South Korea's ruling bloc on Tuesday agreed to push ahead with amendments to the Personal Information Protection Act to significantly expand corporate liability for personal data breaches, including tougher compensation rules and enforcement measures.

The decision follows a series of high-profile data breach incidents over the past year that have involved major companies and public services, including SK Telecom, Coupang and LG Uplus, which have fueled anxiety over the safety of personal information and exposed limits in existing penalties and investigative powers.

The agreement was reached during a policy consultation held at the National Assembly between the Democratic Party of Korea and the governmental Personal Information Protection Commission, according to a briefing by Rep. Park Sang-hyuk, the party's senior policy spokesperson on social affairs.

Under the proposed revision, the ruling bloc plans to strengthen statutory damages provisions for personal data breaches by shifting the overall burden of proof more clearly onto companies.

Under current law, courts may determine compensation within a statutory cap even when victims cannot prove actual damages. Companies, however, may be exempted from liability if they demonstrate the absence of intent or negligence.

The amendment would remove the "intent or negligence" requirement, effectively requiring companies to assume liability unless they can prove that they fulfilled all required safety measures and bear no responsibility for the breach.

"Repeated large-scale data leaks have sharply heightened public anxiety," Democratic Party policy chief Rep. Han Jeong-ae said. "Legal responsibility for damages must be strengthened regardless of whether negligence can be established."

The ruling bloc also agreed to introduce criminal penalties targeting the illegal distribution of leaked personal data, amid growing concerns over secondary harm.

The revised law would prohibit the purchase, provision or dissemination of personal information when the party involved is aware that the data was obtained through hacking or other illicit means, including circulation on the dark web.

To ensure more effective investigations, the amendment would empower authorities to impose enforcement fines on companies that refuse to cooperate with probes or fail to comply with corrective orders. Authorities would be granted the power to issue evidence preservation orders — such as requiring the retention of access logs — following a data breach. Regular inspections of large-scale personal data handlers are also set to be expanded.

"The Democratic Party agreed to support the administration's call for expedited legislation to ensure the measures are enacted without delay," Park added.

The government additionally proposed introducing emergency protection orders to swiftly prevent the spread of damage after a data breach.