On Friday, January 31, 2025, a bill proposing an amendment to the Personal Information Protection Act (“PIPA”) was introduced (the “Proposed Amendment”) to the National Assembly.
The Proposed Amendment primarily aims to establish a legal basis for utilizing personal information beyond its original collection purpose when deemed necessary for AI technology development or performance enhancement, subject to the review and approval of the Personal Information Protection Commission (“PIPC”). To achieve this purpose, the Proposed Amendment sets out the requirements, procedures, and the PIPC’s ex-post supervisory authority to ensure the safe processing of personal data, among others.
|
1. |
Requirements for Utilizing Personal Information Beyond Its Original Collection Purpose for AI Technology Development |
-
When processing information, such as video, audio, images, symbols, and text, anonymization or pseudonymization would make AI technology development significantly difficult due to the inherent characteristics of the data and its relevance to AI and technological advancements;
-
When appropriate safeguards, as outlined by Presidential Degree, are in place, such as processing personal data in a secure environment with technical, administrative, and physical protective measures; and
-
When the purpose of AI technology development includes one of the following, and the risk of unjustly infringing on the interests of data subjects or third parties is significantly low:
|
– |
Advancing public interest; or |
|
– |
Protecting the rights and interests of data subjects or third parties, or contributing to broader social benefits (e.g., fostering AI innovation). |
Under Article 28-12(2) of the Proposed Amendment, data controllers must obtain a review and approval from the PIPC on whether these requirements are satisfied. The PIPC may impose conditions necessary to ensure the protection of data subjects’ rights and the safe processing of personal information.
Meanwhile, Article 28-12(3) of the Proposed Amendment requires that if the processing involves personal information that includes sensitive information or unique identification information exceeding a certain threshold or if it affects the rights and interests of data subjects, which will be both further specified in the Presidential Decree, data controllers must conduct an assessment to propose necessary safeguard measures and required improvements based on the impact of processing beyond the original collection purpose on the interests of data subjects or third parties, as well as the identification of potential risks (the “Risk Assessment”). The results of the Risk Assessment must be submitted to the PIPC.
|
2. |
Privacy Policy Disclosure Requirement and Matters Related to Ex-post Supervisory Authority of the PIPC |
-
If the review and approval for personal data processing beyond its original collection purpose was obtained through false or otherwise fraudulent means;
-
If the requirements under Article 28-12(1) of the Proposed Amendment or the conditions imposed through conditional approval are not met;
-
If, due to significant changes in circumstances, it is determined that achieving the purpose of personal information processing (such as AI technology development) is clearly impossible;
-
If the processing of personal information for AI technology development does not commence within six months from the date of the PIPC’s approval without a valid reason; or
-
If a required Risk Assessment is not conducted or if the results of the Risk Assessment are not submitted to the PIPC.
The Proposed Amendment aligns with the “Revolutionizing the Personal Data Regulatory Framework in the AI Era” initiative included in the PIPC’s Key Policy and Enforcement Plan for 2025 text,[1] announced on January 13, 2025.
If enacted, the Proposed Amendment would ease current regulations by making it easier to secure training data for AI development and improvement. However, companies looking to utilize personal information would still be subject to stringent requirements, including strict compliance procedures, disclosure obligations, and ongoing regulatory oversight. These regulatory requirements could pose practical challenges.
Given that in-depth discussions during the legislative process are anticipated, companies doing business in or planning to enter the AI sector should closely monitor developments in the legislative process.
[1] Please refer to the “Personal Information Protection Commission Announced Key Policy and Enforcement Plan for 2025” for further information (Link).
