CFE Home
KOR

Punitive Surcharges Can’t Protect Personal Information

Writer
Gwang yong Go

As major telecommunications companies such as SK Telecom, KT, and LG Uplus have recently experienced a series of large-scale hacking incidents and personal data leaks, social anxiety is spreading. In SK Telecom’s case in particular, the Personal Information Protection Commission (hereinafter PIPC) imposed a record-high administrative fine of KRW 134.7 billion over the leak of customer information affecting more than 23 million people. However, controversy over fairness has emerged, with criticism that “punitive administrative fines” are being imposed excessively even when there was no actual damage or unjust enrichment by the company.


The crux of the problem does not lie in the sheer size of the fine. If the government focuses only on “making an example” through punishment, it will inevitably produce side effects by increasing market uncertainty and undermining companies’ capacity for future investment. In particular, at a time when investment in new industries such as artificial intelligence and data-based services is in full swing, if fines in the hundreds of billions of won become routine, there is a serious risk of damaging the competitiveness of the IT industry as a whole.


Google collected personal information without consent and used it for advertising, yet it was fined only KRW 69.2 billion. By contrast, SK Telecom was itself a victim of hacking and gained no improper benefit, yet it was hit with a fine more than twice as large. The essence of the administrative fine system lies in disgorging unjust enrichment. Imposing a fine in the KRW 130 billion range based solely on its punitive character, in a situation where there was no unjust enrichment, is not only excessive but also unreasonable.


When sanctions lose their sense of fairness in this way, regulation can instead undermine trust in policy. Administrative fines should fundamentally serve to recover gains obtained through illegal acts, while punitive sanctions should be applied only in a limited manner on the basis of separate legal grounds and social consensus. If, as now, regulatory agencies can impose top-level fines at their discretion regardless of whether there was unjust enrichment, this constitutes an unpredictable risk for companies and is effectively no different from “regulation by fines.”


As the PIPC emphasizes, personal information protection is no longer a secondary management item but a core task of corporate management. But if the means of achieving this is reduced solely to “stronger regulation and higher fines,” the balance is lost. Security investment should be made through companies’ autonomous judgment and long-term strategy, and the government should focus on establishing the institutional foundation that makes this possible.


What is needed now is not “punishment” but “innovation.” Since private IT companies are also victims of hacking, they should be guaranteed about one year of institutional grace and preparation time so they can independently build advanced security systems. As attacks by global hacking groups become increasingly sophisticated and prolonged, it is impossible for companies to establish a perfect defense system in a short period of time. Rather than taking a regulation-only approach, the government should present a flexible implementation plan that enables the private sector to proactively advance its security capabilities.


At the same time, national-level support and backing are also essential. Personal information protection has the character of a public good that is difficult for companies to bear alone. Accordingly, the government should promote innovation in security technology through R&D support and strengthen public-private cooperation systems to lay the groundwork for a joint response to cyber threats. Rather than simply resorting to ex post punishment after incidents occur, it is a wiser approach to create an institutional environment in which security investment can continue proactively.


In short, administrative fines are a means of recovering illegal gains, not a mechanism for victim relief or strengthening security. The government’s role lies in moving away from punitive regulation and building the foundation for genuinely strengthening the public’s personal information protection and cybersecurity capabilities. In addition, this should serve as an opportunity to promote investment and growth in IT companies’ information security R&D in the AI and big data era, as well as in the cybersecurity market worth approximately $200 billion.


Gwang yong Go, Policy Director, Center for Free Enterprise (CFE)


Original title: 징벌적 과징금으로 개인정보보호 못 한다

Author: Gwang yong Go

Date: 2025-09-15

Source: https://www.cfe.org/bbs/bbsDetail.php?cid=press&idx=28074