Personal Information Protection Commission and Ministry of Science and ICT Report on December 12
Plans to Revise Related Enforcement Decree and Laws
On December 12, the government announced plans to revise an enforcement decree to change the standard for imposing punitive fines for serious and repeated personal information leaks to "3% of the highest annual revenue from the past three years."
President Lee Jaemyung issued this directive during the Personal Information Protection Commission's work report held at the Sejong Convention Center that morning.
President Lee responded to an explanation by Song Kyunghee, Chairperson of the Personal Information Protection Commission, who stated that "the punitive fine for repeated and serious violations is set at 3% of the total revenue from the previous year by law, but the enforcement decree currently uses the average revenue from the past three years." President Lee instructed, "Let us revise the enforcement decree so that it is 3% of the highest annual revenue from the past three years."
President Lee remarked, "Currently, economic sanctions are too weak, so companies violate the rules as if it is nothing and do not care," adding, "When a violation occurs, it should cause a major stir, but even when violations happen, their attitude seems to be, 'What are you going to do about it?'"
Referring to the Coupang data leak incident, President Lee said, "If every affected citizen has to file a lawsuit individually, the legal costs will be even higher, so we must introduce a class action system," urging lawmakers to accelerate legislation.
Additionally, the government decided to pursue, within the first half of next year, a plan to impose punitive fines of up to 3% of annual revenue on companies that repeatedly experience security incidents, even if these are not personal information leaks.
The Ministry of Science and ICT announced this strengthened cybersecurity policy during its work report on the same day. The imposition of punitive fines in this case will be established through new legislation and will be separate from the Personal Information Protection Commission's enhanced penalties for repeated or serious violations of the Personal Information Protection Act.
The Ministry of Science and ICT also plans to raise the fine for delayed reporting of cyber incidents from the current 30 million won to 50 million won, and to introduce enforcement fines for companies that fail to implement recurrence prevention measures.
The government will require companies that experience hacking incidents to notify users, and will establish a notification system for affected users in the first half of next year.
To prevent the burden of damages from hacking incidents from being shifted onto users, the government will also work on easing the burden of proof for users in damage compensation cases and introducing systems such as class actions.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
