May 12 -- Recent data breach amendments (Bill No. 10479)
to South Korea's framework data protection law
increase available fines; lower the liability threshold that
regulators must show to levy fines; allow compensation of
individual plaintiffs without a showing of damages; and require
notification of affected individuals within 24 hours of discovering
a breach, a Korea Communications Commission (KCC) official told
Bloomberg BNA May 12.
Under the amendments, companies that lose online personal
information may face fines equivalent to 3 percent of their
revenue, attributable to any violation of data protection
The limit on revenue-based fines for poor data security leading
to a data breach is now 1 percent under the statute. In all
previous data breach cases, responsible companies were fined only
as much as 100 million Korean won ($97,600)--the maximum fine
available when there is no evidence of deliberate negligence.
"These legal limitations have prevented effective enforcement of
meaningful sanctions," Eom Yeol, director of the Privacy Protection
and Ethics Division at the KCC, said.
The amendments to the Act on the Promotion of Information
Communication Network Utilization and the Protection of
Information, which passed the National Assembly May 2, will take
effect in six months, Eom said.
Another important change is the elimination of a provision that
requires evidence of deliberate negligence to enforce a
revenue-based fine, Eom said. "Businesses will be held liable for a
data breach with or without proven fault on their part."
The amendment also authorizes courts to award compensation of up
to 3 million Korean won ($2,900) to each consumer complainant in a
data breach case with no need to verify damage claims. "This will
give companies a strong reason to upgrade their data security
standard voluntarily," Eom said.
The amended law will require companies to alert customers within
24 hours of discovering a breach.
The amended law required companies to dispose of protected
personal information in a manner to ensure it may not be recovered
Under the new law, businesses are required to obtain consumers'
opt-in consent to accept marketing messages delivered through all
channels, including via e-mail and mobile phone text messages.
The South Korean financial sector and other regulators have been
working to increase data security oversight in the wake of a
massive data breach involving three large credit card companies (13
PVLR 183, 1/27/14).
By James Lim
To contact the reporter on this story: James Lim in Seoul at email@example.com
To contact the editor responsible for this story: Donald G.
Aplin at firstname.lastname@example.org
Bill No. 10479 is available, in Korean, at