[Reporter’s Notebook] In the Age of Digital Disasters... The Personal Information Protection Commission Is Nowhere to Be Seen

The massive personal information leak at Coupang has caused significant psychological harm to the public, yet the presence of the Personal Information Protection Commission, the responsible government agency, remains faint. Despite the existence of a powerful law that allows fines of up to 3% of a company’s revenue for violations of the Personal Information Protection Act, the agency has been found lacking in its role to prevent such incidents and minimize damage.

On December 3, the Personal Information Protection Commission held an emergency plenary meeting and urged Coupang to revise its notification from "exposure" to "leak" and resend the notice, to publicly announce the details of the leak via pop-up windows and other means for a certain period, and to actively provide guidance on how to prevent further harm. The commission also ordered Coupang to strengthen its internal monitoring and expand its dedicated response team. As of the morning of December 5, Coupang had only updated its website’s customer center post to include the term "leak," maintaining a complacent attitude by stating, "(To prevent further harm) there are no additional actions required from customers." A representative of the commission told The Asia Business Daily, "We have required Coupang to submit the results of their actions within seven days," adding, "If they do not comply within the deadline, they may be subject to a corrective order and fines, after prior notification in accordance with the law."


The commission has the authority under the Personal Information Protection Act to impose fines of up to 3% of a company’s total sales in the event of a personal information leak. Accordingly, Coupang’s fine is expected to exceed 1 trillion won. However, industry observers believe Coupang will file an administrative lawsuit to contest the fine. Coupang is likely to downplay the incident and claim it was not negligent in its protection and management responsibilities in order to avoid a disadvantageous position in court.


The ISMS-P, a domestic certification system recognized for proving that a company has established a personal information protection system, also lacks effectiveness. Although the ISMS-P certification is valid for three years and requires annual reviews, loopholes have been exposed in this process. There are no procedures for regularly monitoring certified companies, and the review criteria and methods have been found to be merely formalities. For example, this year’s budget for the commission’s ISMS-P project was 200 million won, and it will remain the same next year. Although the Coupang incident occurred during the budget review process, it is regrettable that the budget was not increased. The commission requested an additional 1.1 billion won, but the National Assembly’s Special Committee on Budget and Accounts did not approve it. Even with strong laws and certification systems, if they are only nominal and ineffective in practice, they become useless.


Given that large-scale personal information leaks cause serious disruption, the Personal Information Protection Commission, which stands at the forefront of protecting the public’s data, must not forget that its role and responsibility are as important as those of agencies that prevent major social disasters.


© The Asia Business Daily(www.asiae.co.kr). All rights reserved.

