An investigation into a personal data leak at Coupang has entered the final stage of sanctions procedures. Industry officials said on May 12 that the Personal Information Protection Commission (PIPC) sent Coupang an advance notice in early April detailing alleged violations of the Personal Information Protection Act and planned measures. The PIPC is reviewing Coupang’s written opinion. The industry is watching for the sanctions level to be finalised as early as June.

Under the PIPC’s rules on investigations and dispositions, investigators must notify the party in advance of the planned measures based on the investigation report and grant at least 14 days for submitting opinions. The advance notice includes the facts forming the grounds for the measures, the planned measures, applicable laws and the deadline for submitting opinions. The specific amount of any administrative fine is known not to be included in the advance notice.

After receiving the advance notice, Coupang requested an extension of the deadline for submitting its opinion, and the PIPC accepted it. Coupang’s submission is reported to include the position that it is difficult to agree with the overall direction of the PIPC’s planned measures. The remaining steps are the PIPC’s review of the submission and referral to a plenary meeting.

With the review taking time because Coupang’s submission is voluminous, it is difficult to reach a conclusion within May. Expectations for a June decision are gaining traction after it was reported that the PIPC has set a policy to wrap up the case in the first half of the year.

Some also expect an administrative fine at the highest level to date, given the scale of damage. According to an announcement by a public-private joint investigation team under the Ministry of Science and ICT, 33,673,817 records containing users’ names and email addresses were confirmed to have been leaked from Coupang’s "Edit My Information" page. The current Personal Information Protection Act allows an administrative fine of up to 3 percent of average sales over the previous three years in the event of a leak.

A revised Personal Information Protection Act including a "punitive administrative fine" special provision allowing an administrative fine of up to 10 percent of total sales in cases of large-scale leaks caused by intent or gross negligence has passed the National Assembly. It is scheduled to take effect in September, so it does not apply to the Coupang case.

Coupang Inc, Coupang’s parent company, posted revenue of about 49 trillion won last year, and a simple application of 3 percent would put the statutory maximum administrative fine at about 1.5 trillion won. Revenue not directly related to the violation must be excluded from the calculation, and mitigating factors under the relevant notice must also be reflected, so the actual administrative fine is not expected to reach that level. The largest administrative fine imposed by the PIPC to date was about 134.8 billion won, levied last year over an SK Telecom USIM information leak.