Support Centre

South Korea


Law: The Personal Information Protection Act 2011 (as amended in 2023) ('PIPA')

Regulator: The Personal Information Protection Commission ('PIPC')

Summary: The PIPA came into effect in 2011 and provides some of the strictest personal information protection requirements in the world. Alongside the PIPA, the regulation of personal information is also governed by the Use and Protection of Credit Information Act 2009 and the Act on Promotion of Information and Communications Network Utilization and Information Protection 2001. All three of these Acts have recently been significantly amended, resulting in a more streamlined approach to personal data protection. These amendments have been particularly aimed at introducing the concept of pseudonymized data and opening its use.

Most recently, in February 2023, the South Korean National Assembly passed amendments to the PIPA most of which entered into effect in September 2023 along with amendments to the Enforcement Decree of the PIPA ('the PIPA Enforcement Decree') (English version with 2022 amendments available here; up-to-date version, only available in Korean, here). In particular, the main changes to the PIPA feature, among other things, data subject rights, the unification of regulations governing online and offline businesses, amendments to the provisions relating to administrative and criminal penalties, requirements for the processing of special categories of personal information, the introduction of rights applying to automated decision-making, rules on data breach notification, and new rules for cross-border data transfers.

With regard to the next steps, the PIPC is currently working on another revision of the PIPA Enforcement Decree which will further implement the 2023 amendments to the PIPA including those on 'MyData' (i.e. the right to data portability). Such amendments to the PIPA Enforcement Decree are to be announced for public comment gradually, starting from October 2023.

With regard to the EU – South Korea data transfers, South Korea received an adequacy decision from the European Commission in 2021, namely the European Commission's adequacy decision for the transfer of personal data from the European Union to the Republic of Korea under the General Data Protection Regulation. Among other international agreements, South Korea is also a participant in the Asia-Pacific Economic Cooperation Cross Border Privacy Rules ('APEC CBPR') system.


In this Insight article, Kwang Bae Park, Sunghee Chae, and Matt Younghoon Mok, from Lee & Ko, explore South Korea's Digital Bill of Rights, emphasizing its international cooperation principles and the government's preference for self-regulation in the artificial intelligence (AI) industry. It discusses related legislative trends and the evolving stance on AI regulation in a changing global landscape.

After thoroughly examining the amendments made to the Personal Information Protection Act (PIPA) in Timothy Dickens' previous Insight article and appreciating the practical and judicious approach taken by the Yoon administration, it would be remiss not to also delve into the revisions made to the Enforcement Decree of the Personal Information Protection Act (Decree), which took effect on September 15, 2023. Much like the symbiotic relationship exemplified by Forrest Gump's analogy, 'Jenny and me was like peas and carrots,' PIPA and the Decree go hand in hand. Any alteration to one necessitates a corresponding adjustment in the other to ensure they harmonize seamlessly.

To better understand these amendments and their practical implications more effectively, this Insight article tries to dissect them into easily digestible, bite-sized portions. Hopefully, this approach will satisfy your appetite for understanding.

The Korean National Assembly passed amendments to the Personal Information Protection Act (Amended PIPA) earlier this year, and the Amended PIPA came into effect on September 15, 2023. Based on the Amended PIPA, Korea's Personal Information Protection Commission (PIPC) adopted corresponding amendments to its Enforcement Decree (Amended Enforcement Decree), which has also taken effect.

The Amended PIPA aims to strengthen the protection of data subjects' rights, but at the same time, is also intended to facilitate data controllers' processing of personal data. Detailed criteria and standards for implementing the Amended PIPA are set forth in the Amended Enforcement Decree. In our view, the changes introduced by the Amended PIPA and Amended Enforcement Decree have effectively taken the Korean data protection legal framework to a level closer to the EU's General Data Protection Regulation (GDPR), with certain notable discrepancies still remaining.

In this Insight article, Samuel (Soon-Yub) Kwon, Jongsoo (Jay) YOON, and Jeannie (Yee Jean) Jeong, from Lee & Ko, will discuss some of the key elements of the Amended PIPA and Amended Enforcement Decree and their implications for online service providers and businesses operating in Korea.

On 27 February 2023, the South Korean National Assembly passed a proposal amending the Personal Information Protection Act 2011 ('PIPA'). These amendments are among some of the most extensive amendments to PIPA since its enactment.

In this Insight article, Timothy Dickens, Partner at DR & AJU LLC, provides insight into the amendments to PIPA and their impact on businesses.

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and Law on Personal Information Protection Act (PIPA).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the PDPO with the  GDPR.

You can access the latest version of the report here.