1.

Proposed Amendments to Personal Information Protection Act
 

(1)

Introduction of Legal Grounds for Processing Personal Information for AI Development and Performance Enhancement (Amendment bill proposed by National Assembly members Byoung-Dug Min and Dong-Jin Go)

A bill to amend the Personal Information Protection Act (the “PIPA”) (i.e., Bill No. 2207858, proposed by National Assembly member Byoung-Dug Min) has been proposed and is currently under review by the National Policy Committee (the “NPC”). The proposed amendment seeks to establish a legal basis for the processing of personal information necessary for the development of AI technologies without the data subject’s consent under specific conditions. Under the amendment, personal information may be used for the development of AI technologies and enhancement of their performance beyond the original purpose of collection, provided that certain requirements, such as enhanced safety measures and safeguards for data subjects’ rights, are met and that such utilization is subject to deliberation and resolution by the Personal Information Protection Commission (the “PIPC”). Key requirements include: (i) serving the public interest, (ii) ensuring minimal risk of harm to the rights and interests of data subjects or third parties, and (iii) conducting a risk assessment when processing sensitive information, along with other additional protective measures.

Notably, a similar amendment bill (i.e., Bill No. 2208904, proposed by National Assembly member Dong-Jin Go) with certain distinctions, such as requiring streamlined deliberation and resolution procedures, is also pending before the NPC.
 

(2)

New Legal Grounds for Collecting Publicly Disclosed Personal Information (Amendment bill proposed by National Assembly member Tae-Seon Kim)

Another amendment bill (i.e., Bill No. 2208067, proposed by National Assembly member Tae-Seon Kim) clarifying the legal grounds for collecting “publicly disclosed personal information” under specific conditions is also being examined by the NPC. The bill stipulates that, where personal information has been made public by the data subject – either directly or through a third party (e.g., via social media) – such information may be collected without the data subject’s explicit consent, provided it can be objectively recognized that the data subject consented to such disclosure.

In this context, the PIPC published the “Guidelines on the Processing of Publicly Disclosed Personal Information for AI Development and Services” in July 2024, confirming that publicly disclosed personal information may be utilized for AI training and development based on the “legitimate interests” under Article 15 (1) 6 of the PIPA. It remains essential to closely follow how these guidelines will be utilized in upcoming legislative developments.
 

2.

PIPC’s Approval of “Plan for Expanding and Opening AI Datasets”

At its third meeting, conducted on February 20, 2025, the National Artificial Intelligence Committee approved the “Plan for Expanding and Opening AI Datasets,” as set forth by the PIPC. Under this initiative, the PIPC has signaled a policy direction focused on diversifying and clarifying the legal bases for processing large volumes of user data held by companies and public institutions. The goal is to facilitate the effective use of such data in the development and enhancement of AI services.

Traditionally, the utilization of user data held by businesses for AI development or enhancement required such businesses to obtain separate consent from individual data subjects pursuant to Article 18 of the PIPA. Going forward, however, distinct legal grounds will be established for different scenarios: (i) AI training aimed at enhancing AI services may be categorized as “use within the original purpose” under Article 15 (1) of the PIPA, (ii) the development of new AI services reasonably related to current offerings may qualify as “additional provision” under Article 15 (3) of the PIPA, and (iii) the development of entirely new, unrelated AI services may rely on either the (a) pseudonymization exception under Article 28-2 of the PIPA or (b) other newly introduced legal bases. With additional guidelines and policies expected from the PIPC, the utilization of data for AI purposes is likely to become more accessible going forward.
 

3.

Korea Communications Commission’s Issuance of User Protection Guidelines for Generative AI Services

On March 28, 2025, the Korea Communications Commission (the “KCC”) released the User Protection Guidelines for Generative AI Services (the “Guidelines”), setting forth fundamental principles and implementation plans for the protection of AI service users. The Guidelines present four fundamental principles that developers and service providers should pursue when using generative AI services, along with six implementation strategies to observe these principles. The four fundamental principles are as follows: (i) generative AI services should uphold human dignity, protect personal rights and ensure meaningful human oversight and control, (ii) the working principles, outputs and impacts of AI systems should be explained in a clear and comprehensible manner, (iii) measures must be in place to minimize unforeseen harm and to prevent the malicious use or manipulation of AI services, and (iv) efforts must be made to prevent discrimination and unfair outcomes for users.

Although the Guidelines are not legally binding and do not impose explicit obligations on service providers, they primarily function as a statement of principles and best practices. Nonetheless, these Guidelines are likely to serve as a prima facie standard in the KCC’s future regulatory interpretations and enforcement. They may also serve as references for the introduction of regulations and legislation, such as the pending “AI User Protection Act” (tentative title). Stakeholders are advised to keep a close watch on further developments in this area.