[Statement] The National Assembly’s National Policy Committee Must Include Compensation for Personal Data Breaches Within the Scope of Collective Actions

On December 15, the 1st Legislative Subcommittee of the National Assembly’s National Policy Committee reviewed and passed amendments to the Personal Information Protection Act proposed by lawmakers including Rep. Park Beom-kye (Democratic Party) and Rep. Kim Sang-hoon (People Power Party). The core of the amendment is to raise the maximum administrative fine for large-scale personal data breaches from 3% of annual revenue to as much as 10%.

However, the amendment notably excludes what has been a central social demand and a core issue of public concern: adding “damages” to the scope of collective actions under Article 51 of the Personal Information Protection Act (Subjects of Collective Actions). Despite repeated large-scale personal data breaches, user remedies have once again been sidelined in deference to corporate interests. We strongly condemn the outcome of the subcommittee’s deliberations and urge that the issue be reconsidered before the amendment passes the standing committee.

The root cause of the repeated large-scale data breaches involving companies such as SK Telecom, KT, Lotte Card, and Coupang is not the absence of specific legal obligations in personal data protection or security laws. Rather, while companies are eager to collect and retain massive amounts of personal data and to exploit it for various purposes, including AI development, they have neglected investment in data security. This is because even when massive breaches occur, companies face little more than temporary public criticism, without suffering meaningful economic consequences.

Raising administrative fines may be one way to pressure companies to invest in security. In practice, however, the Personal Information Protection Commission (PIPC) often substantially reduces fines through discretionary decisions, and, critically, none of the penalties provide compensation to the affected users.

In the case of SK Telecom, where the personal data of more than 23 million users (over 27 million records), including SIM card information, was leaked, the fine imposed by the PIPC amounted to 134.8 billion KRW. Although the PIPC is already authorized to impose fines of up to 3% of total annual revenue, the actual fine was less than 1% of SK Telecom’s consolidated annual revenue of 17.9 trillion KRW. It has been reported that the PIPC reduced the initially calculated fine by approximately 50% during the deliberation process.

Among the 38 OECD member countries, only three—Korea, Switzerland, and Türkiye—have not introduced collective redress mechanisms that include monetary damages. Korea is widely regarded as having the most underdeveloped victim remedy system even among these countries. Ultimately, a comprehensive class action system covering all types of consumer harm affecting large numbers of unspecified victims should be introduced. As an initial step, however, collective redress should be established in the field of personal data protection, which is a representative area of small-amount, mass harm and the focal point of recent public concern.

Despite these social demands, it is difficult to understand why the amendment to the Personal Information Protection Act that would add “damages” to the requirements for collective actions was excluded entirely from deliberation. Moreover, the current collective action system already requires prior collective dispute mediation and imposes excessively strict requirements on eligible organizations—issues that clearly require reform. Had the subcommittee truly considered user remedies, it should have addressed these shortcomings and passed an amendment that includes damages within the scope of collective actions.

We urge the National Policy Committee to open a path for collective redress by allowing consumers to seek compensation through collective damages actions for harm caused by large-scale personal data breaches.

December 16, 2025

Digital Justice Network; Korea Alliance for Progressive Medical Care; Digital Information Committee of Lawyers for a Democratic Society (Minbyun); Open Net Korea ; Korean Confederation of Trade Unions; Institute for Information Rights; People’s Solidarity for Participatory Democracy; Korea Consumer Organizations Council