South Korea's Personal Information Protection Commission on Wednesday shared key first-half results and future plans through a work report.
The commission said it strengthened corporate accountability in connection with large-scale personal data leak incidents in the first half by imposing strong economic penalties commensurate with the seriousness of violations.
The commission said the total amount of administrative fines increased to 608.4 billion won in the first half of 2026 from 167.8 billion won in 2025 and 61.2 billion won in 2024. Major sanctions were imposed on Coupang (624.7 billion won), three luxury goods companies (36.0 billion won), Lotte Card (9.6 billion won), Duo (1.2 billion won) and the National Research Foundation of Korea (700,000,000 won), among others.
The commission said it also strengthened the effectiveness of sanctions against personal data leak incidents by introducing a punitive administrative fine system.
It set up a mechanism to impose fines of up to 3 percent of revenue, and up to 10 percent of revenue in cases of serious or repeated violations. It also changed the revenue 기준 so that it is set at the larger of the three-year average or the previous year's revenue, instead of the three-year average. The commission also said it improved the practical personal data protection and management environment by checking whether measures such as corrective orders and corrective recommendations were carried out.
The commission also conducted advance status checks of personal data in high-risk private sectors such as public mutual aid companies and finance, as well as in the public sector handling large volumes of personal data, as part of proactive preventive inspections and management. It also overhauled the information security and personal data protection management system, known as ISMS-P, and built a preventive protection system by establishing a basis for incentives for personal data protection investment.
The commission said it supported the deletion of personal data posted during childhood or adolescence, known as an eraser service, and the deletion of exposed or illegally distributed posts, and strengthened responses to rights infringements such as personal data impersonation. It also fully revised guidelines on the processing of pseudonymised data to improve the efficiency of pseudonymisation and launched a help desk to support innovation in public-sector AX.
It expanded the scope of direct transfer, or download, of personal information to all areas so that the public can use mydata more freely.
In the second half, the commission will focus on ensuring citizens' rights through the settling-in of preventive systems, supporting AX innovation and building a system for the safe use of data. It will conduct regular and ad hoc inspections in areas closely tied to daily life, such as customer centres, edtech and nursing hospitals, and in sectors holding large-scale or sensitive information where incidents can have major ripple effects. It will also strengthen support and oversight for inspections by each ministry and their affiliated and subordinate agencies through a public inspection task force. It plans to tightly manage systems including joint inspections of systems deemed insufficient through self-checks among 387 major public systems and public-facing systems holding at least 50 million resident registration numbers, covering 11 types.