Skip Navigation

Amendment to the PIPA Passed by the National Assembly


The plenary session of the National Assembly voted to pass the proposed amendments to the Personal Information Protection Act (“PIPA”) on February 27, 2023.  The amendments (“Amended PIPA”) will come into force six months after the promulgation by the President.
The amendment bill that was ultimately passed by the National Assembly had been partially revised during the review by the Legislation and Judiciary Committee since the version that was initially passed by the National Policy Committee (“NPC”) last year (“NPC Version”).  Please refer to our previous newsletter (Link) for the details of the NPC Version.  The key changes from the NPC Version are explained below.


  • The Amended PIPA adds a provision that allows data subjects to withdraw their data transmission requests (Article 35-2, Paragraph (5)).

  • The Amended PIPA excludes automatic decisions issued by administrative authorities from the scope of automated decisions (Article 37-2, Paragraph (1)) for the sake of consistency with the Framework Act on Administrative Affairs, which provides that an automatic decisions may be imposed only in accordance with other laws.  The data subject’s right to object to an automatic decision by an administrative authority is expected to be discussed in relation to the law that provides for the grounds for such decision.

  • Under the current PIPA, a data controller may process “pseudonymized data” without the consent of the data subject for the purpose of compiling statistics, conducting scientific research and preserving records for the public interest (Article 28-2, Paragraph (1)).  The NPC Version included “pseudonymization of personal information” itself in the scope of processing that can be performed without the consent of the data subject, but the Amended PIPA excludes this due to concerns that it can be misunderstood as expanding the scope of pseudonymization.

  • The NPC Version stipulated that if it would be impossible for the central government or a local government to perform its legal duties if it had to publicly display the fact that the government was filming in the course of operating a mobile visual data processing device, it did not have to notify such fact.  The NPC Version also provided that in such case, the central or the local government would be required to give an ex post facto notice to data subjects that it was filming, as well as the purpose, date, time, and place of filming.  However, the Amended PIPA deleted this exception because of the concerns that this could lead the government to use drones to surveil civilians.  In conclusion, if the central or a local government uses a mobile visual data processing device, it must without exception display that it is doing so to the data subjects (Article 25-2, Paragraph (3)).

  • The NPC Version required the data controller’s “compliance with the Guidelines on Preparation of a Privacy Policy” be considered in assessing a privacy policy’s compliance with the PIPA.  However, this was seen as inconsistent with Article 30, Paragraph (4) of the PIPA which only recommends data controllers to comply with the Guidelines on Preparation of a Privacy Policy.  The Amended PIPA now reads that “whether matters required under the PIPA are included in the privacy policy” would be considered in assessing a privacy policy’s compliance with the PIPA (Article 30-2, Paragraph (1), Item one of the PIPA).

Other than the above, the Amended PIPA is not significantly different from the NPC Version.  Other the key details and implications are as follows:

Integrated Regulations on Personal Information Processing

[Key Points]

  • Expand the duty to notify details of use and third party provision of personal information and the duty to designate a local privacy agent to general data controllers.

  • Integrate provisions on obtaining consent to collection and use of personal information, data breach notification and reporting obligation and obligation to take various security measures.

  • Abolition of the obligation to delete or segregate the personal information of dormant users.


  • As the principle of “same conduct, same regulation” will apply to all online and offline data controllers, it will be necessary to ensure compliance with regulations that will be newly applicable.

Shift from Criminal Sanctions to Financial Penalties

[Key Points]

  • Impose an administrative fine of up to 3% of the total sales revenue (the sales revenue not related to the violation will be excluded from the total sales revenue) for major violations.

  • Expand grounds for imposing an administrative fine on general data controllers.

  • Remove criminal penalty for online service providers for failure to obtain consent for collection and use of personal information and for causing data breach due to failure to delete personal information or take protective measures.


  • As the base amount for calculating the administrative fines is increased and the grounds for imposing administrative fines expanded, there is a greater need to comply with the PIPA.

Strengthen the Rights of Data Subjects

[Key Points]

  • Introduce the right to request the transmission of personal information and the right to refuse or request an explanation regarding a decision made based on fully automated processing of personal information.


  • It is necessary to pay attention to the Presidential Decree that will follow the amendment of the PIPA as it will determine matters, such as the scope of information subject to transmission request.


The Amended PIPA is expected to bring about significant changes to the practices of protecting and using personal information, such as introducing the right to request transmission and the right to respond to automated decisions, integrating the previously binary regulations on data controllers and online service providers, and shifting the focus of sanctions to fines.  However, the amendments leave a number of important matters to be determined in the Presidential Decree of the PIPA, such as (i) the method of displaying and notifying filming when operating mobile visual data processing devices, (ii) the scope of information that may be subject to transmission request, and (iii) the standards and procedures for automated decisions and what information must be disclosed for automated processing.  Therefore, it is necessary to keep an eye on how the Presidential Decree of the PIPA will fine-tune the Amended PIPA.


[Korean Version]