On September 24, the Personal Information Protection Commission (the “PIPC”) unveiled the “Pseudonymized Information System and Operation Innovation Plan” during the 4th National Affairs Ministerial Meeting. This initiative follows the 1st Core Regulation Rationalization Strategy Meeting (held on September 15, 2025, and presided over by the President). The plan aims to establish a robust foundation for the effective use of high-quality data, a critical element in enhancing AI competitiveness, by improving the systems and processes surrounding pseudonymized information. The main points are summarized below:
|
1.
|
Creation of Environment for Active Data Sharing
|
|
(1)
|
Cost Reduction and Support for Pseudonymization
The PIPC is set to drastically lower the costs associated with pseudonymization. The PIPC will implement a “one-stop support system for pseudonymization” for the public sector, managed by specialized institutions designated by the PIPC. The PIPC will also verify the adequacy of pseudonymization performed by these institutions. Additionally, the PIPC will pursue a legislation to establish a trustworthy body for certifying the adequacy of both pseudonymization and anonymization processes.
|
|
(2)
|
Alleviation of Legal Risks
Starting November, the PIPC will introduce the “No Action Letter” system, allowing organizations to confirm within 30 days whether an unclear case constitutes a violation of law. If the PIPC deems such case as outside the scope of a regulatory action, it will be exempted from sanctions, unless circumstances materially change. Furthermore, by year-end, the PIPC plans to issue guidelines addressing key conflict points between AI technology and the pseudonymized information system, as well as indemnification guidance for public officials acting without willful misconduct or gross negligence.[1]
|
|
(3)
|
Incentives for Provision and Use
From the second half of this year, public institutions will receive additional points (up to 10) for supplying pseudonymized or synthetic information in the “Public Data and Data-Based Administrative Evaluation.” For private companies, provision of such data will positively influence their “corporate ESG evaluation index,” which is considered in credit ratings and financial reviews. The PIPC also plans to release “Guidelines on Pseudonymized Information Processing Fees” within this year, allowing public institutions to recoup pseudonymization costs from the processing fee revenues.
|
|
2.
|
More Efficient Processing of Pseudonymized Information
|
|
(1)
|
Streamlining Pseudonymization Process
The pseudonymization process, previously averaging 310 days from consultation to data release, will be made significantly more flexible. The PIPC will assess the risk levels based on “data risk” and “vulnerability of the processing environment,” and it will customize the pseudonymization processes depending on the risk level within this year. The PIPC will also clarify legal provisions to enable:
- Confirmation of the adequacy of unstructured data by sample surveys post-pseudonymization for large datasets and
- Exemption of Institutional Review Board review and individual consent requirement under the Bioethics Act when pseudonymizing health and medical data.
|
|
(2)
|
Facilitating Pseudonymized Data Combination
The PIPC will issue legal interpretations to allow the combination of pseudonymized datasets by using connecting information[2], accompanied by safeguards to mitigate privacy risks. The PIPC is also considering legislation to allow unique identification information (e.g., resident registration numbers) to be combined in specific public interest cases, such as disease treatment and policy research.
|
|
(3)
|
Building Operational Infrastructure
The PIPC will prepare a Prime Minister's Directive, to be effective from 2026, which will delineate the roles and responsibilities of the persons responsible for pseudonymized data at the entities providing pseudonymized data in the public sector. The PIPC will support the institutions to establish internal governance system before the Directive takes effect.
|
|
3.
|
Maximization of Utility of Pseudonymized Information
|
|
(1)
|
Minimizing Data Loss
The PIPC plans, within this year, to prepare a legislation bill to regulate the matters relating to the “Pseudonymization Adequacy Review Committee” in order to ensure that pseudonymization results in minimal data loss and that pseudonymization can take place at a consistently reasonable level. The PIPC will also improve access to the “Privacy Innovation Zone” (formerly the Privacy Safety Zone).[3]
|
|
(2)
|
Building Capacity and Expertise
The PIPC will provide expanded support, such as acquisition of expert personnel, to training professionals and advancing technology to safeguard and utilize personal information and to strengthen the expertise of the Pseudonymized Data Utilization Support Center.
|
|
(3)
|
Promoting Use Cases and Innovation
By year-end, the PIPC will publish online detailed use cases (such as combination rates and data schemas). Furthermore, the PIPC will develop data innovation promotion models by developing leading examples of pseudonymized data combination.
|
For companies, these changes mean more clarity regarding pseudonymization requirements and new opportunities to leverage pseudonymized data in a variety of services, including AI. We recommend monitoring the forthcoming guidelines and considering strategic use of no-action letters and innovation zones to manage legal risks and expand data use possibilities.
[1] A system under which a follow-up administrative sanction will not be imposed when a no-action letter is issued, unless special circumstances arise.
[2] Information generated by one-way encryption of resident registration numbers.
[3] It is a data analysis environment directly certified and managed by the PIPC to ensure the safety of data processing, allowing for the flexible use of pseudonymized data. Currently, five data analysis spaces are in operation.
[Korean Version]
