South Korea

Summary

Law: The Personal Information Protection Act 2011 (as amended in 2023) ('PIPA')

Regulator: The Personal Information Protection Commission ('PIPC')

Summary: The PIPA came into effect in 2011 and provides some of the strictest personal information protection requirements in the world. Alongside the PIPA, the regulation of personal information is also governed by the Use and Protection of Credit Information Act 2009 and the Act on Promotion of Information and Communications Network Utilization and Information Protection 2001. All three of these Acts have recently been significantly amended, resulting in a more streamlined approach to personal data protection. These amendments have been particularly aimed at introducing the concept of pseudonymized data and opening its use.

Most recently, in February 2023, the South Korean National Assembly passed amendments to the PIPA

most of which entered into effect in September 2023 along with amendments to the Enforcement Decree of the PIPA ('the PIPA Enforcement Decree') (English version with 2022 amendments available here; up-to-date version, only available in Korean, here). In particular, the main changes to the PIPA feature, among other things, data subject rights, the unification of regulations governing online and offline businesses, amendments to the provisions relating to administrative and criminal penalties, requirements for the processing of special categories of personal information, the introduction of rights applying to automated decision-making, rules on data breach notification, and new rules for cross-border data transfers.

With regard to the next steps, the PIPC is currently working on another revision of the PIPA Enforcement Decree which will further implement the 2023 amendments to the PIPA including those on 'MyData' (i.e. the right to data portability). Such amendments to the PIPA Enforcement Decree are to be announced for public comment gradually, starting from October 2023.

With regard to the EU – South Korea data transfers, South Korea received an adequacy decision from the European Commission in 2021, namely the European Commission's adequacy decision for the transfer of personal data from the European Union to the Republic of Korea under the General Data Protection Regulation. Among other international agreements, South Korea is also a participant in the Asia-Pacific Economic Cooperation Cross Border Privacy Rules ('APEC CBPR') system.

Browse more content in South Korea

All Guidance Notes

All News

All Insights

News

05 December 2023

South Korea: KISA and Defense Agency sign MoU to strengthen cyber threat responses

29 November 2023

South Korea: PIPC confirms applicability of PIPO requirements to domestic airlines

27 November 2023

International: UK and South Korea sign partnership to advance cooperation on digital issues

22 November 2023

South Korea: PIPC announces forthcoming amendments to the PIPA Enforcement Decree

14 November 2023

International: South Korea and Romania sign MoU to facilitate cyber threat response

13 November 2023

International: US and South Korea sign MoU outlining best practices for sharing cyber threat and cybersecurity best practices

03 November 2023

South Korea: PIPC launches joint consultative body for policymaking on AI

18 October 2023

South Korea: PIPC publishes standards for disciplinary action for violations of personal information protection laws

16 October 2023

South Korea: PIPC fines Shinil Electronics KRW 224M for data security failures

12 October 2023

South Korea: PIPC announces pilot Preliminary Adequacy Review System

12 October 2023

South Korea: PIPC announces enactment of regulations on overseas transfer of personal information

05 October 2023

South Korea: PIPC to launch AI privacy task force

Insights

November 2023

South Korea: PIPA amendments result in amendments to Enforcement Decree

After thoroughly examining the amendments made to the Personal Information Protection Act (PIPA) in Timothy Dickens' previous Insight article and appreciating the practical and judicious approach taken by the Yoon administration, it would be remiss not to also delve into the revisions made to the Enforcement Decree of the Personal Information Protection Act (Decree), which took effect on September 15, 2023. Much like the symbiotic relationship exemplified by Forrest Gump's analogy, 'Jenny and me was like peas and carrots,' PIPA and the Decree go hand in hand. Any alteration to one necessitates a corresponding adjustment in the other to ensure they harmonize seamlessly.

To better understand these amendments and their practical implications more effectively, this Insight article tries to dissect them into easily digestible, bite-sized portions. Hopefully, this approach will satisfy your appetite for understanding.

October 2023

South Korea: Key aspects of the Amended Personal Information Protection Act and its Enforcement Decree for online businesses in Korea

The Korean National Assembly passed amendments to the Personal Information Protection Act (Amended PIPA) earlier this year, and the Amended PIPA came into effect on September 15, 2023. Based on the Amended PIPA, Korea's Personal Information Protection Commission (PIPC) adopted corresponding amendments to its Enforcement Decree (Amended Enforcement Decree), which has also taken effect.

The Amended PIPA aims to strengthen the protection of data subjects' rights, but at the same time, is also intended to facilitate data controllers' processing of personal data. Detailed criteria and standards for implementing the Amended PIPA are set forth in the Amended Enforcement Decree. In our view, the changes introduced by the Amended PIPA and Amended Enforcement Decree have effectively taken the Korean data protection legal framework to a level closer to the EU's General Data Protection Regulation (GDPR), with certain notable discrepancies still remaining.

In this Insight article, Samuel (Soon-Yub) Kwon, Jongsoo (Jay) YOON, and Jeannie (Yee Jean) Jeong, from Lee & Ko, will discuss some of the key elements of the Amended PIPA and Amended Enforcement Decree and their implications for online service providers and businesses operating in Korea.

May 2023

South Korea: Amendments to PIPA - Key takeaways

On 27 February 2023, the South Korean National Assembly passed a proposal amending the Personal Information Protection Act 2011 ('PIPA'). These amendments are among some of the most extensive amendments to PIPA since its enactment.

In this Insight article, Timothy Dickens, Partner at DR & AJU LLC, provides insight into the amendments to PIPA and their impact on businesses.

May 2023

EU - South Korea: GDPR v. PIPA

In this report, OneTrust DataGuidance provides a means of analyzing and comparing data protection requirements and recommendations under the General Data Protection Regulation (GDPR) and Law on Personal Information Protection Act (PIPA).

The report examines and compares the scope, main definitions, legal bases, data controller and processor obligations, data subject rights, and enforcement capacities of the PDPO with the  GDPR.

You can access the latest version of the report here.

July 2022

South Korea

Summary

Browse more content in South Korea

News

Insights

Get the Latest News

Thanks for signing up!

Company

Our Policies

Your Rights

Follow us