▲ Personal Information Protection Commission Nameplate
The Personal Information Protection Commission (PIPC) is set to review sanctions against SK Telecom (SKT) at a full meeting today (27th) following a large-scale leak of customer USIM information.
The final decision, including possible fines, could be made as early as today, drawing significant attention.
The PIPC will hold the meeting at 2 PM today at the Government Complex in Seoul behind closed doors to discuss the sanctions against SKT.
The specific amount of fines and the severity of the sanctions will be finalized after the commissioners’ discussions.
If the sanctions are approved, the PIPC plans to hold a briefing on the 28th to explain the results. However, if additional data is deemed necessary, the conclusion could be postponed.
Previously, the PIPC completed most of its investigation procedures and issued a preliminary notice of disposition to SKT late last month. The investigation into SKT was initiated on April 22nd, following the customer data breach.
The preliminary notice includes the details of the violations, applicable laws, details of the proposed actions, the deadline for submitting opinions, and a list of evidence materials.
During the investigation, the PIPC is reported to have focused on whether SKT complied with its duty to take safety measures.
In the telecommunications industry, there is speculation that the PIPC, having repeatedly stated its intention to handle the hacking incident strictly “according to law and principle,” may impose the largest-ever fine in history.
Under the Personal Information Protection Act, fines can be imposed up to 3% of sales revenue, excluding revenues not related to the data leak.
However, companies must prove the revenue unrelated to the violations. Based on last year’s SK Telecom’s wireless business revenue (12.77 trillion KRW), some analyses suggest that the fine could reach the mid-300 billion KRW range.
Conversely, if SKT’s efforts for victim relief and prevention measures are considered, the actual level of sanctions could be adjusted to around 100 billion KRW.
The largest fine imposed by the PIPC so far was a total of 100 billion KRW in September 2022, 69.2 billion KRW to Google and 30.8 billion KRW to Meta, both for violating the Personal Information Protection Act by collecting user data without consent for personalized online advertising.
Focusing solely on data breach incidents, the largest fine was 15.1 billion KRW imposed on Kakao in May last year for the “KakaoTalk Open Chatroom data leak” incident.
(Photo provided by the Personal Information Protection Commission, Yonhap News)