The Act on the Promotion of Information Communication Network Utilization and Information Protection (“PICNUIA”) has been amended to include potential punitive damages for South Korean businesses that provide services over the internet. From 23 September this year, any serious data breach experienced by such businesses will lead to financial liability of up to three times

Ever since January 2014, when South Korea’s credit card industry lost huge amounts of customer data during a data breach, the South Korean government has been gradually announcing stricter penalties for those who run afoul of data protection rules. The latest amendment to the Personal Information Protection Act (PIPA), Bill No. 15737 (‘Amendment’), published 7 July, is no different and introduces punitive damages and statutory damages into Korea’s data protection legislation.

As a result of the Amendment, organisations that experience a data breach could find themselves faced with court-awarded damages of up to three times the actual damage caused from the ‘loss, theft, leakage, forgery, alteration or impairment of personal information because of a deliberate act or a serious error’. Consumers may claim statutory damages of up to 3 million Korean won (approx. £1,700). The Amendment also includes increased enforcement powers for the Personal Information Protection Committee, such as recommending policy and system changes, and handling dispute resolution. The Amendment also includes a certification mechanism for compliance with the PIPA.
Continue Reading South Korea introduces further data protection breach penalties to encourage compliance, and issues mobile app guidance