Parliamentary committee approves bill to fine companies up to 10% of revenue for personal data leaks

Lawmakers deliberate on bills during a plenary meeting of the National Policy Committee at the National Assembly building on Dec. 17. [YONHAP]

 
A parliamentary committee on Wednesday approved legislation that would allow regulators to fine companies up to 10 percent of their total revenue for serious personal data breaches, significantly raising the potential cost of large-scale leaks.
 
The National Policy Committee passed an amendment to the Personal Information Protection Act that would introduce the tougher penalty rules at a plenary meeting.
 

The bill raises the ceiling on administrative fines from the current 3 percent of total revenue to as much as 10 percent when large-scale personal data breaches occur.
 
The higher limit would apply only in specific cases, including repeated violations within three years caused by willful misconduct or gross negligence, breaches that affect at least 10 million people due to willful misconduct or gross negligence, and cases in which a leak occurs after a company fails to comply with corrective orders.
 
Under the current law, companies with no revenue or whose revenue is difficult to calculate face a maximum fine of 2 billion won ($1.4 million). The amendment would raise that cap to 5 billion won.
 
The amendment would also spell out in law a requirement that personal data handlers report breaches involving the personal or sensitive information of at least 1,000 people to the Personal Information Protection Commission within 72 hours of becoming aware of the incident. 
 
The provision was revised to state that details will be “as prescribed by presidential decree,” which lawmakers said aims to prevent companies from delaying reports after discovering a breach.
 
The revised law would not apply retroactively. Even if the National Assembly passes the bill in a plenary session, the tougher fine rules would not apply to Coupang, which recently reported a data breach compromising the personal information of more than 33 million users.
 
The committee also approved changes to the Special Act on the Prevention of Loss caused by Telecommunications-based Financial Fraud and Refund for Loss, expanding responsibility for preventing voice phishing and similar crimes, and for compensating their victims, to include virtual asset exchanges.
 
In addition, lawmakers passed an amendment to the Credit Union Act that raises the asset threshold for requiring a full-time auditor at credit unions from 200 billion won to 300 billion won.


This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY JEONG JAE-HONG [[email protected]]