The Act on the Promotion of Information Communication Network Utilization and Information Protection (“PICNUIA”) has been amended to include potential punitive damages for South Korean businesses that provide services over the internet. From 23 September this year, any serious data breach experienced by such businesses will lead to financial liability of up to three times the actual damages suffered by their customers.

Additional amendments include the imposition of statutory fines of up to 3% of related revenue where companies fail to obtain prior customer consent when transferring customer personal data internationally (for access, management or storage).

The amendments to the PICNUIA were announced by the Korea Communications Commission (“KCC”) in March, and they authorise the KCC to impose corporate sanctions against top management in data breach cases, and order companies to delete any personal data exposed in such breaches.

Finally, from March next year, all smartphone application providers will require the consent of each app user to access the personal data stored within his or her smartphone.

These amendments bring the redress mechanisms of PICNUIA in line with the Personal Information Protection Act and the Protection of Credit Information Act, and highlight the trend of increasingly potent sanctions for data breaches in South Korea.