South Korea Amends Privacy Law to Authorize Fines of Up to 10% of Total Revenue
Time 2 Minute Read
Categories: International, Cybersecurity, Information Security, Security Breach

On February 12, 2026, South Korea’s National Assembly passed amendments to the Personal Information Protection Act (“PIPA”) authorizing administrative fines of up to 10% of a company’s total revenue in certain high-severity data breach cases.

The changes follow a series of large-scale data breaches across the telecommunications, platform and financial services sectors.

Under the revised framework, the Personal Information Protection Commission (“PIPC”) may seek fines of up to 10% of total revenue where a company:

  • intentionally or with gross negligence commits and repeats a violation within three years;
  • engages in intentional or grossly negligent conduct affecting 10 million or more individuals; or
  • fails to comply with a PIPC corrective order and a breach occurs.

The law also permits fine reductions, to be detailed by presidential decree, where companies demonstrate qualifying investments in privacy safeguards, including staffing, budget and technical measures.

Reporting obligations are expanded to cover forgery, alteration and damage, and in certain cases may require notification upon identifying a meaningful possibility of an incident. The amendments designate the business owner or representative as the “ultimate responsible person” for data protection and require certain organizations to report chief privacy officer designations to the PIPC.

The amendments take effect six months after enactment, subject to transition rules governing the new fine ceiling.

Tags: Personal Information, South Korea
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 3 Minute Read
Oklahoma Enacts Comprehensive Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act, which will take effect on January 1, 2027.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
UK ICO Publishes Guidance on Recognized Legitimate Interest Basis

On March 23, 2026, the UK Information Commissioner's Office released new guidance clarifying the use of the new recognized legitimate interest lawful basis for processing personal information under UK data protection law.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
CalPrivacy Reaches Settlement with Ford Motor Company Over CCPA Opt-Out Right Violations

On March 5, 2026, the California Privacy Protection Agency announced that the agency had reached a settlement with Ford Motor Company resolving an enforcement action against the company that alleged noncompliance with the California Consumer Privacy Act’s opt-out of sale/sharing rights.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
UK ICO Fines Reddit £14.47 Million for Failing to Protect Children’s Privacy

On February 24, 2026, the UK ICO announced that it had fined Reddit, Inc. £14.47 million following an investigation into the company’s handling of children’s personal information.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page