
Amendments to the Personal Information Protection Act Passed by National Assembly

2026.02.13

On February 12, 2026, the National Assembly passed amendments to the Personal Information Protection Act ("PIPA") that significantly strengthen corporate obligations and liability, including raising the maximum administrative penalty to 10% of the total revenue, following approval by the Legislation and Judiciary Committee of the National Assembly on February 11, 2026. The key provisions of the amendments are summarized below.
 

1. Clarification of CEO Accountability

The amended PIPA explicitly designates the business owner or the representative of a data controller as the "ultimate person responsible for the processing and protection of personal information" and requires the owner or the representative to take comprehensive management measures, including the provision of personnel and budget for personal information protection. Additionally, for data controllers meeting criteria to be specified in the Presidential Decree of the PIPA, the amended PIPA requires that the appointment and dismissal of the Chief Privacy Officer ("CPO") be approved by the board of directors and that the designation of the CPO be reported to the Personal Information Protection Commission ("PIPC").
 

2. Expanded Scope of Notification Obligations

Previously, the defined term "breach, etc." in the PIPA referred only to the "loss, theft, or leakage" of personal information. The amended PIPA expands this definition to include "forgery, alteration, or damage" of personal information. Accordingly, notification to data subjects is now required not only in cases of loss, theft, or leakage, but also in cases of forgery, alteration, or damage. Data breach reporting obligations will also apply based on such factors as the type of personal information involved, the pathway of the breach, and the scale of the incident.

Furthermore, while the pre-amendment PIPA required notification to the affected data subjects only upon learning that "a breach, etc. has occurred", the amended PIPA requires notification upon becoming aware of a "possibility of a breach, etc.", to be further defined in the Presidential Decree, taking into account such factors as the type of personal information, the impact on data subjects, and the level of risk.
 

3. Increase in Maximum Administrative Penalties

The amended PIPA raises the maximum administrative penalty from the previous 3% to 10% of the total revenue in the following circumstances: (1) if a party that has previously been subject to an administrative penalty under the PIPA violates the PIPA again within three years due to willful misconduct or gross negligence; (2) if a violation due to willful misconduct or gross negligence affects 10 million or more data subjects; or (3) if a data breach occurs due to failure to comply with a corrective order issued by the PIPC.

The amended PIPA also includes provisions allowing for reduction of administrative penalties where there is evidence of proactive investment in personal information protection, such as budget, personnel, facilities, and equipment. This amendment is intended to encourage preventive investment by companies.


The amendments will generally take effect six months after promulgation by the President. However, with respect to the increased 10% ceiling on administrative penalties: (1) for repeated violations, the higher ceiling applies only to the violations occurring after receiving an administrative penalty under the amended PIPA; (2) for violations affecting 10 million or more data subjects, the higher ceiling applies to the violations that have not been concluded as of the effective date of the amended PIPA; and (3) for failure to comply with corrective orders, the higher ceiling applies only to the corrective orders issued after the amended PIPA takes effect.

As obligations and liability for personal information protection continue to intensify, companies should take this opportunity to review their personal information processing and protection frameworks, ensure adequate budget and personnel, and develop proactive compliance strategies to mitigate legal risks.
 
