On December 15, lawmakers from both the ruling and opposition parties agreed to pass an amendment to the Personal Information Protection Act during the first legislative subcommittee of the National Policy Committee of the National Assembly. The amendment allows the imposition of administrative fines of up to 10 percent of a company’s total revenue in cases where a data breach is caused by intent or gross negligence. The move was prompted by a massive customer data breach involving Coupang.

The key provision of the amendment is the imposition of administrative fines of up to 10 percent of total revenue or KRW 5 billion in cases of repeated or serious data breaches. Under the current Act, administrative fines are capped at three percent of the revenue related to the violation or KRW 2 billion.

However, the amendment does not impose punitive administrative fines for all personal data breach incidents. Such fines would apply only to serious violations, including cases where a company has repeatedly committed violations by intent or gross negligence within the past three years, where a company has caused harm to more than 10 million data subjects by intent or gross negligence, or where personal data breaches result from a company’s failure to comply with corrective orders issued by the government.

For data breaches that are not deemed serious violations, administrative fines will continue to be imposed at up to three percent of a company’s revenue, as under the current framework. Against the backdrop of Coupang’s large-scale personal data breach and the resulting public controversy, the amendment introduces an administrative fine regime that is punitive in nature.

At the same time, there have been growing calls to introduce a punitive damages regime and a class action mechanism in the area of personal data protection, in order to hold companies fully accountable for privacy violations.

President Jae Myung LEE has also indicated that the introduction of a class action regime is necessary, which prompted discussion as to whether the regime may be extended beyond the securities sector and what implications such an extension could have.

In the 22^nd National Assembly, several bills proposing the introduction of class actions for personal data infringement cases across all sectors involving consumer harm have been introduced and remain pending. These include the Class Action Act sponsored by Rep. Hye Ryun BACK, the Consumer Class Action Act sponsored by Rep. Ju Min PARK, and the Personal Information-Related Class Action Act sponsored by Rep. Yong Gi JEON.

As both the ruling and opposition parties share the view that data breach incidents are becoming increasingly serious, related legislation is expected to be discussed in the National Assembly.

As the first-ever Korean law firm to issue specialized legislative journals, D&A Public Sector Relations Group has been publishing the monthly Policy & Business Report since August 2019. The December 2025 issue of the P&B Report conducted a full inspection of legislation proposed to the National Assembly Subcommittee, Standing Committee, and Plenary Session from the opening of the 22nd National Assembly on November 15, 2025, to December 14, 2025, and selected and analyzed legislation with significant impact on corporate activities. In the case of major legislation, key mentions of legislators, members of the Standing Committee, and government officials are included.