"Exemption Clause Creates Unclear Burden of Proof, Contradicts Personal Information Protection Act"
The Personal Information Protection Commission has called on Coupang, which recently experienced a massive data breach involving member information, to revise its third-party exemption clause. Additionally, the commission has urged Coupang to simplify the complex membership withdrawal process for Wow Membership subscribers.
The commission announced these measures after reviewing Coupang's response and personal information management practices at a plenary meeting held on the afternoon of December 10.
Song Kyunghee, Chairperson of the Personal Information Protection Commission, is presiding over a video plenary meeting held on December 3, 2025, at the Government Seoul Office in Jongno-gu, Seoul, to address the Coupang personal information leakage incident and prevent secondary damage. Photo by Jo Yongjun
First, the commission confirmed that Coupang had added an exemption clause to its terms and conditions last month, stating that the company bears no responsibility for any damages caused by illegal third-party access to its servers. This clause was introduced after the recent member information leakage incident.
The commission pointed out that this clause makes it unclear whether Coupang is exempt from liability and who bears the burden of proof in cases of intentional or negligent damages. It added that this contradicts the intent of the Personal Information Protection Act and creates unnecessary confusion for users.
According to the Personal Information Protection Act, if a user suffers damages due to the unlawful actions of a personal information handler, the user can claim compensation, and the handler must prove the absence of intent or negligence.
The commission stated that it would demand improvements from Coupang regarding this issue and would also submit its opinion to the Fair Trade Commission, the authority responsible for overseeing terms and conditions.
The commission also urged Coupang to simplify the complicated withdrawal process for its Wow Membership service. Users subscribed to the paid Wow Membership must cancel their membership before withdrawing, but the cancellation involves multiple steps and requires repeated confirmation of the user's intent, making the process unnecessarily complex. Some users were even unable to cancel their membership until the remaining period expired, making immediate withdrawal impossible.
In response, the commission called on Coupang to simplify the withdrawal process and make the information easily accessible to ensure users can exercise their rights.
The commission also reviewed Coupang's actions following its emergency resolution on December 3. The review found that Coupang had changed the wording in its incident notification from "exposure" to "leakage," included previously omitted leaked items such as shared entrance passwords in its notifications, and posted notices on its website and Coupang app, thereby partially implementing the commission's resolutions.
However, the commission demanded further improvements, noting that there were no specific notification plans for non-members whose information was leaked because they were listed as delivery recipients, and that the accessibility and visibility of notices on the website and app were insufficient.
Additionally, the commission instructed Coupang to strengthen its internal monitoring and immediate response systems. This comes amid recent suspicions that Coupang account information is being distributed on the internet and the dark web. Coupang was required to submit the results of its actions regarding these demands within seven days.
A commission official stated, "We plan to impose strict sanctions if any legal violations by Coupang are confirmed through a swift and thorough investigation," adding, "We will also continue to implement necessary preventive measures to ensure that secondary damages from the leaked information do not occur."
© The Asia Business Daily (www.asiae.co.kr). All rights reserved.

