Regulator: The Personal Information Protection Commission ('PIPC')
Summary: The PIPA came into effect in 2011 and provides some of the strictest personal information protection requirements in the world. Alongside the PIPA, the regulation of personal information is also governed by the Use and Protection of Credit Information Act 2009 and the Act on Promotion of Information and Communications Network Utilization and Information Protection 2001. All three of these Acts have recently been significantly amended, resulting in a more streamlined approach to personal data protection. These amendments have been particularly aimed at introducing the concept of pseudonymized data and opening its use.
Most recently, in February 2023, the South Korean National Assembly passed amendments to the PIPA, most of which entered into effect in September 2023 along with amendments to the Enforcement Decree of the PIPA ('the PIPA Enforcement Decree') (English version with 2022 amendments available here; up-to-date version, only available in Korean, here). In particular, the main changes to the PIPA cover, among other things, data subject rights, the unification of regulations governing online and offline businesses, amendments to the provisions relating to administrative and criminal penalties, requirements for the processing of special categories of personal information, the introduction of rights applying to automated decision-making, rules on data breach notification, and new rules for cross-border data transfers.
With regard to the next steps, the PIPC is currently working on another revision of the PIPA Enforcement Decree which will further implement the 2023 amendments to the PIPA including those on 'MyData' (i.e. the right to data portability). Such amendments to the PIPA Enforcement Decree are to be announced for public comment gradually, starting from October 2023.
With regard to EU-South Korea data transfers, South Korea received an adequacy decision from the European Commission in 2021, namely the European Commission's adequacy decision for the transfer of personal data from the European Union to the Republic of Korea under the General Data Protection Regulation. Among other international agreements, South Korea is also a participant in the Asia-Pacific Economic Cooperation Cross Border Privacy Rules ('APEC CBPR') system.