Privacy & Cybersecurity Law Blog

On February 12, 2026, South Korea’s National Assembly passed amendments to the Personal Information Protection Act (“PIPA”) authorizing administrative fines of up to 10% of a company’s total revenue in certain high-severity data breach cases.

The changes follow a series of large-scale data breaches across the telecommunications, platform and financial services sectors.

Under the revised framework, the Personal Information Protection Commission (“PIPC”) may seek fines of up to 10% of total revenue where a company:

• intentionally or with gross negligence commits and repeats a violation within three years;
• engages in intentional or grossly negligent conduct affecting 10 million or more individuals; or
• fails to comply with a PIPC corrective order and a breach occurs.

The law also permits fine reductions, to be detailed by presidential decree, where companies demonstrate qualifying investments in privacy safeguards, including staffing, budget and technical measures.

Reporting obligations are expanded to cover forgery, alteration and damage, and in certain cases may require notification upon identifying a meaningful possibility of an incident. The amendments designate the business owner or representative as the “ultimate responsible person” for data protection and require certain organizations to report chief privacy officer designations to the PIPC.

The amendments take effect six months after enactment, subject to transition rules governing the new fine ceiling.