Coupang, South Korea's e-commerce giant, just received the largest data breach fine in South Korean history: over $400 million. Fletcher and Octavio dig into what this means for digital privacy across Asia and whether record fines actually make tech companies behave differently.
Coupang, el gigante surcoreano del comercio electrónico, acaba de recibir la multa por violación de datos más grande de la historia de Corea del Sur: más de cuatrocientos millones de dólares. Fletcher y Octavio exploran qué significa esto para la privacidad digital en Asia y si las sanciones millonarias realmente cambian el comportamiento de las grandes empresas.
6 essential B2-level terms from this episode, with translations and example sentences in Spanish.
| Spanish | English | Example |
|---|---|---|
| brecha de datos | data breach | La brecha de datos expuso la información personal de millones de usuarios. |
| multa | fine / penalty | La comisión impuso una multa histórica a la empresa por no proteger los datos de sus clientes. |
| negligencia | negligence | Los reguladores concluyeron que la brecha fue resultado de negligencia corporativa, no de un ataque sofisticado. |
| disuasorio | deterrent | Las multas elevadas tienen un efecto disuasorio sobre las empresas que no invierten en seguridad. |
| asimetría de la información | information asymmetry | La asimetría de la información entre la empresa y el usuario es uno de los problemas centrales de la privacidad digital. |
| autenticación en dos pasos | two-factor authentication | Activar la autenticación en dos pasos reduce significativamente el riesgo de que alguien acceda a tu cuenta. |
The company that built itself on the promise of next-day delivery just got delivered a bill it really wasn't expecting.
Four hundred and eight million dollars.
That's what South Korea's data protection regulator handed Coupang this week for exposing the personal information of millions of its users.
Sí, y lo que me parece importante destacar desde el principio es que no estamos hablando de cualquier empresa.
Yes, and what seems important to highlight from the start is that we're not talking about just any company.
Coupang es, en muchos sentidos, el Amazon de Corea del Sur.
Coupang is, in many ways, the Amazon of South Korea.
Tiene más de veinte millones de usuarios activos en un país de cincuenta y dos millones de personas.
It has more than twenty million active users in a country of fifty-two million people.
Es una parte enorme de la economía digital coreana.
It's a huge part of the South Korean digital economy.
Right, and for listeners who haven't heard of Coupang, think of it as what Amazon would look like if it had been engineered specifically for an extremely dense, extremely fast urban population.
Seoul is one of the most connected cities on earth.
These people expect their groceries at two in the morning.
Exacto.
Exactly.
Y la multa, que en wones surcoreanos son más de seiscientos veinticuatro mil millones, fue impuesta por la Comisión de Protección de Información Personal, que en Corea se conoce como la PIPC.
And the fine, which in South Korean won is more than 624 billion, was imposed by the Personal Information Protection Commission, known in Korea as the PIPC.
Dijeron que la brecha expuso datos personales de millones de cuentas.
They said the breach exposed personal data from millions of accounts.
Nombres, direcciones, números de teléfono, historiales de compras.
Names, addresses, phone numbers, purchase histories.
Purchase histories.
That detail doesn't get enough attention.
It's not just that someone has your address.
It's that they potentially know you bought medication, or fertility tests, or books about addiction, or whatever you ordered at midnight when you thought nobody was looking.
Tienes razón, y eso es algo que los reguladores coreanos entendieron bien en este caso.
You're right, and that's something the Korean regulators understood well in this case.
No se trata solo del volumen de datos expuestos, sino de la sensibilidad de esos datos.
It's not just about the volume of exposed data, but the sensitivity of that data.
En Corea del Sur, la ley de protección de datos, que se llama la PIPA, es bastante estricta.
In South Korea, the data protection law, called the PIPA, is quite strict.
Fue reformada significativamente en 2023 para alinearla más con el modelo europeo del RGPD.
It was significantly reformed in 2023 to align it more closely with the European GDPR model.
Walk me through the history there, because I think a lot of people assume data privacy regulation is a European thing.
That Asia sort of looked the other way.
Ese es un malentendido común.
That's a common misunderstanding.
Corea del Sur tiene una de las leyes de protección de datos más antiguas de Asia.
South Korea has one of the oldest data protection laws in Asia.
La primera versión de la PIPA se aprobó en 2011.
The first version of PIPA was passed in 2011.
Mucho antes de que muchos países europeos terminaran de implementar el RGPD.
Long before many European countries finished implementing the GDPR.
El problema, como ocurre en muchos lugares, no era la ley en sí, sino la capacidad y la voluntad política de aplicarla con sanciones realmente significativas.
The problem, as in many places, wasn't the law itself but the capacity and political will to enforce it with truly significant penalties.
Which brings us to the number.
Four hundred and eight million.
That's not a slap on the wrist.
Even for a company the size of Coupang, which listed on the New York Stock Exchange in 2021 and was valued at around sixty billion dollars at its peak, that's a number that lands.
Es la multa más grande en la historia de Corea del Sur por una violación de datos.
It's the largest fine in South Korean history for a data breach.
Y eso es importante, porque las multas anteriores eran ridículamente pequeñas en comparación.
And that matters, because previous fines were ridiculously small by comparison.
Cuando las sanciones son insignificantes, las empresas simplemente las incorporan como un coste operativo.
When penalties are negligible, companies just absorb them as an operating cost.
Es más barato pagar la multa que invertir seriamente en seguridad.
It's cheaper to pay the fine than to seriously invest in security.
That calculus is something I've seen play out in other industries.
Environmental violations, workplace safety.
Companies literally budget for fines.
It's cheaper to break the rule than to follow it, until the rule gets teeth.
Exactamente.
Exactly.
Y hay un paralelo claro con Europa.
And there's a clear parallel with Europe.
Antes del RGPD, las multas por protección de datos en muchos países europeos eran también muy bajas.
Before the GDPR, data protection fines in many European countries were also very low.
Fue cuando la regulación estableció que las sanciones podían llegar al cuatro por ciento de la facturación global anual cuando las empresas empezaron a tomárselo en serio.
It was when the regulation established that penalties could reach four percent of global annual revenue that companies started taking it seriously.
No es coincidencia.
That's not a coincidence.
Let's talk about Coupang itself for a moment, because the company's story is genuinely interesting.
Bom Kim founded it.
Korean-American, Harvard Business School, built this thing from scratch and turned it into what some people called the most sophisticated logistics network in Asia.
Sí, y lo que hizo Coupang fue construir su propia infraestructura de entrega en lugar de depender de terceros.
Yes, and what Coupang did was build its own delivery infrastructure instead of relying on third parties.
Sus repartidores, que se llaman 'Coupang Men', trabajan directamente para la empresa.
Its delivery workers, called 'Coupang Men', work directly for the company.
Eso les dio un control extraordinario sobre la experiencia del cliente, pero también significa que acumulan una cantidad enorme de datos sobre los hábitos de consumo de los coreanos.
That gave them extraordinary control over the customer experience, but it also means they accumulate an enormous amount of data about Koreans' consumption habits.
And SoftBank was an early major investor.
Masayoshi Son put something like three billion dollars into Coupang.
So this is a company that had serious money behind it from very early on.
Lo cual hace que la brecha de seguridad sea aún más difícil de justificar.
Which makes the security breach even harder to justify.
No es una startup sin recursos.
This isn't a cash-strapped startup.
Es una empresa con miles de millones en capital que no invirtió lo suficiente en proteger los datos de sus usuarios.
It's a company with billions in capital that didn't invest enough in protecting its users' data.
Eso, para mí, es lo más preocupante del asunto.
That, for me, is the most troubling part of this whole thing.
Tell me about the breach itself, because the reporting I've seen is a bit thin on specifics.
What actually happened?
Los detalles técnicos completos no son públicos todavía, pero lo que se sabe es que la PIPC encontró que Coupang no cumplió con sus obligaciones de gestión de seguridad.
The full technical details aren't public yet, but what is known is that the PIPC found Coupang failed to meet its security management obligations.
Básicamente, no protegió adecuadamente los sistemas donde se almacenaban los datos personales, y eso permitió que millones de registros quedaran expuestos.
Essentially, it didn't adequately protect the systems where personal data was stored, and that allowed millions of records to be exposed.
No es un ataque sofisticado de estado contra estado.
This isn't a sophisticated state-on-state attack.
Es negligencia corporativa.
It's corporate negligence.
That distinction matters.
There's a version of this story where you get hacked by a nation-state actor and there's a real argument about how much responsibility falls on the company.
But negligence is different.
That's a choice, or a series of choices, about where to put the money.
Completamente de acuerdo.
Completely agree.
Y fíjate que esto no es un caso aislado en el sector tecnológico.
And notice this isn't an isolated case in the tech sector.
En los últimos años hemos visto brechas masivas en empresas de comercio electrónico en toda Asia, desde Indonesia hasta India.
In recent years we've seen massive breaches at e-commerce companies across Asia, from Indonesia to India.
La región tiene una adopción digital rapidísima pero a veces las prácticas de seguridad no siguen el mismo ritmo.
The region has extremely rapid digital adoption but sometimes security practices don't keep pace.
I was in Jakarta in 2019 covering something completely unrelated, and I spent an afternoon with a cybersecurity researcher there who told me that Southeast Asian consumers were, at that point, dramatically more exposed to data theft than European or American consumers.
Not because they were less sophisticated, but because the regulatory environment hadn't caught up.
Y ese es el punto clave.
And that's the key point.
La tecnología se expande mucho más rápido que la legislación.
Technology expands much faster than legislation.
Siempre ha sido así.
It's always been that way.
Pero lo que estamos viendo ahora en Asia, con esta multa en Corea, con la nueva ley de protección de datos en India, con las regulaciones cada vez más estrictas en Japón, es que los reguladores están empezando a ponerse al día.
But what we're seeing now in Asia, with this fine in Korea, with the new data protection law in India, with increasingly strict regulations in Japan, is that regulators are starting to catch up.
Y lo hacen con multas que la gente nota.
And they're doing it with fines that people notice.
Let's talk about whether fines actually work, because I have some skepticism here.
Meta has paid billions in GDPR fines.
Google, Amazon, TikTok.
And yet data breaches keep happening.
If I'm a cynic, the fine is just the cost of doing business at scale.
Es una crítica justa, y hay investigadores que han estudiado esto.
It's a fair criticism, and there are researchers who have studied this.
La evidencia es mixta.
The evidence is mixed.
Las multas por sí solas no son suficientes, pero sí forman parte de un ecosistema regulatorio más amplio que incluye auditorías obligatorias, requisitos técnicos específicos y, en algunos casos, responsabilidad personal de los directivos.
Fines alone aren't enough, but they are part of a broader regulatory ecosystem that includes mandatory audits, specific technical requirements and, in some cases, personal liability for executives.
Cuando el CEO puede ir a la cárcel, la conversación en la sala de juntas cambia.
When the CEO can go to prison, the conversation in the boardroom changes.
Personal liability.
That's the thread I always find interesting.
Corporations don't go to jail.
The people who make decisions do, in theory.
Though in practice, it rarely seems to work out that way in tech.
En Corea del Sur hay disposiciones legales que permiten enjuiciar a los responsables individuales de una empresa por violaciones graves de la ley de protección de datos.
In South Korea there are legal provisions that allow the prosecution of individual company officers for serious violations of the data protection law.
No es solo una multa para la empresa.
It's not just a fine for the company.
Queda por ver si eso ocurrirá en este caso, pero la posibilidad existe, y eso es un factor disuasorio diferente al de una simple multa financiera.
Whether that happens in this case remains to be seen, but the possibility exists, and that's a different deterrent from a simple financial penalty.
Let me ask you something about the timing of this, because it strikes me as significant.
We are in the middle of a war that has disrupted global supply chains, closed the Strait of Hormuz, sent oil markets into chaos.
And here comes a four-hundred-million-dollar fine in South Korea for a data breach.
Is there a connection there, or is this purely coincidental timing?
Probablemente es coincidencia en términos de la investigación, que lleva mucho tiempo en marcha.
It's probably coincidence in terms of the investigation, which has been underway for a long time.
Pero sí creo que hay un contexto más amplio relevante.
But I do think there's a broader relevant context.
Cuando el mundo está geopolíticamente tenso, los datos personales se vuelven más valiosos y más vulnerables al mismo tiempo.
When the world is geopolitically tense, personal data becomes more valuable and more vulnerable at the same time.
Los actores estatales que buscan información sobre ciudadanos de países rivales tienen más incentivos para explotar brechas de seguridad en plataformas comerciales.
State actors looking for information about citizens of rival countries have more incentives to exploit security gaps in commercial platforms.
That's a dimension I hadn't fully considered.
Your shopping history on a Korean e-commerce platform potentially tells a foreign intelligence service a great deal about who you are, where you live, maybe even what your health situation looks like.
The commercial and the national security angles aren't as separate as they used to be.
Exacto.
Exactly.
Y es por eso que países como Corea del Sur, que tiene un vecino con capacidades cibernéticas importantes al norte, tratan la seguridad de los datos de manera muy seria.
And that's why countries like South Korea, which has a neighbor with significant cyber capabilities to the north, treat data security very seriously.
Corea del Norte tiene uno de los programas de ciberespionaje más activos del mundo.
North Korea has one of the most active cyber espionage programs in the world.
La frontera entre hackeo criminal y hackeo estatal es muy borrosa.
The border between criminal hacking and state hacking is very blurry.
Let's bring this back to the consumer level for a moment, because I think there's a risk of this becoming too abstract.
What does this fine mean for an ordinary person who uses Coupang to order their groceries?
Should they be worried?
Should they delete their account?
Lo primero que deberían hacer es cambiar la contraseña si no lo han hecho ya, activar la autenticación en dos pasos y revisar qué datos tienen guardados en la plataforma.
The first thing they should do is change their password if they haven't already, activate two-step authentication, and review what data they have saved on the platform.
En cuanto a si borrar la cuenta, eso ya es una decisión personal.
As for whether to delete the account, that's a personal decision.
Pero lo que me parece importante es que la multa, en teoría, debería obligar a Coupang a mejorar sus sistemas.
But what I think matters is that the fine, in theory, should force Coupang to improve its systems.
El dinero tiene que ir a algún sitio, y debería ir a la seguridad.
The money has to go somewhere, and it should go to security.
In theory.
Though the fine goes to the regulator, not directly to improving security infrastructure.
That's one of the persistent criticisms of this enforcement model.
Cierto, y es una crítica válida.
True, and it's a valid criticism.
Hay quien propone que una parte de las multas por violación de datos debería destinarse directamente a compensar a los usuarios afectados.
Some propose that a portion of data breach fines should go directly to compensate affected users.
En la Unión Europea se ha debatido esto.
This has been debated in the European Union.
El modelo actual castiga a la empresa, pero los individuos cuya privacidad fue violada raramente reciben compensación directa a menos que presenten demandas individuales.
The current model punishes the company, but the individuals whose privacy was violated rarely receive direct compensation unless they file individual claims.
Which most people never do.
The friction is too high, the amounts are too small on an individual basis, and frankly most people don't even know their data was part of a breach until months or years later.
Hay un término para esto en el debate sobre privacidad: la asimetría de la información.
There's a term for this in the privacy debate: information asymmetry.
La empresa sabe exactamente qué datos tiene y cuándo fueron comprometidos.
The company knows exactly what data it has and when it was compromised.
El usuario no sabe nada hasta que alguien decide contárselo, y a veces eso no ocurre nunca.
The user knows nothing until someone decides to tell them, and sometimes that never happens.
Corea del Sur exige notificación obligatoria a los afectados, lo cual es un paso importante, pero la implementación es siempre complicada.
South Korea requires mandatory notification to those affected, which is an important step, but implementation is always complicated.
Let me ask you about the broader picture across Asia, because I think this fine is a signal of something larger.
India passed its digital personal data protection act a couple of years ago.
Japan has tightened its laws.
Singapore has one of the more robust frameworks in the region.
Is Asia moving toward a genuine GDPR-style consensus, or is it going to remain fragmented?
La respuesta honesta es: las dos cosas a la vez.
The honest answer is: both things at once.
Hay una convergencia real hacia estándares más altos, impulsada en parte por el comercio internacional.
There is real convergence toward higher standards, driven in part by international trade.
Si quieres hacer negocios con Europa, tienes que cumplir con los estándares europeos de protección de datos.
If you want to do business with Europe, you have to meet European data protection standards.
Eso crea presión para que los marcos legales asiáticos se acerquen al RGPD.
That creates pressure for Asian legal frameworks to approach the GDPR.
Pero China va en una dirección muy diferente, donde el estado tiene acceso a los datos que en Europa sería impensable.
But China is moving in a very different direction, where the state has access to data that would be unthinkable in Europe.
China is really the outlier here, isn't it?
They have data protection laws that look modern on paper, but the architecture of those laws is fundamentally different because the state is effectively a permitted party to access almost anything.
It's protection from corporations, not from government.
Esa es una distinción fundamental que a menudo se pasa por alto.
That's a fundamental distinction that's often overlooked.
La privacidad de los datos tiene dos dimensiones: la horizontal, que protege a las personas de las empresas, y la vertical, que protege a las personas del estado.
Data privacy has two dimensions: the horizontal one, which protects people from companies, and the vertical one, which protects people from the state.
Europa intenta hacer las dos cosas.
Europe tries to do both.
China hace bien la primera y la segunda no existe de la misma manera.
China does the first one well and the second doesn't exist in the same way.
Corea del Sur, siendo una democracia liberal con un vecino autoritario, tiene incentivos para tomarse en serio ambas dimensiones.
South Korea, being a liberal democracy with an authoritarian neighbor, has incentives to take both dimensions seriously.
Coupang is also listed on the New York Stock Exchange, which adds another layer here.
American regulators and American investors are now paying attention to what a South Korean data commission decides to do.
The fine becomes part of the company's international financial story.
Y eso es nuevo.
And that's new.
Hace diez años, una multa de un regulador coreano habría sido una nota al pie en los informes financieros de la empresa.
Ten years ago, a fine from a Korean regulator would have been a footnote in the company's financial reports.
Ahora, con empresas tecnológicas asiáticas cotizando en mercados occidentales, la aplicación local tiene repercusiones globales.
Now, with Asian tech companies listed on Western markets, local enforcement has global repercussions.
Es una forma de globalización regulatoria que nadie planeó explícitamente pero que está ocurriendo de todas formas.
It's a form of regulatory globalization that nobody explicitly planned but is happening anyway.
Octavio, where do you think this lands five years from now?
Does this fine get remembered as a turning point, or does it get quietly forgotten the way most corporate fines do?
Creo que depende de lo que ocurra en los próximos doce meses.
I think it depends on what happens in the next twelve months.
Si Coupang mejora visiblemente su seguridad y no hay más brechas, esta multa se recordará como efectiva.
If Coupang visibly improves its security and there are no more breaches, this fine will be remembered as effective.
Si hay otra brecha en dos años, se recordará como insuficiente.
If there's another breach in two years, it will be remembered as insufficient.
Lo que sí creo es que establece un precedente para otros reguladores asiáticos.
What I do believe is that it sets a precedent for other Asian regulators.
El mensaje es claro: es posible multar a una empresa tecnológica grande de verdad.
The message is clear: it's possible to genuinely fine a large tech company.
That precedent argument is the one that carries the most weight for me.
A $408 million fine in Korea doesn't just affect Coupang.
Every compliance officer at every tech company operating in Asia just had a very uncomfortable conversation with their CEO this week.
Así es.
Exactly.
Y la conversación no es 'cómo evitamos que nos pille el regulador'.
And the conversation isn't 'how do we avoid getting caught by the regulator'.
La conversación, si tienen algo de sentido común, es 'cómo evitamos la brecha en primer lugar'.
The conversation, if they have any sense, is 'how do we prevent the breach in the first place'.
Que es exactamente lo que los reguladores quieren que ocurra.
Which is exactly what regulators want to happen.
A veces el sistema funciona.
Sometimes the system works.
Sometimes.
Oye, there was a phrase you used a while back that I want to circle back to, because I've heard it before but I'm not entirely sure I'm using it correctly.
You said 'es preocupante que las empresas no inviertan'.
Why is it 'inviertan' and not 'invierten'?
Because both seem like they could work to me.
Buena pregunta.
Good question.
Cuando usas una expresión valorativa como 'es preocupante', 'es importante', 'es extraño', y la sigues con 'que' más un verbo, ese verbo va en subjuntivo.
When you use a value-laden expression like 'it's worrying', 'it's important', 'it's strange', and follow it with 'que' plus a verb, that verb goes in the subjunctive.
Estás expresando tu reacción subjetiva ante algo, no describiendo un hecho objetivo.
You're expressing your subjective reaction to something, not describing an objective fact.
'Las empresas no invierten' es un hecho.
'Las empresas no invierten' is a fact.
'Es preocupante que no inviertan' es tu valoración de ese hecho.
'Es preocupante que no inviertan' is your assessment of that fact.
So it's almost like a grammatical way of flagging that you've shifted from reporting to opinion.
The subjunctive is the language's way of saying 'this is how I feel about it, not just what's happening'.
Eso es una descripción muy buena, en realidad.
That's actually a very good description.
El subjuntivo aparece donde hay subjetividad: duda, emoción, deseo, valoración.
The subjunctive appears where there's subjectivity: doubt, emotion, desire, assessment.
'Es una pena que Coupang no protegiera los datos de sus usuarios.' 'Es importante que los reguladores actúen.' 'Es increíble que tardaran tanto.' Siempre la misma estructura: valoración más 'que' más subjuntivo.
'It's a shame that Coupang didn't protect its users' data.' 'It's important that regulators act.' 'It's incredible that it took them so long.' Always the same structure: value judgment plus 'que' plus subjunctive.
So if I wanted to say 'it's worrying that the fine isn't larger', I'd say 'es preocupante que la multa no sea más grande'.
'Sea' not 'es'.
Perfecto.
Perfect.
Y no te preocupes si al principio no te sale de forma natural.
And don't worry if it doesn't come naturally at first.
Es uno de los aspectos del español que más cuesta a los angloparlantes, precisamente porque en inglés no tenéis esta distinción morfológica.
It's one of the aspects of Spanish that English speakers find hardest, precisely because in English you don't have this morphological distinction.
Pero cuando lo dominas, puedes matizar muchísimo, que es algo que cualquier buen periodista necesita.
But when you master it, you can add a great deal of nuance, which is something any good journalist needs.