134.79 billion won.
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.

