The Personal Information Protection Commission (Chairperson Song Kyung-hee) announced on the 14th that it will form and launch the ‘System Improvement Task Force’ in October to prevent the recurrence of recent large-scale personal information leaks. This measure follows the ‘Enhancement Plan for Personal Information Safety Management System’ announced by the commission on September 11.
Through the amendment of the Personal Information Protection Act in September 2023, the commission has raised the upper limit of fines from ‘3% of revenue related to the violation’ to ‘3% of total revenue.’ As a result, the amount of fines imposed significantly increased from 23.2 billion won in 2023 to 61.1 billion won in 2024, and to 165.8 billion won as of September 2025.
Nevertheless, hacking incidents continue to occur at telecommunications and financial companies, and some businesses repeatedly experience personal information leaks, heightening public anxiety. The increase in damage cases underscores the urgent need for institutional responses.
Therefore, the commission will focus its system improvements on three key tasks: strengthening the effectiveness of sanctions, expanding preventive investment, and linking support for damage relief.
To increase the effectiveness of sanctions, heavier fines for companies with repeated data breaches are under consideration. Raising fines and introducing a punitive fine system are also being discussed. Additionally, the introduction of criminal penalties for illegal distribution of personal information under the Personal Information Protection Act is being reviewed.
To expand preventive investment, companies will be encouraged to protect personal information voluntarily. Grounds for regular inspections in the field of large-scale personal information processing are to be established, and incentives will be offered for strengthening encryption or authentication, voluntary reporting, and compensation measures.
For damage relief, the measures under consideration include expanding individual notifications to all people potentially affected by leaks and strengthening reporting and notification obligations. Furthermore, a ‘fund’ that would use the collected fines to support actual damage relief and investment in personal information protection is being discussed.
In addition, if a business voluntarily presents a damage relief plan, the commission may confirm it through a decision, and discussions on enhancing the effectiveness of damage settlement insurance are also underway.
The commission plans to compose the Task Force of experts from academia, related organizations, and the legal sector in the fields of personal information protection and information security, and to operate it actively starting in October. Subsequently, detailed system improvement plans will be prepared by the end of the year in parallel with policy research, and a public hearing will be held to gather opinions from industry and civic groups.
