(C) Tech in Asia

SEOUL — Public outcry for severe punishment against Coupang continues to grow following the massive data breach involving 33.7 million customer records. However, concerns are mounting that the e-commerce giant may once again leverage its participation in a ‘self-regulation pact’ to significantly reduce the fine levied by the Personal Information Protection Commission (PIPC). This fear is well-founded, as Coupang has twice previously succeeded in receiving substantial reductions in fines, amounting to billions of won, by citing its involvement in this very mechanism.

The Self-Regulation Loophole

Analysis of data submitted by the PIPC to Democratic Party lawmaker Kim Seung-won revealed that Coupang received fine reductions in two past personal data breaches by invoking its participation in the 'Public-Private Cooperative Self-Regulation' agreement. The self-regulation pact is a system where private companies draft and adhere to their own personal information protection protocols. In exchange, the PIPC agrees to reduce the administrative fine should a future data breach occur. Coupang joined this pact in July 2022.

A clear precedent was set during the PIPC's handling of Coupang's December 2023 incident, where personal information of 22,440 customers and recipients was leaked. During the penalty assessment in November of last year, Coupang cited its participation in the self-regulation pact, its 'active cooperation' with the investigation, and its acquisition of an Information Security Management System-Personal Information (ISMS-P) certification as reasons for mitigation.

As a result of these mitigation steps, the initial fine of 4.277 billion won ($3.25 million USD) was drastically reduced, and Coupang was ultimately fined only 1.31 billion won ($1 million USD). In the same month, when the PIPC penalized Coupang Eats for leaking the data of 135,000 delivery drivers, the fine was similarly slashed from 1.238 billion won to 278 million won (approximately $212,000 USD), citing the company's participation in the self-regulation agreement.

Experts Question Efficacy and Reliability

The current crisis has heightened speculation that Coupang will once again seek to exploit the self-regulation system, which allows for a maximum fine reduction of 40%. This possibility has led to widespread skepticism regarding the reliability of 'self-investigation,' where penalties are reduced based on protocols created by the private entity itself.

Hwang Seok-jin, a professor at Dongguk University's Graduate School of International Information Security, strongly criticized the system. "Private self-regulation amounts to little more than writing a simple log in front of the house—it can hardly be considered an effective security measure," he stated, questioning the substantive protection offered.

Lawmaker Kim Seung-won has urged the government to thoroughly review the potential for abuse in the fine reduction system and implement necessary supplementary measures. "The government must address the possibility of the fine reduction being misused," Kim stressed.

In response to the "slap-on-the-wrist" concerns, the PIPC has offered a cautious defense, stating that "mitigation due to self-regulation participation is not mandatory" and that it will "strictly apply mitigation factors in the process of calculating the administrative fine."

Meanwhile, the fallout from the current data breach has been immediately measurable. Coupang's daily active users (DAU) on December 2nd dropped to 17,804,511, a reduction of over 180,000 users from the previous day's 17,988,845, indicating a tangible impact on customer confidence. The ongoing scandal underscores the critical need for robust, mandatory security measures rather than protocols subject to self-assessment and regulatory leniency.

[Copyright (c) Global Economic Times. All Rights Reserved.]