On January 13, 2025, the Personal Information Protection Commission (the “PIPC”) announced its Key Policy and Enforcement Plan for 2025. Under the slogan “Protected Personal Information, Trusted AI Era,” the PIPC unveiled its three main strategies for 2025: (i) fostering an environment for the growth of AI based on data and trust, (ii) strengthening global leadership in data privacy, and (iii) reorganizing the personal information protection framework to address the accelerating digital transformation.
The PIPC further outlined six key initiatives: (i) revolutionizing the personal data regulatory framework in the AI Era, (ii) establishing a sustainable foundation for innovation in new industries, (iii) securing leadership in global personal data governance, (iv) unveiling the MyData Era and driving tangible outcomes, (v) strengthening its role as the central authority for personal data protection, and (vi) building comprehensive and robust personal data protection safety nets.
1. Revolutionizing the Personal Data Regulatory Framework in the AI Era
The PIPC plans to introduce a special provision in the Personal Information Protection Act (“PIPA”) to address situations where achieving research objectives is difficult through processing pseudonymized data alone (e.g., autonomous driving, AI development). Under this provision, the use of original data will be permitted, subject to appropriate safety measures being in place and the PIPC’s review and approval. With this plan, the PIPC aims to expand the legal grounds for processing personal data by considering the “legitimate interests” of AI developers and the “public interest.”
Additionally, the PIPC will further develop the principle-based personal data governance framework, established last year through public-private collaboration, to establish AI and Data Processing Standards for Major Industries. These standards aim to introduce legal rights enabling individuals to request the deletion of synthetic content generated through the misuse of deepfake technology and to implement measures to prohibit and penalize any acts of synthesizing personal information that would harm human dignity and values.
2. Establishing a Sustainable Foundation for Innovation in New Industries
The PIPC is preparing to propose the enactment of the Act on the Installation and Operation of Visual Data Processing Devices (tentative title). This legislation will specify the principles for processing biometric information and establish measures to safeguard the rights of data subjects. The PIPC will also institutionalize review committees to evaluate the adequacy of pseudonymization practices and promote the effective utilization of pseudonymized data by introducing functionalities to pseudonymize unstructured data to the Pseudonymized Data Support Platform, among others.
Furthermore, the PIPC will prioritize supporting the development of privacy-enhancing technologies (“PETs”) specifically tailored to new industries, such as AI. Once developed, these technologies will be transferred to small and medium-sized enterprises to facilitate commercialization and encourage widespread adoption.
3. Securing Leadership in Global Personal Data Governance
In September 2025, the PIPC will host the Global Privacy Assembly, the world’s largest international conference on personal data protection, in Seoul.
Furthermore, the PIPC aims to strengthen cooperation on cross-border data transfers by establishing mutual recognition frameworks. This plan includes the adoption of an adequacy decision for the EU by the PIPC,[1] as well as the renewal of the EU’s adequacy decision for Korea, which was initially granted in 2021. Additionally, the PIPC will review additional countries for potential adequacy decisions, including the United States, United Kingdom, and Japan.
The PIPC also outlined plans to strengthen the protection system for overseas transfers by expanding secure mechanisms for personal data transfers, such as introducing Standard Contractual Clauses (“SCC”) and establishing detailed criteria for suspending these transfers when necessary.
4. Unveiling the MyData Era and Driving Tangible Outcomes
The PIPC will fully implement the MyData initiative in the healthcare, telecommunication, and energy sectors. To facilitate this rollout, the PIPC will introduce five leading services in stages, including: (i) personalized chronic disease prevention and management, linking domestic medical records for overseas residents, medication management and prescription support (healthcare sector), (ii) optimal mobile phone plan recommendations (telecommunications sector), and (iii) customized travel planning and optimization.
Moreover, the PIPC will establish a MyData Support Platform to help individuals to exercise their data portability rights, designate specialized institutions for personal data management, conduct continuous monitoring of personal data management practices, and issue guidelines to prevent improper inducement or incentives for data transfers.
The PIPC will also expand the scope of data transferors and transferrable data items within the healthcare and telecommunications sectors, and consider broadening MyData services to other fields, such as education, employment, and leisure, with a focus on enhancing public convenience.
5. Strengthening Its Role as the Central Authority for Personal Data Protection
The PIPC conducted compliance inspections in “three areas closely related to the public” and “three new industries” last year. Building on these efforts, the PIPC will continue carrying out proactive and focused compliance inspections this year in “three key vulnerable sectors of personal protection:” (i) “areas closely tied to daily life,” including sharing platforms, digital finance, real estate and construction, and edutech, (ii) “new technology and new industries,” such as AI application services, including AI agents (virtual assistants), and legal tech, and (iii) “public areas,” including intensive management systems and educational institutions (universities).
These inspections aim to preemptively assess personal data processing practices and ensure compliance with relevant laws, thereby preventing and minimizing potential personal data breaches.
The PIPC also announced plans to enhance its enforcement mechanisms to ensure that overseas businesses cooperate in submitting their revenue data. To enhance user protection, the PIPC will mandate overseas businesses to designate their Korean entity as their local representative. At the same time, it will also establish exemption criteria for minor cases or investigations involving small and medium-sized enterprises.
Additionally, the PIPC said it plans to enhance its capabilities by (i) establishing a forensic lab which will collect and analyze digital evidence to identify the causes and pathways of data breaches, (ii) operating a case investigation system to systematically manage the entire process of investigations, from submission and investigation to final decision, and (iii) forming a dedicated litigation team to bolster the PIPC’s ability to effectively handle legal challenges.
6. Building Comprehensive and Robust Personal Data Protection Safety Nets
The PIPC will advance its Privacy by Design initiative by expanding pilot certifications for everyday IT devices, such as IP cameras. It will also pursue legislative amendments to introduce statutory certifications and require the use of security-certified IP cameras in publicly used facilities.
Furthermore, the PIPC will introduce new systems to enhance personal data management in public institutions and select key areas for focused support. This initiative will focus on sectors closely tied to people’s daily lives, fields involving large-scale data processing, and areas particularly vulnerable to privacy risks, while providing tailored support suitable for the unique characteristics and scale of self-regulatory organizations.
7. Implications
This year, MyData services, based on the right to data portability, are anticipated to be fully implemented in the healthcare, telecommunications, and energy sectors. Concurrently, the development of new technologies, including AI, is expected to gain momentum. In response, the PIPC is committed to addressing the growing demand for the utilization of personal data necessary for technical innovation while simultaneously working to alleviate concerns related to the protection of personal data and the rights of data subjects.
The PIPC has outlined plans to establish sector-specific AI and data processing standards, promote the use of pseudonymized data, and continue compliance inspections and investigations, among other initiatives. Accordingly, clients are advised to gain a thorough understanding of the PIPC’s policy directions and take proactive measures to mitigate potential legal and compliance risks.
[1] Under the PIPA, adequacy decisions serve as one of the legal grounds for transferring personal information overseas. These decisions acknowledge that the recipient country provides a level of data protection that is substantially equivalent to the PIPA standards.