Report from the Wall Street Journal
In Brief – South Korea’s Personal Information Protection Commission (PIPC), the country’s data protection authority, has imposed a record 624.7 billion won ($410 million) fine on ecommerce giant Coupang, often referred to as Korea’s Amazon. The regulator said that 423.5 billion won was for data-protection violations linked to a breach affecting 37.6 million people, more than 70% of South Korea’s population, and 201.1 billion won for other unauthorized data collection practices by the company. The fine is the largest ever levied by the PIPC against a single company in South Korea, surpassing penalties imposed on SK Telecom and KT. The regulator said that the data breach, which came to light last year, stemmed from inadequate data security controls, with a former Chinese software developer retaining an authentication key after leaving the company and using it to gain unauthorized access to user data including names, phone numbers and residential building entry codes used for package deliveries, for about a year. Coupang, who noted that no user financial or government identification data was compromised, said it would strengthen data-protection measures, work to restore customer trust and is planning an appeal, arguing that its response efforts were not adequately reflected in the regulator’s decision.
Context – The second Trump Administration entered office declaring that foreign regulation of US digital companies was “unacceptable” and could be met by retaliatory tariffs. Seoul’s moves to toughen regulation of digital giants including Apple and Google was criticized by the new USTR straight away. In recent months, the bilateral relationship’s most sensitive economic and security issues have been disrupted by the unique positioning of Coupang, which was founded in South Korea, but is now publicly listed on the Nasdaq, headquartered in Seattle, and proudly claims an American mantle. The company has built an aggressive US lobbying presence focused on the Trump Administration and congressional Republicans and injected its data breach regulatory enforcement complaints into the two countries’ top bilateral talks.