South Korea Adds Breach Voluntary Notice Incentive

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By James Lim

Aug. 28 — South Korea's Internet and media regulator has revised its data breach penalty rules to introduce incentives for voluntary disclosure.

The Korea Communications Commission (KCC) Aug. 27 published the revised notice (Notice No. 2015-18) on “Criteria for Imposition of Fines on Personal Information Protection Regulation Violations” with a new reduction provision.

The new provision allows the KCC to reduce the “discretionary” portion of the statutory fine by up to 30 percent for companies voluntarily reporting a data beach, effective immediately.

“From now on, businesses will be able to get additional reductions in fines if they come clean on a data breach,” Eom Yeol, director of the KCC Privacy Protection and Ethics Division, told Bloomberg BNA Aug. 28.

Three Tiers of Fines 

“This change is aimed at incentivizing voluntary reporting of a data breach and facilitating a timely response to a data breach,” the KCC said in an Aug. 27 statement.

The fines available to the KCC to levy on companies losing personal data come in three tiers:

• a base statutory damages fine, which was added in 2014, of up to 3 percent of the responsible company's relevant annual revenue;

• compulsory adjustments that can add or deduct up to 50 percent of the base fine, depending on the duration of a data breach and the frequency of violations; and

• discretionary fines that amend second tier compulsory adjustments plus or minus 50 percent, depending on the degree of violation and the level of cooperation with authorities.


The regulatory notice provides a mechanism for the KCC to increase the third tier discretionary fines for punitive reasons or offer reductions under mitigating circumstances. For instance, refusal to surrender evidence and obstruction of investigation can lead to a punitive increase of up to 30 percent.

In its most recent penalty action in April 2015, the KCC imposed 80 million Korean won ($68,000) and 19 million Korean won ($16,000) data breach fines on Baedaltong Co. Ltd., a mobile application operator that provides information on food delivery service based on a user's location, and Pandora TV, a local video sharing website that hosts user-generated content.

South Korea has also recently adopted new punitive damages provisions that institute court-awarded damages of up to three times the actual damage from the “loss, theft, leakage, forgery, alteration, or impairment of personal information due to a deliberate act or a serious error”.

To contact the reporter on this story: James Lim in Seoul at

To contact the editor responsible for this story: Donald G. Aplin at

The revised notice on “Criteria for Imposition of Fines on Personal Information Protection Regulation Violations” is available, in Korean, at


Request Bloomberg Law: Privacy & Data Security