South Korea Promulgates Sweeping PIPA Amendments: 10% Revenue Fines, CEO Liability, and Privacy Investment Incentives (September 2026)
On March 10, 2026, South Korea promulgated its most significant amendments to the Personal Information Protection Act (PIPA) since the 2023 overhaul. Taking effect on September 11, 2026, the new legislation fundamentally changes corporate risk assessments by raising administrative fines to 10% of total turnover, introducing statutory liability for CEOs, and establishing a mandatory penalty reduction mechanism for documented privacy investments.
Key Legislative Reforms
- Elevated Fine Ceiling (Up to 10% of Total Revenue): While the baseline fine remains at 3%, the PIPC can seek administrative fines of up to 10% of total revenue for severe, high-risk scenarios, specifically:
  - Intentional or grossly negligent repeat violations within a three-year period.
  - Intentional or grossly negligent breaches affecting 10 million or more individuals.
  - A data breach occurring after a company fails to comply with a formal PIPC corrective order.
- Mandatory Fine Reductions for Privacy Investment: In a major push for proactive compliance, the amendment requires the PIPC to reduce administrative fines for companies that can demonstrate verified, documented investments in privacy safeguards (including dedicated budgets, staffing, equipment, and systems), provided the violation did not involve intent or gross negligence.
- CEO Accountability & CPO Independence: The business owner or representative is formally designated as the "ultimate responsible person" for data protection, creating a statutory duty to supervise compliance. For larger organizations, Chief Privacy Officers (CPOs) must secure an adequate budget and report directly to the CEO and board. Any CPO appointment, reassignment, or dismissal must be approved by the board and reported to the PIPC.
- Earlier Breach Notification Threshold: The notification threshold is lowered. Businesses are required to notify data subjects as soon as there is a "reasonable likelihood" or "meaningful possibility" of an incident, before the breach is fully verified. Additionally, the scope of notifiable events is expanded to include the forgery, alteration, or destruction/damage of personal data (bringing ransomware and data corruption into scope).
- Mandatory ISMS-P Certification: Designated large-scale data controllers must obtain integrated Personal Information & Information Security Management System (ISMS-P) certification starting July 1, 2027.
Verbatim Evidence
From South Korea Amends Privacy Law to Authorize Fines of Up to 10% of Total Revenue:
"On February 12, 2026, South Korea's National Assembly passed amendments to the Personal Information Protection Act ("PIPA") authorizing administrative fines of up to 10% of a company's total revenue in certain high-severity data breach cases."
"The amendments designate the business owner or representative as the 'ultimate responsible person' for data protection and require certain organizations to report chief privacy officer designations to the PIPC."
From South Korea Rewrites Data Protection Law With Higher Fines and CEO Accountability:
"Signed on 10 March 2026 and effective from 11 September 2026, the reform raises the maximum fine to 10% of total turnover, introduces personal supervisory liability for CEOs and requires earlier breach notification."
"If a violation is not caused by intent or gross negligence, the PIPC is required to reduce the penalty for organisations that can demonstrate verified investment in privacy, covering dedicated budget, personnel, equipment and systems."