Data Protection and Privacy 2025

SOUTH KOREA Law and Practice Contributed by: Brian Tae-Hyun Chung, Haewon Han, Ari Yoon and Jisoo Yoo, Kim & Chang

The PIPC, the KCC, the FSC and the MSIT have the authority to conduct investigations, for example through requests for information and on-site inspections. While the KISA does not have law enforcement authority, it often conducts investigations on behalf of the PIPC and the KCC. Although investigations are often initiated when data controllers report a data breach or personal information infringement to the regulators, the regulators also conduct regular, as well as ad hoc, inspections based on the relevant laws and regulations. The regulators, including the PIPC, the KCC and the FSC, issue an annual work plan at the beginning of each year, which helps businesses anticipate the industry sectors that may be a target that year. Investigations can also be triggered by media coverage of a specific incident or issue.

1.3 Enforcement Proceedings and Fines

Regulators must provide a written notice before commencing an investigation, as well as prior to imposing an administrative disposition. For an administrative disposition to be lawful, not only must the procedures be lawful, but the content of the disposition must also satisfy the principle of proportionality.

Where a data controller intends to object to an administrative fine, it may do so in writing and go through a trial. For other administrative dispositions, it may file an administrative appeal or an administrative lawsuit.

The administrative fine and the administrative penalty are both monetary sanctions for administrative violations, but they differ in the nature and severity of the offences they address. Typically, administrative fines are imposed for minor violations and have a maximum amount specified by law. In contrast, administrative penalties are reserved for more serious violations, with the maximum amount determined as a percentage of the violator’s revenue.

In practice, administrative fines are calculated based on a predetermined amount according to the type and number of violations. These fines can be adjusted – either increased or decreased – by considering factors such as the severity, duration, motive and damage caused by the violation, as well as other legal criteria. Generally, administrative penalties cannot exceed 3% of the violator’s total revenue, although revenue unrelated to the violation is to be excluded from this calculation. Administrative penalties may also be adjusted based on factors such as the number and duration of violations, the profits gained, voluntary corrective actions and efforts to mitigate damage.

Previously, the maximum base amount for administrative penalties was set at “no more than 3% of the revenue related to the violation”. However, with the implementation of the amended PIPA in 2023, this base amount was changed to “no more than 3% of the total revenue”, while allowing for the exclusion of unrelated revenues. Consequently, with the burden of proving that revenue is unrelated to the violation shifted to the data controller, the amounts of imposed administrative penalties have been increasing.

1.4 Data Protection Fines in Practice

Below are key regulatory actions taken by the PIPC and KCC from 2022 to 2024. As regulations have recently been strengthened, it is important to proactively assess potential legal violation risks and identify conduct that may be problematic, for effective risk management.
