Coupang removes clause exempting it from hacking liability after order from data protection agency
Published: 19 Dec. 2025, 15:18
Coupang will scrap a controversial clause in its terms of service that exempts the company from liability for damages caused by hacking or illegal access, following a corrective order from Korea’s data protection watchdog. The move, however, is unlikely to silence criticism that the company acted too slowly.
Coupang announced on Thursday that it will delete Article 38, Clause 7 — which says the company is not responsible for damages caused by hacking or unauthorized access — effective Dec. 26.
The clause was added in November last year and drew controversy after Coupang’s recent large-scale data breach, with critics accusing the company of attempting to evade responsibility.
On Dec. 10, the Personal Information Protection Commission (PIPC) ordered Coupang to revise the clause within seven days, ruling that it violated the Personal Information Protection Act’s provisions on security obligations and liability for damages. Under the law, data controllers are required to implement appropriate security measures and must prove the absence of intent or negligence if user harm occurs due to a breach.
With penalties subject to increase if corrective action is not taken within the deadline, critics have argued that Coupang was effectively forced to amend its terms. The company had previously come under fire for continuing to describe the incident as a data “exposure” rather than “leak,” only revising the wording 17 days later following the PIPC’s decision.
Coupang also strengthened provisions related to personal data protection responsibility in its terms of service. Previously, the company vaguely stated that it followed its privacy policy, a formulation criticized for leaving the burden of proof unclear in the event of an incident. The revised clause now specifies that personal data handling procedures, standards and the burden of proving intent or negligence will be addressed in accordance with the Personal Information Protection Act.
In addition, Coupang added a new provision requiring the company to proactively notify users via email, phone calls or text messages if changes to the terms are unfavorable to consumers or deemed significant.
Industry observers say the revisions reflect mounting pressure on the e-commerce giant. On Thursday, the government formed an interagency task force involving the Ministry of Science and ICT, the PIPC, the Financial Services Commission, the Fair Trade Commission, the National Intelligence Service and the National Police Agency. The task force is expected to investigate the data breach and consider whether to suspend Coupang’s business operations.
The National Assembly is also pushing for a joint hearing involving multiple standing committees, including those overseeing land and transport, science and ICT, political affairs and labor and environment.
Public sentiment toward Coupang has worsened since a parliamentary hearing on Wednesday. Coupang Chairman Bom Kim did not attend, drawing criticism that the company sought to deflect responsibility by sending newly appointed interim CEO Harold Rogers and Chief Information Security Officer Brett Matthes in his place.
Online reactions following the hearing included comments such as, “Watching the Coupang hearing made it feel like the company looks down on Korea,” “I’ll try to get over the withdrawal symptoms of quitting Coupang” and “I expected a sincere explanation and concrete measures, but was disappointed.”
This article was originally written in Korean and translated by a bilingual reporter with the help of generative AI tools. It was then edited by a native English-speaking editor. All AI-assisted translations are reviewed and refined by our newsroom.
BY LIM SUN-YOUNG
with the Korea JoongAng Daily
