Administrative penalty surcharge — Article 34-2 PIPA and the 3% revenue ceiling
The administrative penalty surcharge (과징금, gwajingeum) is the PIPC's primary economic sanction for personal-information violations under the Personal Information Protection Act (PIPA). Article 34-2 PIPA, as amended effective 15 September 2023 (Act No. 19234, 14 March 2023), authorizes the PIPC to impose a penalty surcharge of up to 3% of the controller's total annual revenue for specified violations, calculated on the average annual sales for the past three business years.
Scope and calculation base — total revenue since September 2023
Prior to the September 2023 amendments, penalty surcharges applied only to online information and communications service providers (ICSPs) and were capped at 3% of the revenue related to the violation. The 2023 reform unified enforcement across all personal-information controllers—both offline and online, both domestic and foreign—and broadened the base to 3% of total revenue, which is a significantly wider penalty exposure than the prior related-revenue standard.
The PIPC retains discretion to exclude revenue demonstrably unrelated to the violation when calculating the final assessment, but Article 34-2(2) PIPA places the burden of proof on the controller to establish that a particular revenue stream was generated from acts unrelated to the violation. In the absence of such proof, the surcharge is calculated against the full average three-year revenue base. The detailed assessment methodology—base rates, severity grades, aggravating and mitigating factors, and exclusion criteria—is specified in Appendix 2 of the Enforcement Decree of PIPA (Presidential Decree No. 34421, as amended September 2023).
Triggering violations under Article 34-2(1) PIPA
The PIPC may impose a penalty surcharge for the following violations enumerated in Article 34-2(1):
- Processing personal information beyond the scope of consent or the lawful bases specified in Article 15(1) (Article 15(2) violation);
- Providing personal information to a third party without consent or a lawful basis (Article 17(1) violation);
- Outsourcing personal-information processing to a third party without notice or consent (Article 26(2) violation);
- Cross-border transfer of personal information without compliance with the notification and consent requirements, or without reliance on an alternative lawful mechanism such as an adequacy determination, standard contract, or certification (Article 28-2 violation, as amended effective 15 September 2023);
- Failure to designate a domestic representative when required under Article 39-12 PIPA (applicable to foreign controllers with annual revenue exceeding KRW 1 trillion, processing personal data of more than one million Korean data subjects per day on average during the prior three months, or upon PIPC request under Article 63(1));
- Security breach or negligence resulting in the leakage, alteration, or loss of personal information (Article 29 violation);
- Failure to notify data subjects of cross-border processing when outsourcing or storing personal information abroad for contract performance (Article 28-2(1)(2) violation, applicable to the notification requirement in force since 15 September 2023).
The penalty surcharge is imposed in addition to any corrective order under Article 64 PIPA, and failure to comply with the corrective order itself is separately sanctionable under Article 75(2) PIPA (administrative fine up to KRW 100 million).
2023 shift from criminal sanctions to administrative penalties
The September 2023 PIPA amendments partially decriminalized personal-information violations by replacing imprisonment and criminal fines with the Article 34-2 penalty surcharge for many offenses. Prior to the reform, controllers who provided personal information to a third party without consent faced imprisonment for up to five years or a criminal fine of up to KRW 50 million under Article 71 PIPA. The 2023 amendments removed that criminal liability for ordinary controllers and replaced it with the administrative penalty surcharge, reserving criminal penalties (Articles 71–73 PIPA) for more egregious conduct such as knowingly receiving stolen personal information, arbitrarily manipulating video surveillance equipment, or processing pseudonymized information with intent to re-identify a specific individual.
However, the shift to economic sanctions has increased penalty exposure in absolute terms: the 3% revenue cap far exceeds the prior KRW 50 million criminal fine for large controllers. The PIPC's 8 May 2024 penalty of KRW 7.5 billion (approximately USD 5.2 million) against Golfzon—the largest administrative penalty imposed on a domestic company—demonstrates the new regime's deterrent reach. Foreign controllers have also faced substantial assessments: in July 2024 the PIPC fined AliExpress KRW 1.978 billion for cross-border transfer violations, and in January 2025 the PIPC imposed KRW 5.9 billion on KakaoPay and KRW 2.4 billion on Apple Distribution International Limited for failing to notify users of cross-border data processing via a service relationship with Alipay.
Enforcement trends and PIPC discretion
The PIPC's 2024 enforcement priorities included proactive inspections in key sectors (financial services, telecommunications, e-commerce, cross-border data flows), expanded use of the penalty surcharge to replace criminal sanctions, and heightened scrutiny of foreign operators under the extraterritorial-scope provisions of Article 2(2) PIPA. The April 2024 Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators confirmed that PIPA applies when goods or services are provided to Korean data subjects, when personal information is processed in a manner that directly or significantly affects Korean data subjects, or when the operator maintains a place of business within South Korean territory—a broad interpretation consistent with the GDPR's targeting test.
Controllers subject to a PIPC investigation should anticipate detailed revenue-disclosure requests under Article 63 PIPA and should prepare contemporaneous documentation segregating revenue streams unrelated to the alleged violation if they wish to argue for a reduced calculation base under Article 34-2(2).
Source: Personal Information Protection Act (PIPA) — Act No. 19234, effective 15 September 2023
Source: PIPC — Laws & Regulations
Criminal penalties under Articles 70–73 PIPA — imprisonment and fine tiers
The Personal Information Protection Act (PIPA) retains criminal liability for egregious personal-information violations, notwithstanding the 2023 shift from criminal sanctions to administrative penalty surcharges for many ordinary processing violations. Articles 70 through 73 PIPA establish a three-tier sentencing structure based on the gravity of the offense, with imprisonment terms ranging from three to ten years and fines from KRW 30 million to KRW 100 million. Criminal proceedings under PIPA are prosecuted by the public prosecutor's office following investigation and referral by the Personal Information Protection Commission (PIPC), or upon direct complaint by a data subject when the controller has violated the data subject's rights under Article 4 PIPA.
Article 70 — imprisonment up to 10 years (most severe tier)
Article 70 PIPA provides for imprisonment with labor for not more than ten years or a fine not exceeding KRW 100 million (approximately USD 70,000 as of 2026) for the following offenses:
- Acquisition or use of personal information through theft or fraudulent means in violation of Article 59 PIPA (as amended 24 July 2015). This offense criminalizes a person who steals personal information from a controller or processor, or obtains it through deception, fraud, or other unlawful means (for example, social engineering, hacking, or impersonation). The ten-year maximum is the highest penalty tier in PIPA and reflects the legislature's determination that theft of personal data is analogous in harm to theft of property or other valuable assets.
- Receipt or use of stolen personal information with knowledge that it was obtained unlawfully. A person who knowingly receives, uses, or discloses personal information obtained by another person through theft or fraud is subject to the same ten-year maximum as the original thief, reflecting joint criminal liability for downstream exploitation of stolen data.
Article 70 does not require proof of financial gain or intent to cause harm; knowledge that the personal information was unlawfully obtained is sufficient for conviction. The ten-year ceiling applies even when the defendant is a natural person acting outside an organizational context (for example, an individual hacker or data broker).
Article 71 — imprisonment up to five years (intermediate tier)
Article 71 PIPA, as amended 14 March 2023 (effective 15 September 2023), provides for imprisonment with labor for not more than five years or a fine not exceeding KRW 50 million for the following offenses:
- Intentional re-identification of pseudonymized personal information in violation of Article 28-5(1) or Article 28-6(3) PIPA. PIPA permits processing of pseudonymized data for statistical analysis, scientific research, and public-records management without consent (Article 28-2), but Article 28-5 prohibits any person from processing pseudonymized information with the intent or for the purpose of re-identifying a specific data subject. A person who deliberately reverses pseudonymization to identify an individual—for example, by combining pseudonymized datasets with auxiliary data to isolate a unique individual—commits a criminal offense under Article 71.
- Unlawful access to or leakage of personal information processed by a video-information processing device in violation of Article 25(5) PIPA. Video-information processing devices (CCTV, surveillance cameras, dashcams, and other recording equipment) are subject to heightened restrictions under PIPA, including installation notice, purpose limitation, retention-period limits, and viewing-access controls. A person who accesses recorded video footage without authorization, leaks footage to a third party, or uses footage for a purpose incompatible with the original collection purpose commits a criminal offense. This provision applies to employees of the controller (for example, building-security staff who improperly access CCTV feeds), as well as third parties who hack into surveillance systems.
- Arbitrary manipulation or alteration of a video-information processing device to perform functions not disclosed in the installation notice or to operate the device in a manner that violates Articles 25(1)–(4) PIPA. For example, a building owner who installs a CCTV camera with facial-recognition capability but does not disclose that capability in the posted notice commits a criminal offense if the camera is later activated to perform facial recognition without updating the notice and obtaining consent.
The five-year maximum under Article 71 reflects legislative concern about the intrusive nature of video surveillance and the heightened privacy harm from re-identification of pseudonymized data. Prior to the 2023 PIPA amendments, Article 71 also criminalized providing personal information to a third party without consent (former Article 71(2)), but that offense was removed from the criminal tier and replaced with the administrative penalty surcharge under Article 34-2(1)(2) PIPA.
Article 72 — imprisonment up to three years (least severe criminal tier)
Article 72 PIPA, as amended 14 March 2023, provides for imprisonment with labor for not more than three years or a fine not exceeding KRW 30 million for the following offense:
- Violation of Article 59 PIPA by processing personal information beyond the scope permitted for a person who became aware of personal information in the course of performing duties under PIPA or another Act. Article 59 PIPA imposes a confidentiality obligation on current and former employees of the PIPC, designated complaint-handling institutions (such as the Korea Internet & Security Agency, KISA), and sectoral regulators who obtain access to personal information in the course of investigating complaints, conducting audits, or performing other official duties. A PIPC investigator who discloses personal information obtained during an on-site inspection to a third party for personal gain, or who uses that information for a purpose unrelated to the official investigation, commits a criminal offense under Article 72.
This provision also applies to employees of private-sector controllers and processors who process personal information beyond the scope of their duties, but the three-year maximum is reserved for violations by persons who obtained the information because of their official or employment status under PIPA (Article 59), as distinct from theft or fraud under Article 70.
Article 73 — attempt liability
Article 73 PIPA provides that an attempt to commit any offense under Article 70 or 71 is punishable. PIPA does not criminalize attempts to commit Article 72 offenses. Attempt liability attaches when a person takes a substantial step toward committing the offense but does not complete it—for example, a person who initiates a re-identification algorithm against pseudonymized data with intent to identify a data subject but is stopped before the algorithm completes, or a person who begins unauthorized access to a CCTV system but is detected and blocked before viewing any footage.
The sentencing range for an attempt is the same as for the completed offense under Articles 70–71 (up to ten or five years, respectively), but South Korean courts have discretion to mitigate the sentence under Article 25 of the Criminal Act when the attempt did not result in harm.
Confiscation of criminal proceeds — Article 74 PIPA
Article 74 PIPA authorizes the court to confiscate any money, goods, or other profits acquired by a person who has violated Articles 70 through 73 in relation to the violation, or to collect the equivalent value if confiscation is impossible (for example, if the proceeds have been spent or transferred). Confiscation or collection may be levied in addition to the imprisonment or fine imposed under Articles 70–72. For example, if a data broker knowingly purchased stolen personal information for KRW 10 million and resold it for KRW 50 million, the court may confiscate the KRW 50 million gross proceeds (or collect that value if the funds are no longer available) in addition to imposing a sentence of up to ten years' imprisonment and a fine of up to KRW 100 million.
Prosecution discretion and the 2023 decriminalization trend
The March 2023 PIPA amendments narrowed the scope of criminal liability by removing several offenses from Articles 70–72 and replacing them with administrative penalty surcharges under Article 34-2. Prior to the reform, a controller who provided personal information to a third party without consent faced criminal liability (imprisonment up to five years or a fine of up to KRW 50 million under former Article 71(2)). The 2023 amendments eliminated that criminal exposure for ordinary controllers and replaced it with an administrative fine of up to 3% of total revenue, reserving criminal penalties for theft, intentional re-identification, and video-surveillance violations.
However, the PIPC retains discretion to refer cases to the public prosecutor even when an administrative penalty has been imposed. In practice, the PIPC refers for criminal prosecution only when the violation involves intentional misconduct, significant harm to data subjects, or refusal to comply with corrective orders. The shift from criminal to administrative enforcement reflects a legislative judgment that economic sanctions are more effective than imprisonment for deterring ordinary processing violations by corporate controllers, while preserving imprisonment for natural persons who commit theft, fraud, or other intentional harms.
Interplay with administrative penalties
Article 75 PIPA clarifies that no additional administrative fine shall be imposed under Article 75 for any act subject to criminal penalties under Articles 70–73. However, the PIPC may impose an administrative penalty surcharge under Article 34-2 before referring the case for criminal prosecution, and the surcharge is not automatically refunded if the prosecutor declines to indict or the court acquits the defendant. Controllers subject to both criminal investigation and an administrative penalty proceeding should coordinate their legal strategy to avoid inconsistent defenses.
Private right to damages — Articles 39, 39-2, and 39-3 PIPA civil compensation and punitive damages
The Personal Information Protection Act (PIPA) grants data subjects a private right of action to claim compensatory and punitive damages directly from personal-information controllers and processors who violate PIPA obligations. Articles 39 through 39-3 PIPA establish a three-tier civil-liability framework: (1) general tort-based damages under Article 39(1) PIPA, requiring proof of fault and actual harm; (2) statutory damages under Article 39-2 PIPA (up to KRW 3 million per violation) when the amount of loss is difficult to prove but a qualifying breach occurred; and (3) punitive damages under Article 39-3 PIPA of up to five times actual damages when the violation resulted from intentional or grossly negligent conduct. This private-enforcement regime operates in parallel with the Personal Information Protection Commission's (PIPC) administrative penalty surcharge under Article 34-2 PIPA and criminal penalties under Articles 70–73 PIPA, giving data subjects independent standing to seek compensation without awaiting PIPC enforcement action.
Article 39(1) — general damages for fault-based violations
Article 39(1) PIPA provides that a personal-information controller or processor who violates PIPA obligations and thereby causes property damage or mental suffering to a data subject shall be liable to compensate for the resulting damages. This provision adopts a fault-based negligence standard consistent with the Korean Civil Act (Articles 750–751): the data subject must prove (i) that the controller violated a PIPA obligation (for example, processed personal information without a lawful basis under Article 15 PIPA, provided data to a third party without consent under Article 17 PIPA, or failed to implement security measures under Article 29 PIPA), (ii) that damage occurred (pecuniary loss or mental distress), (iii) causation between the violation and the harm, and (iv) that the controller acted with intent or negligence.
Burden of proof on the controller — Article 39(2) reversal
Article 39(2) PIPA reverses the burden of proof on fault once the data subject establishes that a PIPA violation occurred and that damage resulted. The statute provides that "when personal information has been infringed, the relevant personal information controller shall be liable for such damage," and the controller may avoid liability only if it proves that "there was no intention or negligence on its part." This reversal places the burden on the controller to affirmatively demonstrate that it took all reasonable measures to comply with PIPA and that the violation occurred despite those measures (for example, a security breach caused by a novel zero-day exploit against which the controller had implemented state-of-the-art defenses).
In practice, Korean courts have interpreted the reversed burden narrowly: a controller that did not implement baseline security measures required under Article 29 PIPA and the Security Safeguard Standards (Notification No. 2023-63 of the PIPC, effective 15 September 2023) will not satisfy the no-fault defense merely by showing that the breach was committed by a sophisticated third-party attacker. The controller must demonstrate specific, documented compliance efforts (encryption of sensitive data at rest and in transit, access controls, penetration testing, and incident-response planning) and show that the breach was unforeseeable notwithstanding those measures.
Compensable harm — pecuniary and non-pecuniary damages
Article 39(1) compensates both property damage and mental suffering (정신적 고통). Property damage includes direct financial loss such as fraudulent charges on a credit card after a data breach, identity-theft remediation costs, and loss of business reputation for a legal-entity data subject. Mental suffering encompasses emotional distress, anxiety, and loss of privacy, which Korean courts treat as compensable non-pecuniary harm analogous to pain and suffering in personal-injury cases.
However, Korean courts have imposed a high evidentiary bar for non-pecuniary damages in data-breach cases. The Supreme Court of Korea, in a February 2026 decision involving encrypted email-address leaks, held that a data subject must prove that the leaked information was sufficiently sensitive and identifiable to cause actual mental distress; the mere fact that a breach occurred does not, without more, establish compensable mental harm. The Court ruled that lower courts should consider the nature of the leaked data (highly sensitive categories such as resident registration numbers, health records, or financial account details versus less-sensitive identifiers such as encrypted email addresses), the identifiability of the data subject (whether the leaked data included the data subject's name or other direct identifiers), and the risk of misuse (whether the data was accessed by malicious third parties or remained within a controlled environment). This decision sharply limits Article 39(1) damages for low-sensitivity breaches and signals that controllers may successfully defend mental-distress claims by showing that leaked data was anonymized, encrypted, or otherwise not linked to an identifiable individual.
Article 39-2 — statutory damages of up to KRW 3 million
Article 39-2 PIPA, as amended effective 15 September 2023, authorizes Korean courts to award statutory damages of up to KRW 3 million (approximately USD 2,100 as of June 2026) per violation when a data subject proves that personal information was lost, leaked, stolen, altered, or damaged due to the controller's intent or negligence, but the exact amount of damages is difficult to prove. This provision eliminates the need for the data subject to quantify pecuniary or non-pecuniary harm, shifting the court's inquiry from damages calculation to whether a qualifying breach occurred.
The KRW 3 million cap is a statutory ceiling, not a presumptive award. Courts retain full discretion to award any amount from zero to KRW 3 million based on the severity of the violation, the sensitivity of the data, the number of data subjects affected, and the controller's degree of fault. In practice, Korean district courts have awarded statutory damages in the range of KRW 100,000 to KRW 500,000 per plaintiff in class-action data-breach cases (for example, the ongoing Coupang litigation as of June 2026, involving claims by thousands of data subjects for a December 2024 breach of delivery-address and contact data).
Statutory damages do not apply when no compensable harm exists
The Supreme Court of Korea clarified in February 2026 that Article 39-2 does not impose a damages-compensation obligation where no actual damage exists, notwithstanding that a technical breach occurred. The Court held that statutory damages are available only when the data subject proves that the breach caused at least some minimal harm (for example, a risk of identity theft, increased spam, or emotional distress), even if the exact quantum is difficult to measure. A controller may therefore defeat a statutory-damages claim by proving affirmatively that the leaked data was encrypted and the encryption key was not compromised, that no third party accessed the data, or that the data subject took no remedial action and suffered no identifiable harm. This holding has been criticized by privacy advocates as undermining the deterrent purpose of statutory damages, but it reflects the Court's textualist interpretation of Article 39-2's requirement that "damages" (損害) must have occurred.
Article 39-3 — punitive damages up to five times actual damages
Article 39-3 PIPA, as amended effective 15 September 2023 (Act No. 19234, 14 March 2023), authorizes courts to award punitive damages of up to five times the amount of actual damages (property damage plus non-pecuniary harm under Article 39(1)) when the controller violated PIPA intentionally or with gross negligence and the violation caused harm to the data subject. Prior to the 2023 amendments, Article 39-3 authorized punitive damages of up to three times actual damages; the September 2023 reform raised the multiplier to five to align South Korea's punitive-damages regime with the deterrent reach of the EU GDPR's administrative fines and the U.S. state statutory-damages frameworks.
Triggering standard — intent or gross negligence
Punitive damages under Article 39-3 require proof that the controller acted with intent (고의, deliberately violated PIPA knowing the conduct was unlawful) or gross negligence (중대한 과실, reckless disregard for PIPA obligations). Ordinary negligence—failure to comply with PIPA despite a reasonable effort—does not support punitive damages. Korean courts have defined gross negligence in the data-protection context as a failure to implement baseline security measures required under Article 29 PIPA and the Security Safeguard Standards when the controller knew or should have known that personal information was at significant risk of leakage or misuse. Examples from PIPC enforcement actions that would likely satisfy the gross-negligence standard include storing unencrypted resident registration numbers in plaintext databases accessible via the internet, failing to patch known critical vulnerabilities for months after vendor disclosure, or processing special-category personal information (health, biometric, or financial data) without access controls or audit logging.
Punitive damages are calculated as a multiple of actual damages
Article 39-3 punitive damages are calculated as a multiple of the actual damages awarded under Article 39(1)—both pecuniary and non-pecuniary harm. If a court awards KRW 1 million in actual damages for identity-theft remediation costs and emotional distress, the court may award up to an additional KRW 5 million in punitive damages (5× KRW 1 million) for a total recovery of KRW 6 million. However, if the court finds that the data subject suffered no actual damages—or awards only nominal damages—the punitive-damages multiplier applies to that nominal base, resulting in a de minimis punitive award.
This structure has limited the deterrent reach of Article 39-3 in practice. The Incheon District Court, in a 2021 decision (2021Na74344), held that Article 39-3 punitive damages should be calculated only on objectively quantifiable pecuniary harm (property damage), not on non-pecuniary mental distress, because mental distress is inherently subjective and difficult to prove with precision. The Court reasoned that allowing punitive damages to be multiplied against non-pecuniary awards would introduce excessive uncertainty and expose controllers to unpredictable liability. This interpretation remains contested—other district courts have applied the multiplier to total damages including mental distress—but it reflects a conservative judicial posture that limits punitive damages to cases where the data subject can prove concrete financial loss.
Interplay with statutory damages under Article 39-2
Article 39-3 punitive damages are awarded in addition to compensatory damages under Article 39(1), but Korean courts have not yet definitively ruled on whether punitive damages may be stacked on top of statutory damages under Article 39-2. The statutory text is ambiguous: Article 39-3 refers to "the amount of damages prescribed in paragraph (1)," which is the general compensatory-damages provision, not the statutory-damages provision in Article 39-2. The more restrictive reading—adopted by several district courts—holds that a data subject who elects statutory damages under Article 39-2 (because actual damages are difficult to prove) forfeits the right to punitive damages under Article 39-3, because there is no proven "actual damages" base to multiply. The more plaintiff-friendly reading holds that statutory damages are a legislatively defined proxy for actual damages when proof is difficult, and courts should therefore apply the punitive multiplier to the statutory award (for example, 5× KRW 3 million = KRW 15 million total). As of June 2026, no appellate court has resolved this split, and practitioners advising data subjects should plead both theories in the alternative.
No punitive damages have been awarded in published data-breach cases as of June 2026
Despite the availability of punitive damages under Article 39-3 since the 2014 introduction of the provision (and the 2023 expansion to a 5× multiplier), no reported Korean appellate decision has affirmed a punitive-damages award in a personal-information breach case. District courts have repeatedly declined to award punitive damages on the grounds that the data subject failed to prove objectively quantifiable actual damages (pecuniary loss) or that the controller's conduct, while negligent, did not rise to the level of gross negligence or intent. The ongoing Coupang class-action litigation (filed in 2025 following a December 2024 breach affecting millions of delivery addresses and phone numbers) is widely viewed as a test case for whether Korean courts will begin awarding meaningful punitive damages under the expanded Article 39-3 framework, but as of mid-2026 no judgment has been entered.
Article 39-11 — liability-guarantee measures for large controllers
Article 39-11 PIPA, added by the September 2023 amendments, requires personal-information controllers who meet revenue and data-volume thresholds specified in the Enforcement Decree to take necessary measures to guarantee their ability to compensate for damages, including purchasing liability insurance, joining mutual-aid associations, or accumulating reserves. The detailed thresholds are set forth in Article 48-8 of the Enforcement Decree (Presidential Decree No. 34421, as amended September 2023): controllers with annual revenue exceeding KRW 10 billion (approximately USD 7 million) and processing personal information of more than 1 million data subjects must establish a liability-guarantee mechanism. The PIPC may exempt controllers who demonstrate that their financial condition is sufficient to cover expected liabilities without insurance or reserves.
Failure to comply with Article 39-11 is subject to an administrative fine of up to KRW 30 million under Article 75(2)(14) PIPA, but does not create an independent cause of action for data subjects. The liability-guarantee requirement is intended to ensure that large controllers have sufficient assets to satisfy judgments in mass data-breach cases, addressing a concern that emerged after several early PIPA class actions were settled for de minimis amounts because the defendant controllers lacked insurance coverage or liquid assets.
Class actions and representative litigation under the Securities-Related Class Action Act
South Korea does not have a general class-action statute for consumer or privacy claims. Data subjects injured by the same PIPA violation may file individual lawsuits or may consolidate their claims through joint litigation (共同訴訟) under Article 65 of the Korean Civil Procedure Act, in which multiple plaintiffs join as co-parties in a single action. Joint litigation does not bind absent class members and does not provide for opt-out or settlement-approval procedures analogous to U.S. Federal Rule of Civil Procedure 23.
However, the Securities-Related Class Action Act (Act No. 6012, enacted 2001) permits representative class actions for certain securities-fraud claims, and Korean courts have occasionally allowed representative actions in non-securities consumer cases by analogical application when the claims involve a large number of similarly situated plaintiffs and common questions of law and fact. The Coupang data-breach litigation filed in 2025 is structured as a joint action by approximately 10,000 named plaintiffs represented by a consumer-rights organization, but the court has not certified it as a formal class action. Settlement of joint actions requires individual consent from each plaintiff, which poses practical challenges when the plaintiff group is large.
Data subjects who lack the resources to file individual lawsuits may file a complaint with the PIPC under Article 62 PIPA (via the Korea Internet & Security Agency's toll-free hotline at 118 or online at www.pipc.go.kr), but the PIPC's administrative investigation and corrective order do not create a civil judgment or award damages. Data subjects must file a separate civil action in district court to recover compensation under Articles 39–39-3.
Source: Personal Information Protection Act (PIPA) — Act No. 19234, effective 15 September 2023, Articles 39, 39-2, 39-3, 39-11
Source: PIPC — Laws & Regulations
Administrative fines under Article 75 PIPA — fixed-sum monetary sanctions up to KRW 100 million
Administrative fines (과태료, gwataeryo) under Article 75 of the Personal Information Protection Act (PIPA) constitute a third enforcement tier between the administrative penalty surcharge (과징금, gwajingeum) under Article 34-2 PIPA and criminal penalties under Articles 70–73 PIPA. Unlike the penalty surcharge—which is calculated as a percentage of the controller's total revenue (up to 3% under current law, rising to 10% for high-severity violations effective 11 September 2026)—Article 75 administrative fines are fixed-sum monetary sanctions capped at specified Korean Won amounts, with the maximum penalty of KRW 100 million (approximately USD 70,000 as of June 2026) reserved for the most serious non-criminal violations.
Article 75 administrative fines are imposed by the Personal Information Protection Commission (PIPC) through administrative adjudication, without the need for criminal prosecution or judicial conviction. The controller may appeal an Article 75 fine to the Seoul Administrative Court within 60 days of the PIPC's decision under the Administrative Litigation Act (Article 20). Administrative fines are enforceable as tax debts under Article 69 of the Framework Act on National Taxes if the controller fails to pay within 60 days of the decision becoming final.
Four-tier fine structure under Article 75 PIPA
Article 75 PIPA establishes a four-tier monetary-penalty structure based on the severity of the violation, as detailed in Appendix 2 of the Enforcement Decree of PIPA (Presidential Decree No. 34421, as amended September 2023 and March 2024). The tiers are:
1. Tier 1 — administrative fines up to KRW 100 million
The maximum KRW 100 million administrative fine applies to violations that directly undermine the PIPC's investigative and enforcement authority, but fall short of the threshold for criminal prosecution under Articles 70–73 PIPA. The following violations trigger Tier 1 fines:
- Failure to comply with a corrective order issued by the PIPC under Article 64 PIPA (Article 75(2)(1) PIPA). A corrective order may require the controller to cease unlawful processing, implement protective measures, delete or destroy personal information, or suspend cross-border transfers. A controller that fails to comply with the corrective order within the deadline specified by the PIPC is subject to a fine of up to KRW 100 million, and the PIPC may impose successive daily penalties (each capped at KRW 100 million) for continued non-compliance. This provision is the PIPC's primary enforcement tool for compelling compliance when a controller refuses to remedy a violation identified during an investigation or audit.
- Obstruction of a PIPC investigation or on-site inspection under Article 63 PIPA (Article 75(2)(2) PIPA). A controller that refuses to submit materials or documents requested by the PIPC, denies PIPC investigators physical access to offices or business premises, provides false or misleading information during an investigation, or destroys or conceals records subject to PIPC review commits an administrative offense punishable by up to KRW 100 million. This penalty tier reflects the legislature's determination that obstruction of the supervisory authority's investigative powers is among the most serious administrative (as opposed to criminal) violations under PIPA.
The KRW 100 million tier is calibrated to deter willful non-cooperation with the PIPC without triggering the criminal-prosecution threshold. Controllers that obstruct investigations with intent to conceal underlying PIPA violations may face both the Article 75(2) administrative fine and referral to the public prosecutor for criminal charges under Article 71 or 72 PIPA if the obstruction rises to the level of intentional misconduct.
2. Tier 2 — administrative fines up to KRW 50 million
The KRW 50 million tier applies to procedural and disclosure violations that create significant compliance gaps but do not involve direct refusal of PIPC authority. Triggering violations include:
- Failure to notify data subjects of cross-border processing as required under Article 28-2(1) PIPA when outsourcing or storing personal information abroad for contract performance (Article 75(3)(1) PIPA, as amended effective 15 September 2023). The notification must inform the data subject of the identity of the foreign processor, the countries to which data will be transferred, the date and manner of transfer, and the contact details of the foreign processor. A controller that transfers personal information to a foreign processor without providing this notice is subject to a fine of up to KRW 50 million, irrespective of whether the transfer itself was lawful under one of the mechanisms in Article 28-2(2) PIPA (consent, adequacy determination, standard contract, or certification). This provision reflects the PIPC's enforcement priority on cross-border-transfer transparency following the 2023 PIPA amendments, which harmonized South Korean law with the GDPR's Chapter V transfer regime.
- Failure to prepare or maintain a processing register (Article 29-2 PIPA) when the controller processes personal information of more than one million data subjects on average during the prior three months (Article 75(3)(2) PIPA). The processing register must document the purpose of processing, categories of personal information, retention periods, third-party recipients, and cross-border transfers. The PIPC may request the processing register at any time during an investigation under Article 63 PIPA, and failure to produce a compliant register is independently sanctionable.
- Failure to conduct a data-protection impact assessment (DPIA) when required under Article 33 PIPA (Article 75(3)(3) PIPA). A DPIA is mandatory when processing biometric data for identification purposes, processing personal information of 1 million or more data subjects for commercial purposes, or processing sensitive personal information (race, ethnicity, political opinions, health, sexual orientation, criminal history) of 100,000 or more data subjects. A controller that begins processing operations subject to the DPIA trigger without completing the assessment and obtaining PIPC review (if required under Article 33(4)) commits an administrative offense punishable by up to KRW 50 million.
3. Tier 3 — administrative fines up to KRW 30 million
The KRW 30 million tier applies to governance and structural-compliance violations that do not directly involve data processing or data-subject rights but undermine the controller's organizational accountability framework. Key violations include:
- Failure to designate a Chief Privacy Officer (CPO) when required under Article 31(1) PIPA (Article 75(4)(1) PIPA). A CPO must be designated by controllers processing personal information of 1 million or more data subjects on average during the prior three months, or upon PIPC request. The CPO must have at least three years of experience in data-protection compliance (Article 32(2) of the Enforcement Decree). The 10 March 2026 PIPA amendments (effective 11 September 2026) further require large controllers meeting revenue and volume thresholds specified in the Enforcement Decree to obtain Board of Directors approval for CPO appointments and to report the CPO designation to the PIPC. Failure to designate a CPO or to report the designation when required triggers a fine of up to KRW 30 million.
- Failure to obtain mandatory ISMS-P certification (Personal Information & Information Security Management System certification) when required under Article 47 of the Act on Promotion of Information and Communications Network Utilization and Information Protection (Network Act), now incorporated by reference into PIPA as amended March 2026 (Article 75(4)(2) PIPA). Mandatory ISMS-P certification applies to private-sector controllers meeting criteria specified in the Enforcement Decree (including integrated circuit chip manufacturers, telecommunications service providers, e-commerce platforms exceeding KRW 10 billion annual revenue, and online service providers processing personal information of more than 1 million users). Controllers subject to the mandatory certification requirement must obtain ISMS-P certification from the Korea Internet & Security Agency (KISA) and renew the certification every three years. Operating without valid certification exposes the controller to a fine of up to KRW 30 million.
4. Tier 4 — administrative fines up to KRW 20 million
The KRW 20 million tier applies to disclosure and notification violations that do not involve cross-border processing or breach notification, but impair data-subject transparency. Triggering violations include:
- Failure to designate a domestic representative when required under Article 39-12 PIPA (Article 75(5)(3) PIPA). Foreign controllers with annual revenue exceeding KRW 1 trillion, processing personal data of more than one million Korean data subjects per day on average during the prior three months, or upon PIPC request under Article 63(1) must designate a domestic representative in South Korea. The domestic representative serves as the point of contact for the PIPC and data subjects, and must have authority to respond to PIPC requests, receive service of corrective orders and administrative fines, and handle data-subject complaints. The 2 October 2025 amendments (effective 2 April 2026) further require that the domestic representative be a Korean legal entity established by or controlled by the foreign controller, rather than a third-party service provider. Failure to designate a compliant domestic representative or to update the designation within six months of the 2 April 2026 effective date triggers a fine of up to KRW 20 million.
- Failure to provide a compliant privacy notice at the time of collection under Article 15(2) or Article 17(2) PIPA (Article 75(5)(1) PIPA). The privacy notice must inform the data subject of the purpose of processing, categories of personal information collected, retention period, and the right to refuse consent and the consequences of refusal. A controller that collects personal information without providing the required notice, or that provides an incomplete or misleading notice (for example, bundling consent for non-essential processing with consent for contract performance in violation of the unbundling requirement under Article 22(2) PIPA), is subject to a fine of up to KRW 20 million.
Interplay with the administrative penalty surcharge (Article 34-2) and criminal penalties (Articles 70–73)
A single PIPA violation may expose the controller to overlapping enforcement actions across multiple tiers:
- Administrative fine (Article 75) + penalty surcharge (Article 34-2): The PIPC may impose both an Article 75 administrative fine (for a procedural violation such as failure to conduct a DPIA) and an Article 34-2 penalty surcharge (for a substantive processing violation such as processing personal information beyond the scope of consent) if the same conduct violates multiple PIPA obligations. The two sanctions serve distinct purposes: the administrative fine penalizes non-compliance with structural and procedural safeguards, while the penalty surcharge penalizes unlawful data processing and is calibrated to the controller's revenue to achieve deterrence. Article 34-2(4) PIPA clarifies that the penalty surcharge does not preclude additional administrative fines under Article 75.
- Administrative fine (Article 75) + criminal penalty (Articles 70–73): Article 75(6) PIPA provides that no administrative fine shall be imposed under Article 75 for any act subject to criminal penalties under Articles 70–73 PIPA. This exclusion prevents double jeopardy when the PIPC refers a case for criminal prosecution. However, the PIPC may impose an administrative fine under Article 75 before determining whether to refer the case for prosecution, and the fine is not automatically refunded if the prosecutor declines to indict. In practice, the PIPC imposes Article 75 fines first and reserves criminal referrals for cases involving intentional theft of personal information (Article 70), intentional re-identification of pseudonymized data (Article 71), or repeated obstruction of investigations after the controller has been fined under Article 75(2).
2026 penalty-surcharge increase does not affect Article 75 fine caps
The 10 March 2026 PIPA amendments (Act No. 20509, effective 11 September 2026) raised the maximum administrative penalty surcharge under Article 34-2 from 3% to 10% of total revenue for high-severity violations involving repeated intentional or grossly negligent conduct affecting 10 million or more data subjects, or failure to comply with a corrective order followed by a breach. However, the amendments did not increase the Article 75 administrative-fine caps, which remain fixed at KRW 100 million, KRW 50 million, KRW 30 million, and KRW 20 million as specified in the September 2023 Enforcement Decree. As a result, the relative deterrent weight of Article 75 fines has declined for large controllers: a KRW 100 million administrative fine (approximately USD 70,000) is de minimis compared to a 10% revenue penalty surcharge for a global platform processing the personal information of tens of millions of Korean users.
The PIPC has signaled in its 2026 enforcement priorities that it will increasingly rely on the Article 34-2 penalty surcharge as the primary economic sanction for substantive processing violations, reserving Article 75 fines for procedural and governance failures (failure to designate a CPO, failure to obtain ISMS-P certification, failure to designate a domestic representative) and for smaller controllers whose revenue base makes the percentage-based penalty surcharge impractical. The fixed-sum structure of Article 75 administrative fines ensures that procedural violations remain sanctionable even when the controller processes minimal personal information or generates negligible revenue from the violation.
Enforcement Decree Appendix 2 — detailed calculation methodology
The final administrative fine imposed within each tier is determined by the PIPC according to the criteria specified in Appendix 2 of the Enforcement Decree of PIPA (Presidential Decree No. 34421, as amended September 2023 and March 2024). The Enforcement Decree establishes:
- Base fine amounts for each violation (typically 30–50% of the statutory cap for a first-time violation);
- Aggravating factors that increase the fine (repeated violations within three years, refusal to cooperate with the PIPC investigation, failure to remediate after notice, significant harm to data subjects);
- Mitigating factors that reduce the fine (voluntary self-reporting, prompt corrective action, demonstrated privacy-safeguard investments in personnel and systems, minimal harm to data subjects).
The PIPC retains discretion to impose any fine amount from zero up to the statutory cap, but the Enforcement Decree Appendix 2 presumptive amounts create predictability for controllers assessing penalty exposure. Controllers subject to a PIPC investigation should anticipate that failure to cooperate (refusal to submit documents, delay in responding to information requests, denial of access to systems during on-site inspections) will trigger upward adjustments within the applicable tier, and that voluntary remediation (proactive DPIA completion, immediate CPO designation, rapid breach containment and notification) will support mitigating arguments.
Cross-reference to other guides
Practitioners advising foreign controllers on South Korean compliance exposure should cross-reference the European Union — Enforcement & Penalties guide for the GDPR administrative-fine framework (up to EUR 20 million or 4% of global turnover under Article 83 GDPR), which served as the model for the PIPC's tiered penalty structure under Articles 34-2 and 75 PIPA. The EU-Korea adequacy decision adopted 17 December 2021 (Commission Implementing Decision (EU) 2021/2254) recognizes South Korea as providing adequate data-protection safeguards for personal data transferred from the EU, but the decision predates the March 2026 PIPA amendments and the 10% penalty-surcharge increase; the European Commission will monitor whether the heightened enforcement posture affects the adequacy determination in the 2025–2027 review cycle.
Foreign controllers subject to the domestic-representative requirement should also consult the parallel requirements under the California — Enforcement & Penalties guide (California Consumer Privacy Act regulations requiring designated agents for service under 11 CCR § 7000 et seq.) and the United Kingdom — Enforcement & Penalties guide (UK GDPR Article 27 representative requirement for non-UK controllers offering goods or services to UK data subjects).
Source: Personal Information Protection Act (PIPA) — Act No. 19234, effective 15 September 2023, Article 75
Source: PIPC — Laws & Regulations