South Korea Tightens Data Breach Penalties to 10% of Revenue After Coupang Leak


South Korea has passed a new law that significantly increases corporate penalties for data breaches, marking one of the country’s most aggressive steps yet to strengthen consumer data protection. The legislation, approved this week by the National Policy Committee, will allow regulators to fine companies up to 10 percent of their total revenue for serious violations. The move follows a massive leak at online retail giant Coupang, which exposed the personal data of more than 33 million customers earlier this year.

Under the existing framework, the maximum fine for a data breach caused by negligence or reckless conduct was capped at 3 percent of company revenue. The revised law raises that ceiling more than threefold and introduces additional provisions targeting companies that repeatedly fail to address security weaknesses.

Lawmakers backing the bill said the goal is to impose real accountability on large enterprises that handle vast volumes of personal data but often face relatively minor financial consequences when breaches occur. The law stipulates that a 10 percent revenue-based fine may apply when the breach affects at least 10 million users, when a company fails to follow corrective orders within three years, or when evidence shows gross negligence or willful misconduct.

The new penalties, however, will not apply retroactively—meaning Coupang will not face the increased fines for its 2024 breach. Still, the incident was a direct catalyst for the bill’s passage, amid growing frustration over repeated lapses across major tech and e-commerce platforms.

Coupang Leadership Under Scrutiny

Tensions escalated this week during a parliamentary hearing convened to examine how Coupang handled the incident. Founder and CEO Bom Kim did not attend the session, saying he was unable to return to Seoul due to overseas business obligations. Lawmakers reacted sharply to his absence, accusing him of avoiding public responsibility for one of the nation’s largest data breaches to date.

“Chairman Bom Kim’s claim that he cannot attend because he is travelling abroad and is a global CEO is an act that mocks the public,” said lawmaker Choi Hyung-du, noting that executives from multinational companies such as Meta and Amazon have previously appeared before similar hearings.

Harold Rogers, Coupang’s interim CEO, appeared in Kim’s place and apologized for the incident. He told lawmakers the company has reinforced its security systems and is cooperating fully with authorities. Investigations so far indicate that attackers exploited vulnerabilities in overseas servers beginning around June 24, and Coupang only discovered the breach on November 18. The leaked data included customer names, phone numbers, email addresses, shipping details and order histories. Coupang said no financial or password information was compromised.

Push for Stronger Oversight

South Korean President Lee Jae-myung publicly supported the tougher penalties, calling for “greater corporate accountability in protecting citizens’ private data.” The government also added new requirements mandating that companies report breaches affecting 1,000 or more people within 72 hours of discovery—a measure intended to curb the lengthy delays that often occur before public disclosure.

If applied to Coupang’s case, the previous 3 percent limit could have cost the company over 1 trillion won (about US$680 million), based on its 2024 revenue of 30.3 trillion won. But lawmakers argued that even that figure may not be sufficient to deter major firms with billion-dollar turnovers, emphasizing that a percentage-based penalty linked to total revenue aligns better with global compliance standards.

The legislation also raises the maximum fixed fine for companies without significant revenue—from 2 billion won to 5 billion won—to ensure smaller organizations cannot evade meaningful punishment.

South Korea’s approach mirrors a tightening global pattern in privacy governance, following the European Union’s General Data Protection Regulation (GDPR) and similar reforms in Japan and Singapore. For regulators and privacy advocates, the Coupang incident underscored how long-standing vulnerabilities in domestic data systems can have significant consequences when left unchecked.

Analysts expect further guidance in 2026 on how the new 10 percent ceiling will be calculated, as lawmakers refine enforcement mechanisms to balance deterrence with fairness across industries.

The Coupang trademark is used under license from Coupang, LLC or its affiliates.
