South Korea Increases Data Breach Fines, Lowers Liability Threshold


By James Lim

May 12 -- Recent data breach amendments (Bill No. 10479) to South Korea's framework data protection law increase the available fines; lower the liability threshold that regulators must meet to levy those fines; allow compensation of individual plaintiffs without a showing of damages; and require notification of affected individuals within 24 hours of discovering a breach, a Korea Communications Commission (KCC) official told Bloomberg BNA May 12.

Under the amendments, companies that lose online personal information may face fines of up to 3 percent of the revenue attributable to the violated data protection provisions.

Fine Ceiling Rises.

Under the current statute, the ceiling on revenue-based fines for poor data security leading to a data breach is 1 percent. In all previous data breach cases, responsible companies were fined no more than 100 million Korean won ($97,600), the maximum fine available when there is no evidence of deliberate negligence.

"These legal limitations have prevented effective enforcement of meaningful sanctions," Eom Yeol, director of the Privacy Protection and Ethics Division at the KCC, said.

The amendments to the Act on the Promotion of Information Communication Network Utilization and the Protection of Information, which passed the National Assembly May 2, will take effect in six months, Eom said.

Another important change is the elimination of a provision that requires evidence of deliberate negligence to enforce a revenue-based fine, Eom said. "Businesses will be held liable for a data breach with or without proven fault on their part."

Consumer Compensation.

The amendment also authorizes courts to award compensation of up to 3 million Korean won ($2,900) to each consumer complainant in a data breach case with no need to verify damage claims. "This will give companies a strong reason to upgrade their data security standard voluntarily," Eom said.

The amended law will require companies to alert customers within 24 hours of discovering a breach.

The amended law requires companies to dispose of protected personal information in a manner that ensures it cannot be recovered and misused.

Under the new law, businesses must obtain consumers' opt-in consent before sending marketing messages through any channel, including e-mail and mobile phone text messages.

The South Korean financial sector and other regulators have been working to increase data security oversight in the wake of a massive data breach involving three large credit card companies (13 PVLR 183, 1/27/14).



Bill No. 10479 is available, in Korean, at
