The recent breach of 33.7 million personal information records at Coupang raises fundamental questions about the safety of South Korea's digital environment. It surpasses the earlier breach at SK Telecom (approximately 23.24 million people) and is the largest privacy breach in the country's history. Public attention has centered on the fact that the incident has become a critical test of the effectiveness of South Korea's Personal Information Protection Act (PIPA). Under the current law, violators can be fined up to 3% of revenue, calculated over the three business years immediately preceding the violation, which means that a company with revenue on Coupang's scale could in theory be fined as much as KRW 1 trillion. There is, however, a significant gap between this astronomical theoretical cap and regulators' actual enforcement power, and this case has made that gap visible.

The theoretical trillion won clashes with real-world mitigating factors

PIPA caps fines at 3% of the revenue associated with the violation. Applied to Coupang's annual revenue, that yields a figure of over KRW 1 trillion. The actual process of calculating a fine, however, is not that simple.

1. Limitations of calculating 'relevant revenue'

The administrative penalty is in practice calculated on the revenue of the services directly related to the breach. The largest administrative penalty actually imposed for a domestic privacy breach is the KRW 134.7 billion levied on SK Telecom. That is the largest administrative sanction ever imposed on a large Korean company with revenue in the trillions of won, and given the need for legal certainty and the weight of existing precedent it is practically impossible for regulators to depart far enough from that figure to reach hundreds of billions or a trillion won. While KRW 1 trillion is an alarming number for the public, structural constraints make the realistic enforcement ceiling much lower.

2. Corporate defense logic: leveraging exemptions and mitigating circumstances

Companies are likely to invoke mitigating circumstances when fines are calculated. The Enforcement Decree of the Personal Information Protection Act provides for a 30-50% reduction, taking into account the offending business's level of security investment, the difficulty of continuing its business, and the severity of the violation. Coupang recently disclosed that it has invested more than KRW 270 billion in information security over the past four years, and it may argue for a reduction on the basis of that investment record.

Regulators, however, are expected to apply a strict standard this time and to require companies to prove that they actually have sufficient security management systems in place, since past decisions to reduce fines have drawn 'leniency controversies'.

Structural vulnerabilities: repeated incidents and failures of 'operational security'

What made the Coupang incident so controversial was not only its scale, but also the structural weaknesses in the company's internal management and crisis response.

1. Controversy and lack of transparency

Coupang's initial response to the breach was heavily criticized. The company at first reported the incident as an "exposure" rather than a "leak", which could be read as a strategic choice to downplay its severity, the primary criterion for determining legal liability. Although the company later changed the term to "leak" and republished the notice after criticism from the Personal Information Protection Commission, the initial notice was faulted for a lack of transparency because it omitted sensitive data elements such as shared building-entrance door codes.

Furthermore, the fact that the breach was traced to unauthorized access by a former employee, a Chinese national, rather than to an external hack, pointed to failures across operational security, including access control, human resources processes, and employee account management, not merely technical issues. Internal control failures make it hard for an organization to prove that it took the required safety measures, and they are more likely to be assessed as gross negligence, which is difficult to mitigate when fines are set.
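The control that failed here, a departed insider whose access outlived their employment, is something an organization can check for mechanically by joining the HR offboarding feed against access logs and against the account directory. The following is an added example written for this article, not Coupang's code or data: the HR records, the directory snapshot and the log lines are all constructed, and the single-line log format (timestamp, user, source IP, country, action, object) is a hypothetical one chosen for the illustration.

```python
"""Added example (not from the article or from Coupang): detect use of
accounts after their owner's last working day, and accounts that remain
enabled after that day. All data below is constructed for the example;
the log format is hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed HR offboarding feed: username -> last working day (UTC).
OFFBOARDED = {
    "jlee": datetime(2025, 6, 30, tzinfo=timezone.utc),
    "mkim": datetime(2025, 7, 15, tzinfo=timezone.utc),
}

# Constructed directory snapshot: accounts still enabled on the audit date.
ENABLED_ACCOUNTS = {"jlee", "hpark", "mkim"}

# Constructed access log in a hypothetical format:
# <ISO-8601 ts> <user> <src_ip> <country> <action> <object>
SAMPLE_LOG = """\
2025-06-29T09:12:44Z jlee 10.0.4.21 KR READ customer_profile
2025-07-02T23:41:10Z jlee 203.0.113.7 CN EXPORT customer_profile
2025-07-03T01:05:32Z jlee 203.0.113.7 CN EXPORT customer_address
2025-07-10T08:00:01Z hpark 10.0.4.30 KR READ order_history
2025-07-14T14:22:09Z mkim 10.0.4.30 KR READ order_history
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    src_ip: str
    country: str
    action: str
    obj: str


def parse_line(line: str) -> AccessEvent:
    """Parse one log line; 'Z' is normalized so fromisoformat yields an aware datetime."""
    ts, user, ip, country, action, obj = line.split()
    return AccessEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       user, ip, country, action, obj)


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def access_cutoff(last_day: datetime, grace: timedelta = timedelta(0)) -> datetime:
    """Access is legitimate through the end of the last working day, plus any grace."""
    return last_day + timedelta(days=1) + grace


def post_termination_access(events, offboarded, grace=timedelta(0)) -> list:
    """Events in which an offboarded account was used after its cutoff."""
    hits = []
    for ev in events:
        last_day = offboarded.get(ev.user)
        if last_day is not None and ev.ts >= access_cutoff(last_day, grace):
            hits.append(ev)
    return hits


def stale_enabled_accounts(enabled, offboarded, as_of: datetime) -> list:
    """Accounts still enabled although the owner's cutoff has passed (deprovisioning gap)."""
    return sorted(u for u in enabled
                  if u in offboarded and as_of >= access_cutoff(offboarded[u]))


def summarize(hits) -> dict:
    """Per-user view a reviewer would triage: volume, source countries, bulk exports."""
    out = {}
    for ev in hits:
        s = out.setdefault(ev.user, {"events": 0, "countries": set(), "exports": 0})
        s["events"] += 1
        s["countries"].add(ev.country)
        if ev.action == "EXPORT":
            s["exports"] += 1
    return out


if __name__ == "__main__":
    hits = post_termination_access(parse_log(SAMPLE_LOG), OFFBOARDED)
    for ev in hits:
        print(f"POST-TERMINATION {ev.ts.isoformat()} {ev.user} {ev.country} {ev.action} {ev.obj}")
    print("summary:", summarize(hits))
    audit_date = datetime(2025, 7, 10, tzinfo=timezone.utc)
    print("still enabled after cutoff:", stale_enabled_accounts(ENABLED_ACCOUNTS, OFFBOARDED, audit_date))
```

Run against the constructed data, the script flags the two EXPORT events by jlee from a foreign address after the 30 June last working day, leaves mkim's in-tenure access alone, and reports jlee as still enabled on the 10 July audit date. In a real environment the two inputs come from the HR system of record and the identity provider, and the "still enabled after cutoff" list is the one that should be empty every day.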

2. ISMS-P certification called into question, and barriers to withdrawal

Coupang suffered repeated data breaches despite holding ISMS-P (Personal Information and Information Security Management System) certification, the national certification scheme for information security and privacy management. This led to criticism that the certification operated as a formality rather than a real safeguard, and in response the government initiated a structural overhaul of the scheme, including revoking certification for serious violations and strengthening on-site verification audits.

The Personal Information Protection Commission also pointed out that Coupang's membership withdrawal process was designed to be cumbersome, requiring users first to cancel their paid WoW membership subscription, and that it thus acted as a "termination barrier" hindering users' right to self-determination over their data. This was read as subordinating the purpose of the law (a simple withdrawal process) to the company's commercial interests.

Comparing overseas cases: deeper civil remedies are needed

While Korea's privacy law has high theoretical penalty caps, actual enforcement amounts are relatively low compared with those overseas. This is because Korea's sanctions regime is weighted heavily toward administrative sanctions, and it reveals a fundamental limitation: the absence of a civil remedy system that guarantees substantial monetary compensation to victims.

1. Punitive enforcement under the EU GDPR

The European Union's GDPR caps fines at 4% of global annual turnover, numerically not far from South Korea's 3%, but actual enforcement is in a different league. The EU has imposed fines running into the billions of euros in total on platform giants such as Meta, Amazon, and TikTok for breaches of its data protection principles. These fines are not driven by the size of a breach but by the nature of the violation itself, such as structural problems and mismanagement of data processing.

2. Implications of the Equifax case in the US

In the US, class action lawsuits and settlement structures play a larger role than administrative sanctions. After its 2017 breach, in which a known but unpatched vulnerability led to the compromise of about 147 million people's information, the credit reporting company Equifax agreed in 2019 to pay up to $700 million in regulatory penalties and consumer settlements. A large part of that amount went directly to victims as cash compensation, free credit monitoring, and similar relief.

In light of these overseas cases, Korean law firms have been filing punitive damages suits against Coupang's U.S. parent in addition to suits in domestic courts, reflecting victims' distrust of domestic remedies, under which damages are hard to prove and substantial compensation hard to obtain.

Comparison of domestic and international data breach sanctions

Category | South Korea (PIPA, current) | EU (GDPR) | US (Equifax case)
Upper limit of sanctions | no more than 3% of relevant turnover | no more than 4% of global annual revenue | large civil settlements and fines
Largest enforcement cases | SKT (KRW 134.7 billion) | Meta, Amazon and others (multi-billion-euro fines) | Equifax (settlement of up to $700 million)
Victim remedy | statutory damages (KRW 3 million), class action (injunctive claims only) | remedies through DPAs, civil lawsuits | direct cash awards through class actions and settlement funds

Substantive damages and future regulatory directions

The Coupang case ultimately exposed the reality that mechanisms to protect consumers after a data breach are still lacking. As reports of secondary harm continue to emerge (login attempts from foreign IP addresses, phishing, and so on), consumers are voluntarily joining class actions to hold the company accountable.

1. Strengthening punitive sanctions and class action lawsuits

To address this situation, the Personal Information Protection Commission is pursuing system improvements. A punitive-fine provision is being introduced that would raise the upper limit from the current 3% to as much as 10% for serious or repeat violations where intent or gross negligence is found or where the damage is large.

In addition, amendments are being discussed to allow claims for damages in collective actions under PIPA, which are currently limited to demands that infringing conduct cease, so that victims can obtain real financial compensation. The establishment of a so-called "Personal Information Damage Recovery Support Fund", financed from fines imposed for violations and used to compensate victims, is also under consideration. These measures would mark a major turning point in South Korea's privacy protection system, shifting its focus from administrative sanctions to victim relief.

2. Changing behavior of businesses and consumers

At the end of the day, privacy breaches are a matter of trust, not just technology. Businesses need to make the CEO the final accountable authority for the handling and protection of personal information, so that security awareness and investment are driven at the executive level. Rather than hiding or minimizing incidents, they must disclose information quickly and transparently and immediately put practical safeguards in place, such as blocking logins from overseas, real-time alerts, and two-factor authentication enforced by default.

Consumers, too, need to adopt basic measures such as changing passwords, blocking international logins, and making a habit of not storing more sensitive information on platforms than necessary. Beyond holding companies accountable, the Coupang incident is a call for society as a whole to raise its digital safety standards. It is time to change how we build safe digital environments, so that they rest on real consequences and victim redress rather than on formal certifications and theoretical fines.