The Personal Information Protection Commission (the “PIPC”) announced proposed amendments to the Enforcement Decree of the Personal Information Protection Act (the “Proposed Amendments”) on June 1 and June 2, 2026, as a follow-up to the amended Personal Information Protection Act (the “Amended PIPA”), which was promulgated on March 10, 2026 and will take effect on September 11, 2026. The key aspects of the Proposed Amendments are summarized below.
|
1.
|
Strengthening the Effectiveness of Administrative Penalties
|
|
(1)
|
Detailed Standards and Procedures for Calculating Administrative Penalties
The Amended PIPA provides that administrative penalties of up to 10% of total revenue may be imposed for repeated or serious violations (Article 64-2(2)). The Proposed Amendments set out detailed standards and procedures for calculating and imposing such penalties (Article 60-2 and Annex 1-5).
-
Calculation procedure: The PIPC will determine a “base amount” by multiplying the revenue related to the violation (i.e., total revenue minus revenue unrelated to the violation) by a rate reflecting the severity of the violation (the "base rate"). Under the Proposed Amendments, the base amount may be increased in certain cases, after which further adjustments (increases or reductions) will be applied to determine the final penalty.
|
–
|
Grounds for increasing the base amount: The base amount will be increased where penalties of up to 10% of total revenue may be imposed under the Amended PIPA, namely: (i) where a violator commits a willful or grossly negligent repeat violation within three years of a prior penalty; (ii) where a violator commits a willful or grossly negligent violation affecting 10 million or more data subjects; or (iii) where personal information is leaked due to non-compliance with a corrective order.
|
|
–
|
Factors considered: In determining the rate and extent of any increase, the PIPC will comprehensively consider: (i) the nature and severity of the willful misconduct, gross negligence, repeat violation, or non-compliance; (ii) the circumstances giving rise to such conduct; and (iii) the scale of harm to data subjects (including whether 10 million or more data subjects are affected).
|
|
|
(2)
|
New Reduction Mechanism for Privacy-Protection Investments
The Amended PIPA allows for reductions in administrative penalties where “grounds prescribed by Presidential Decree” exist, including investments in and operation of budget, personnel, facilities, and equipment for personal information protection (Article 64-2(6)). The Proposed Amendments require that such reductions be applied to the base amount prior to first- and second-stage adjustments, and set out detailed criteria, thresholds, and limits (Articles 60-2(5) and (7) and Annex 1-5).
-
Factors considered: In applying reductions based on privacy protection investments, the PIPC will consider: (i) the scale and continuity of investments in budget, personnel, facilities, and equipment; (ii) the substance and effectiveness of the data controller's privacy protection framework, including the roles of the business owner or representative and the Chief Privacy Officer (CPO), organizational structure, and staffing; and (iii) additional efforts to enhance personal information security measures.
-
Ceiling and conditions: Reductions may not exceed 40% of the base amount. No reduction is available where the violation was willful or grossly negligent.
In addition, with respect to grounds for not imposing penalties under the Amended PIPA (Article 64-2(7)(4)), the Proposed Amendments provide that penalties may be waived where no harm has occurred to data subjects (or any harm is minor), the data controller has remedied the violation (including through technical assistance in the case of SMEs and small businesses), and the criteria set forth in PIPC guidelines are satisfied (Article 60-2(6)).
|
|
2.
|
Strengthening Prevention of and Response to Data Breaches
|
|
(1)
|
Board Resolution and PIPC Reporting for CPO Designations
The Amended PIPA requires certain data controllers to obtain board approval for the designation, change, or removal of a CPO and to report such actions to the PIPC (Article 31). The Proposed Amendments specify the entities subject to these requirements and the applicable procedures (Article 32).
|
–
|
Data controllers with annual revenue or income of KRW 180 billion or more that process either
(i) sensitive information or unique identification information of at least 50,000 data subjects, or
(ii) personal information of at least 1 million data subjects
|
|
–
|
Universities with 20,000 or more enrolled students
|
|
–
|
Tertiary general hospitals processing large volumes of sensitive information
|
|
–
|
Public system operating institutions
|
|
|
(2)
|
Mandatory ISMS-P Certification
The Amended PIPA requires major data controllers with significant impact to obtain personal information protection certification (ISMS-P certification) on a mandatory basis (Article 32-2). The Proposed Amendments define the entities subject to this requirement (Article 34-9).
-
Scope of application: ISMS-P certification is mandatory for: (i) operators of major public systems designated by the PIPC; (ii) mobile telecommunications carriers; (iii) identity verification agencies; and (iv) entities with prior-year total revenue of at least KRW 1 trillion and at least KRW 10 billion in revenue from information and communications services, where the average daily number of domestic data subjects whose personal information was stored or managed during the three months preceding the end of the prior year was 30 million or more.
-
Deadline: Entities subject to mandatory certification must obtain ISMS-P certification by December 31, 2028 (Supplementary Provisions, Article 3).
|
|
(3)
|
Changes to Data Breach Notification and Reporting Requirements
The Amended PIPA requires data controllers to notify data subjects without delay not only upon becoming aware of a data breach, but also upon recognizing a likelihood of a breach (Article 34). The Proposed Amendments elaborate on notification requirements, timing, and content (Articles 30-2, 39, 39-2, 40, and 48-7).
-
Notification requirements and timing: Notifications must be made at early stages where a likelihood of breach is identified. Specifically:
(i) Where a data controller becomes aware of unauthorized access to its personal information processing systems or devices used by personnel, and objective circumstances indicate that personal information may have been breached, notification must be made within 72 hours of awareness, even if affected data subjects cannot yet be identified.
(ii) Where it is objectively confirmed that personal information is being unlawfully traded or distributed, and there is a high likelihood that additional data subjects beyond those already identified are affected, notification must be made within 72 hours of awareness.
-
Content of notifications: Notifications and reports must cover not only cases where personal information has been lost, stolen, or leaked, but also where it has been forged, altered, or damaged.
The Proposed Amendments also revise penalty standards so that cases resulting only in corrective orders or warnings (without monetary penalties) will be treated as prior violations, thereby increasing penalties for repeat offenses. Penalty amounts for individual violations have also been increased (Article 63 and Annex 2).
|
The legislative pre-announcement period for the Proposed Amendments runs through July 13, 2026. Following review by the Ministry of Government Legislation and other procedural steps, the amendments are expected to be finalized and take effect on September 11, 2026, in line with the Amended PIPA. In preparation, data controllers should review their current investments and operations relating to personal information protection (including budget, personnel, facilities, and equipment), as well as their CPO designation processes, ISMS-P certification readiness, and incident response protocols (including breach notification and reporting procedures). Continued monitoring of further developments, including the promulgation and implementation of the amended Enforcement Decree and related PIPC guidance, is recommended.
[Korean Version]