Vice Chairman Lee Jeongryeol's regular briefing
"KT leak investigation also nearing completion... Kyowon and Ddareungi still in early stages"
Policy overhaul to shift focus from "post-incident sanctions" to "pre-incident prevention"
The Personal Information Protection Commission has announced that it will focus on preventing personal information leaks in advance, while at the same time conducting strict investigations and imposing sanctions after incidents occur. It stated that the investigations into the personal information leak incidents at Coupang and KT are ongoing and in their final stages.
Lee Jeongryeol, Deputy Chair of the Personal Information Protection Commission, is holding a regular briefing at Government Complex Seoul on the 25th. Provided by the Personal Information Protection Commission.
Lee Jeongryeol, Vice Chairman of the Personal Information Protection Commission, said at a regular briefing held at the Government Complex Seoul on the 25th that "the investigation into the Coupang personal information leak incident is in its final stage, and we are looking at it in a very strict manner in accordance with laws and principles."
He went on to say, "Coupang is issuing its own statements, but additional verification is needed," adding, "Immediately after the report was filed on November 30 last year, we set up a dedicated task force and are still stationed on site."
Regarding the fact that Coupang Inc., Coupang's parent company, said earlier in the day that about 200,000 of the 33 million leaked accounts were based in Taiwan, he said, "Those figures are the result of Coupang's own investigation and are not what the Personal Information Protection Commission has verified." He then added, "If necessary, we may request cooperation from Taiwan."
In the case of KT, where attention is focused on the size of the administrative fine, the commission is checking for any legal violations, including delayed reporting, and said the investigation is expected to be completed soon. However, it is understood that the investigations of Kyowon Group and Seoul City's public bicycle service "Ddareungi" are still in their early stages. Vice Chairman Lee said, "The Ddareungi investigation is at about level 1 to 2 out of 10, and for Kyowon, the report was received last month, so we are at the stage of requesting and reviewing materials."
Vice Chairman Lee stressed, "As artificial intelligence (AI) spreads into people's daily lives, the environment surrounding personal information is changing rapidly, and leaks and infringements are occurring more frequently," adding, "In response to personal information issues and concerns, the Personal Information Protection Commission will serve as the vanguard of a prevention-centered protection system."
According to the Personal Information Protection Commission, the scale of personal information leaks has increased from 5 million cases in 2022 to more than 100 million cases last year, rising about twentyfold in three years. The number of leak reports also exceeded 400 last year. Although specific leak incidents such as the one involving Coupang accounted for about half of the total, Vice Chairman Lee assessed that the situation has reached a level that the public should be seriously concerned about.
Since personal information that has been stolen cannot be restored, the commission plans to completely redesign its policy direction to focus on prevention. In addition, under the amended Personal Information Protection Act recently passed at a plenary session of the National Assembly, it has decided to impose heavy responsibility by levying punitive-level administrative fines in the event of a major leak incident.
The amendment allows the commission to impose an administrative fine of up to 10% of total revenue on companies that cause serious personal information leak incidents. Previously, the fine was capped at 3% of total revenue. However, after a series of large-scale cyber breach incidents starting with SK Telecom last year, the scope of administrative fines was expanded to strengthen accountability.
The amendment also stipulates that the head of an organization or the chief executive officer (CEO) is ultimately responsible for personal information protection, and includes provisions to strengthen the role and authority of the chief privacy officer (CPO).
Vice Chairman Lee said, "In line with the timing of the amendment's enforcement, we will listen to opinions from industry and experts and make adjustments as we prepare subordinate statutes such as enforcement decrees," adding, "We will also hold briefings on the system requiring mandatory reductions in penalties when companies make proactive investments in personal information protection."
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
