개인정보 유출사고의 형사처벌과 행정처분에 대한 연구 -개정 개인정보 보호법과 SK텔레콤 침해사고를 중심으로-

This paper analyzes how the 2023 comprehensive amendment of the Personal Information Protection Act shifted the sanctioning framework for personal data breaches from a criminal-penalty-centered model to one centered on economic sanctions, and applies this shift to the large-scale SK Telecom personal data breach in order to examine, in an integrated manner, the issues of criminal liability, administrative sanctions, and civil damages. First, focusing on the amended provisions, it systematically organizes the content and functions of the rules on criminal penalties, administrative fines, penalty surcharges, and damages, and analyzes in particular the background and meaning of expanding the ceiling of penalty surcharges from “sales related to the violation” to “up to 3% of total annual revenue,” as well as the impact of abolishing criminal sanctions for violations of security safeguard obligations. Next, by comparing major domestic breach cases such as LG Uplus with the administrative and criminal sanction regimes of 19 foreign jurisdictions, the paper positions the characteristics and limitations of the Korean sanction system in an international context. Building on this legal analysis, the study examines the technical and managerial causes of the SK Telecom incident—such as storing account information in plaintext, failure to encrypt core identifiers, and delayed reporting—by linking them to potential violations of statutory duties under the Personal Information Protection Act, including security safeguard obligations, breach notification and reporting obligations, and the duty to designate responsible officers. The analysis finds that, under the 2023 amended law, the SK Telecom case constitutes a typical example in which a large-scale penalty surcharge, administrative fines, corrective orders, and civil liability for damages are cumulatively imposed. While the deletion of criminal provisions makes it difficult to impose criminal sanctions solely for violations of security safeguard obligations, the strengthened economic sanctions and punitive damages regime partially compensate for deterrence. However, the paper argues that enhancing penalty surcharges alone is insufficient to prevent large-scale breaches, and that it is necessary to simultaneously improve concrete management systems, such as clarifying governance responsibility for top management and the chief privacy/security officer, increasing security personnel and budgets, encrypting core personal data, and ensuring prompt breach notification and forensic response. Through this analysis, the paper evaluates the strengths and weaknesses of the revised sanctioning framework under the Personal Information Protection Act and seeks to contribute to future legislative and policy directions that harmonize economic sanctions, criminal sanctions, and civil remedies.