Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
Aug. 28 — South Korea's Internet and media regulator has revised its data breach penalty rules to introduce incentives for voluntary disclosure.
The Korea Communications Commission (KCC) Aug. 27 published the revised notice (Notice No. 2015-18) on “Criteria for Imposition of Fines on Personal Information Protection Regulation Violations” with a new reduction provision.
The new provision allows the KCC to reduce the “discretionary” portion of the statutory fine by up to 30 percent for companies voluntarily reporting a data beach, effective immediately.
“From now on, businesses will be able to get additional reductions in fines if they come clean on a data breach,” Eom Yeol, director of the KCC Privacy Protection and Ethics Division, told Bloomberg BNA Aug. 28.
“This change is aimed at incentivizing voluntary reporting of a data breach and facilitating a timely response to a data breach,” the KCC said in an Aug. 27 statement.
• a base statutory damages fine, which was added in 2014, of up to 3 percent of the responsible company's relevant annual revenue;
• compulsory adjustments that can add or deduct up to 50 percent of the base fine, depending on the duration of a data breach and the frequency of violations; and
• discretionary fines that amend second tier compulsory adjustments plus or minus 50 percent, depending on the degree of violation and the level of cooperation with authorities.
The regulatory notice provides a mechanism for the KCC to increase the third tier discretionary fines for punitive reasons or offer reductions under mitigating circumstances. For instance, refusal to surrender evidence and obstruction of investigation can lead to a punitive increase of up to 30 percent.
In its most recent penalty action in April 2015, the KCC imposed 80 million Korean won ($68,000) and 19 million Korean won ($16,000) data breach fines on Baedaltong Co. Ltd., a mobile application operator that provides information on food delivery service based on a user's location, and Pandora TV, a local video sharing website that hosts user-generated content.
South Korea has also recently adopted new punitive damages provisions that institute court-awarded damages of up to three times the actual damage from the “loss, theft, leakage, forgery, alteration, or impairment of personal information due to a deliberate act or a serious error”.
To contact the reporter on this story: James Lim in Seoul at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com
The revised notice on “Criteria for Imposition of Fines on Personal Information Protection Regulation Violations” is available, in Korean, at http://bit.ly/1NEh4G1.
Notify me when updates are available (No standing order will be created).
Put me on standing order
Notify me when new releases are available (no standing order will be created)