Could Coupang’s Record Privacy Fine Become a Trigger for U.S.-Korea Trade Frictions?

Lapses in security management and unauthorized data collection uncovered
Regulatory intensity exceeds cases involving Meta and Amazon
Coupang immediately pushes back as activity emerges within U.S. political circles

South Korea’s Personal Information Protection Commission (PIPC) has imposed a fine of approximately $416 million on Coupang over a data breach affecting 37.5 million individuals. The penalty represents the most severe sanction in the history of South Korea’s privacy regulation regime and ranks among the largest ever imposed in connection with a global personal data breach. With Coupang immediately initiating legal challenges and related developments emerging within U.S. political circles, the case is expected to generate significant repercussions.

$282 Million for Data Breach, $134 Million for Unauthorized Collection of User Activity Data

On June 11, the PIPC announced that it had voted to impose a fine of approximately $416.5 million and an administrative penalty of roughly $11,200 on Coupang for violations of personal data protection laws. The commission cited failures to fulfill security obligations and the collection of personal information without a legal basis. It also imposed a fine of approximately $165,000 on subsidiary Coupang Fulfillment Services (CFS) for violations involving the collection and use of personal information and restrictions on the handling of sensitive data. The latest penalty is more than five times larger than the previous record fine of approximately $89.9 million imposed in connection with SK Telecom’s USIM hacking incident.

The PIPC concluded that Coupang failed to prevent a large-scale data breach by neglecting fundamental security management systems, including authentication-signing key management and access controls. In addition to the breach itself, the commission simultaneously sanctioned three categories of violations: unauthorized personal data collection and a subsidiary’s employment-restriction list. According to the PIPC investigation, the breach occurred when a former Coupang employee, acting as a hacker, used an authentication-signing key to create forged authentication tokens and gain access to member information modification pages and delivery-address management pages. The compromised information involved 33,222,472 members (based on accounts) and 4,338,368 non-members (based on phone numbers).

The PIPC stated that “the failure to securely manage authentication methods for data subjects and the neglect of access controls designed to prevent illegal access and security incidents constituted violations of security protection obligations.” The commission added that its investigation also uncovered violations involving breach-notification and data-deletion requirements, failure to ensure the independence of the Chief Privacy Officer (CPO), and obstruction of the investigation. The PIPC determined that the incident resulted not from a sophisticated cyberattack but from deficiencies in basic security management systems and oversight failures. The fine associated with the breach amounted to approximately $282.4 million, while the administrative penalty related to notification and deletion violations totaled about $11,200.

Separately, the PIPC imposed an additional fine of approximately $134.1 million on Coupang for collecting activity records from news websites and other online shopping platforms through its Coupang Partners marketing program. From December 2024 through February of this year, Coupang allegedly collected and stored the online activity records of 11,170,613 users who visited 15,645,338 third-party webpages and apps without obtaining consent. The company reportedly stored visited URLs, app names, access times, and IP addresses in its internal database alongside member numbers and device identifiers.

The PIPC also issued a corrective order regarding so-called “hijack advertisements,” in which users were forcibly redirected to the Coupang app even without clicking an advertisement. The commission took issue with Coupang’s failure to adequately manage and supervise advertising partners that published deceptive advertisements. It also sanctioned Coupang Fulfillment Services. CFS had placed 71 police-beat reporters with no history of employment at its logistics centers on an employment-restriction list under the pretext of “spreading false information.” The PIPC viewed the practice as the collection and use of personal information without legal grounds and imposed a fine of approximately $147,000.

About 1.6 Times Larger Than the Fine Imposed on Meta After a 533 Million-User Data Leak

Following the announcement of the penalty, some industry observers argued that the scale of the fine was excessive. Even when compared with international precedents, the sanction ranks among the largest privacy-related penalties ever imposed. The previous record-holder was Meta, which was fined approximately $253 million by Ireland’s Data Protection Commission in 2021 after the personal information of 533 million Facebook users—including IDs, names, birth dates, and phone numbers—was exposed. The fine imposed on Coupang is roughly 60% larger.

Viewed within the broader landscape of global privacy enforcement, however, it is difficult to characterize the Coupang penalty as the largest ever imposed. In 2021, Luxembourg’s National Commission for Data Protection (CNPD) fined Amazon’s European entity approximately $712 million for failing to properly obtain user consent in connection with the processing of personal information for targeted advertising.

Meta has also faced substantial penalties in the United States. In 2024, the company agreed to pay $1.4 billion to the State of Texas over allegations that it collected facial-recognition information from users’ photos and videos without authorization. Earlier, the U.S. Federal Trade Commission (FTC) imposed a $5 billion penalty after determining that Meta had violated a privacy agreement with the agency and allowed developers using its social-login service to collect personal information not only from users who logged in but also from individuals included in those users’ friend lists.

That same year, credit-reporting company Equifax reached a settlement worth $575 million with the FTC, the Consumer Financial Protection Bureau (CFPB), and the attorneys general of all 50 U.S. states following a cyberattack that exposed Social Security numbers, names, birth dates, addresses, credit-card numbers, and other personal information due to the company’s failure to apply a security patch. Of that amount, $300 million was allocated to a victim-compensation fund, while an additional $125 million could be added depending on the volume of claims, bringing the total settlement value to as much as $700 million.

Coupang Plans Administrative Lawsuit to Challenge the Fine

The concern is that the latest penalty could evolve in a direction far removed from its original objective of strengthening personal data protection. Coupang is a U.S. company listed on the New York Stock Exchange (NYSE). As a result, the South Korean government has faced various forms of pressure from political and administrative circles in the United States. On Jan. 22, GreenOaks and Altimeter—investors in NYSE-listed Coupang Inc., the U.S. parent company that wholly owns Coupang’s Korean operating entity—petitioned the Office of the United States Trade Representative (USTR) to initiate a Section 301 investigation, arguing that the South Korean government’s treatment of Coupang was problematic. In the petition, they claimed that South Korean authorities were unfairly targeting an American company by mobilizing government-wide investigations and regulatory actions in response to Coupang’s data-breach incident.

The investors further argued that the South Korean government’s investigations and regulatory measures were intended to create a more favorable environment for domestic Korean companies and Chinese competitors, urging the U.S. government to respond. They also sent a notice of intent to initiate investor-state dispute settlement (ISDS) proceedings against President Lee Jae-myung and South Korea’s Ministry of Justice. Subsequently, the U.S. House Judiciary Committee invited Harold Rogers, Coupang Korea’s interim representative, to provide testimony in a closed-door session. During Prime Minister Kim Min-seok’s visit to Washington, Vice President JD Vance reportedly raised the Coupang issue. At a House Foreign Affairs Committee hearing on June 3, Representative Darrell Issa stated that “South Korea’s democracy has tilted sharply to the left and is opening more channels toward China,” adding that the country was “suppressing American companies, including Meta and Coupang.”

Given the unpredictability of the Trump administration and the responses of U.S. lawmakers who have previously engaged with the Coupang issue, there is a strong possibility that pressure will intensify again following the latest fine. U.S.-based global digital news outlet Semafor reported on June 11 under the headline “Trump Allies Stoke the Coupang-Korea Feud” that Republican figures were stepping forward to defend Coupang. Citing a source familiar with the matter, the outlet reported that “U.S. Trade Representative Jamieson Greer is personally working to find a solution to address Coupang’s concerns.” The report also stated that support for Coupang has been growing in the United States as the company increasingly utilizes a network of pro-Trump MAGA-aligned lobbyists.

Coupang has also made clear that it intends to challenge the sanctions through litigation. In a statement issued on June 11, the company said, “We deeply recognize our responsibility for causing concern among customers and the public as a result of this data-leak incident,” while adding that “it is regrettable that proactive measures taken to prevent secondary damage following last year’s data breach and explanations based on clear facts were not sufficiently reflected in the PIPC’s decision.” The company stated that it plans to file an administrative lawsuit with the Seoul Administrative Court and actively pursue legal remedies. Following the announcement of the PIPC’s decision, U.S.-based parent company Coupang Inc. also made its intentions clear in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC), stating that it “will seek judicial review of the PIPC’s findings and sanctions” and pursue litigation.