South Korea

Summary

Law: The Personal Information Protection Act 2011 (as amended in 2023) (PIPA)

Regulator: The Personal Information Protection Commission (PIPC)

Summary: On September 30, 2011, the Personal Information Protection Act 2011 (PIPA) (English version with 2020 amendments available here; fully up-to-date version, only available in Korean, here) was enacted, and it entered into force on the same date. The PIPA provides some of the strictest personal information protection requirements in the world, and regulates the collection, usage, disclosure, and other processing of personal data by governmental or private entities as well as individuals. In particular, the PIPA establishes general data protection requirements in South Korea, addresses data processing notifications, data subject rights, and data transfers, and provides for penalties of up to KRW 2 billion (approx. $1.5 million) or 3% of annual revenue for the violation of its provisions. Alongside the PIPA, the regulation of personal information is also governed by the Use and Protection of Credit Information Act 2009 and the Act on Promotion of Information and Communications Network Utilization and Information Protection 2001.

Most recently, in February 2023, the South Korean National Assembly passed amendments to the PIPA, most of which entered into effect on September 15, 2023, along with amendments to the Enforcement Decree of the PIPA (the PIPA Enforcement Decree) (English version with 2022 amendments available here; up-to-date version, only available in Korean, here). In particular, the main changes to the PIPA feature data subject rights, the unification of regulations governing online and offline businesses, amendments to the provisions relating to administrative and criminal penalties, requirements for the processing of special categories of personal information, the introduction of rights applying to automated decision-making, rules on data breach notification, and new rules for cross-border data transfers.

With regard to the next steps, the Personal Information Protection Commission (PIPC), the main privacy regulator in South Korea, is currently working on another revision of the PIPA Enforcement Decree which will further implement the 2023 amendments to the PIPA including those on 'MyData' (i.e. the right to data portability). Such amendments to the PIPA Enforcement Decree are to be announced for public comment gradually, starting from October 2023.

With regard to the EU - South Korea data transfers, South Korea received an adequacy decision from the European Commission in 2021, namely the European Commission's adequacy decision for the transfer of personal data from the EU to the Republic of Korea under the General Data Protection Regulation (GDPR). Among other international agreements, South Korea is also a participant in the Asia-Pacific Economic Cooperation Cross Border Privacy Rules (APEC CBPR) system.

Insights

In this Insight article, Sun Hee Kim and Dave Boncheun Koo, from Yulchon LLC, explore the rapid development of artificial intelligence (AI) regulation worldwide, highlighting the EU's Artificial Intelligence Act (the EU AI Act) and South Korea's ongoing legislative efforts. As South Korea introduces new AI bills, the focus shifts between promoting the AI industry and ensuring safety, reflecting the need for a balanced approach in the evolving landscape of AI governance.

On February 5, 2024, the Personal Information Protection Commission (PIPC) released the revised 'Guidelines for Processing Pseudonymous Data' (the Guidelines). This revision addresses the limitations of the existing guidelines, which only provided processing standards for structured data. The Guidelines aim to establish pseudonymization standards for unstructured data - such as images, videos, audio, and text - which are crucial for the development of artificial intelligence (AI) technologies.

In the Guidelines, the PIPC provides methods and specific examples of pseudonymization regarding unstructured data. In addition, the PIPC explains in more detail the important points to consider for each phase of pseudonymization (pre-preparation, risk review, pseudonymization, appropriateness review, and safe management). As it is not practically possible to eliminate all the various risks that may arise in the course of AI development and use, the Guidelines also focus on post-management. Timothy Dickens, from DR & AJU LLC, explores the different scenarios discussed in the Guidelines where unstructured data was successfully pseudonymized.

In this Insight article, HoSang Yoon and Hyein Lee, from Shin & Kim LLC, delve into the release of the Guidelines on Applying the Personal Information Protection Act to Foreign Business Operators (the Guidelines), designed to assist foreign businesses in complying with the Personal Information Protection Act (PIPA). Released by the Personal Information Protection Commission (PIPC) on April 4, 2024, the Guidelines provide a comprehensive framework to help foreign businesses meet PIPA requirements and emphasize the importance of adopting robust measures to safeguard the personal data of South Korean users.

In this Insight article, Hyeon Song Lee, Principal at Pine Law Office, explores how the Personal Information Protection Act (PIPA) in South Korea grants personal data rights and sets obligations for data processors. Additionally, he delves into the complex landscape of data retention regulations that extend beyond PIPA, highlighting the necessity for businesses to navigate various individual laws to ensure compliance and avoid potential penalties.

In this Insight article, Kwang Bae Park, Sunghee Chae, and Matt Younghoon Mok, from Lee & Ko, explore South Korea's Digital Bill of Rights, emphasizing its international cooperation principles and the government's preference for self-regulation in the artificial intelligence (AI) industry. It discusses related legislative trends and the evolving stance on AI regulation in a changing global landscape.

After thoroughly examining the amendments made to the Personal Information Protection Act (PIPA) in Timothy Dickens' previous Insight article and appreciating the practical and judicious approach taken by the Yoon administration, it would be remiss not to also delve into the revisions made to the Enforcement Decree of the Personal Information Protection Act (Decree), which took effect on September 15, 2023. Much like the symbiotic relationship exemplified by Forrest Gump's analogy, 'Jenny and me was like peas and carrots,' PIPA and the Decree go hand in hand. Any alteration to one necessitates a corresponding adjustment in the other to ensure they harmonize seamlessly.

To understand these amendments and their practical implications more effectively, this Insight article tries to dissect them into easily digestible, bite-sized portions. Hopefully, this approach will satisfy your appetite for understanding.

The Korean National Assembly passed amendments to the Personal Information Protection Act (Amended PIPA) earlier this year, and the Amended PIPA came into effect on September 15, 2023. Based on the Amended PIPA, Korea's Personal Information Protection Commission (PIPC) adopted corresponding amendments to its Enforcement Decree (Amended Enforcement Decree), which has also taken effect.

The Amended PIPA aims to strengthen the protection of data subjects' rights, but at the same time, is also intended to facilitate data controllers' processing of personal data. Detailed criteria and standards for implementing the Amended PIPA are set forth in the Amended Enforcement Decree. In our view, the changes introduced by the Amended PIPA and Amended Enforcement Decree have effectively taken the Korean data protection legal framework to a level closer to the EU's General Data Protection Regulation (GDPR), with certain notable discrepancies still remaining.

In this Insight article, Samuel (Soon-Yub) Kwon, Jongsoo (Jay) YOON, and Jeannie (Yee Jean) Jeong, from Lee & Ko, will discuss some of the key elements of the Amended PIPA and Amended Enforcement Decree and their implications for online service providers and businesses operating in Korea.

On 27 February 2023, the South Korean National Assembly passed a proposal amending the Personal Information Protection Act 2011 ('PIPA'). These amendments are among some of the most extensive amendments to PIPA since its enactment.

In this Insight article, Timothy Dickens, Partner at DR & AJU LLC, provides insight into the amendments to PIPA and their impact on businesses.