On March 13, 2025, the data portability regime provided under Article 35-2 of the Personal Information Protection Act (“PIPA”) was first introduced for the healthcare and telecommunications sectors. Recently, the Personal Information Protection Commission (“PIPC”) announced a draft amendment to the Enforcement Decree of the PIPA (the “Proposed Amendment”), which will expand the data portability right to all sectors. The key details of the Proposed Amendment according to the PIPC’s legislative announcement dated June 23, 2022 (available in Korean) are as follows.
1. Expansion of Personal Information Transmitters (Article 42-2 of the Proposed Amendment)
- Self-Transmission Requests, where personal information is transmitted directly to the data subject; and
- Third Party Transmission Requests, where personal information is sent to a third party, such as a specialized personal information management institution.
Article 35-2, Paragraphs (1) and (2) of the PIPA further differentiate the scope of personal information transmitters for each type of request:
- Entities required to respond to the requests for transmission to the data subject (“Transmitters”); and
- Entities required to respond to the requests for transmission to third parties (“Third Party Transmitters”).
However, the current Enforcement Decree of the PIPA does not distinguish between the two types of personal information transmitters. This approach is inconsistent with the intent of the PIPA, which is generally understood to provide a broader right to request self-transmission than the right to request third-party transmission. Furthermore, the current Enforcement Decree limits both the right to request self-transmission and the right to request third-party transmission to the healthcare, telecommunications, and energy sectors.
The Proposed Amendment introduces a clear distinction between Transmitters and Third-Party Transmitters. Notably, it (i) removes explicit references to specific industries with respect to Transmitters and (ii) allows an entity to qualify as a Transmitter if it possesses a certain level of data processing capability.
In sum, under the Proposed Amendment, an entity will qualify as a Transmitter if it meets certain thresholds, such as processing sensitive or unique identification information of 50,000 or more individuals, or processing personal information of 1 million or more individuals, with annual sales revenue of KRW 150 billion or more. Entities that meet these criteria are required to transmit personal information to the data subject upon request.
2. Expansion of Self-Transmission Scope (Article 42-4 of the Proposed Amendment)
(1) Information that infringes or is likely to infringe upon a third party’s rights or legitimate interests (excluding information that the data subject is entitled to access under other laws or regulations); and
(2) Information that is encrypted in a manner that prevents decryption (i.e., stored using one-way encryption).
The Proposed Amendment also introduces detailed regulations regarding the transmission of personal information. For instance, when automated tools are used to fulfill an agent’s request for personal information transmission, both the Transmitter and the agent must follow a pre-agreed transmission method (Articles 42-5 and 42-6 of the Proposed Amendment). Additionally, the Proposed Amendment expands the role of specialized personal information management institutions to include the management and analysis of personal transmission information, further supporting data subjects in exercising their rights (Article 42-9).
The Proposed Amendment is expected to take effect in 2025. Following a 40-day pre-legislative notice period ending on August 4, 2022, the Proposed Amendment will undergo a review by the Ministry of Government Legislation and require Cabinet approval before promulgation and enforcement.
The Proposed Amendment lays the groundwork for extending the data portability right to all industries. Accordingly, companies outside of the healthcare, telecommunications, and energy sectors should note that, depending on factors such as sales revenue and the size of their data holdings, they may become subject to the transmission obligations. It is therefore important to monitor ongoing legislative developments and proactively prepare for technical and operational changes necessary to comply with the new requirements.