Skip Navigation

Proposed Amendment to the Enforcement Decree of the PIPA


The amended Personal Information Protection Act (“PIPA”), which focuses on issues such as (i) strengthening the rights of data subjects, (ii) integrating and updating regulations on processing personal information by regular data controllers and online service providers, and (iii) shifting from criminal penalties to economic sanctions, will come into force on September 15, 2023. Accordingly, on May 19, 2023, the Personal Information Protection Commission (“PIPC”) announced the proposed amendments to the Enforcement Decree of the PIPA (the “Proposed Amendments”) to align the current Enforcement Decree with the amended PIPA and to provide more details on the amended PIPA provisions.
The Proposed Amendments, following a 40-day opinion-canvassing period (from May 19, 2023 to June 28, 2023), will come into effect on September 15, 2023, together with the amended PIPA. Moreover, the plan to further amend the Enforcement Decree in relation to the PIPA amendments that will come into force on March 15, 2024, namely (i) the right to request transmission of personal information, (ii) the data subject’s rights regarding automated decisions, and (iii) the evaluation of the level of personal information protection at public institutions, will be announced in the second half of this year.
The key issues covered by the Proposed Amendments are as follows:


Key Details

Requirements for Processing Personal Information

  • (How to obtain consent) Legitimate consent must satisfy the following conditions: (i) consent is obtained at the free will of the data subject, (ii) details regarding consent must be specific and clear, (iii) the text of the consent form must be plain and easy to understand, and (iv) the data subject must be provided with a way to clearly express his/her consent.

Mobile Visual Data Processing Device

  • (Definition of mobile visual data processing devices) Mobile visual data processing devices are classified into (i) devices that are worn on the human body and clothes, such as glasses and watches (“wearable devices”), (ii) devices that can be easily carried by people, such as mobile phones and digital cameras (“portable devices”), and (iii) devices that are fixed and attached to/hung from movable objects, such as vehicles and drones (“attached/hung devices”).

  • (How to notify filming) The relevant provision stipulates that when using mobile visual data processing devices, the fact that filming is taking place must be displayed and notified by means of light, sound, signboards, written statements, announcements or other similar means. If it is difficult to display and notify filming due to the nature of the filming method used (e.g., drone), the notification may be made by another means specified by the Personal Information Protection Commission (e.g., notice on the website).

Restriction on Overseas Transfer of Personal Information

  • (Recognition of level of personal information protection) The Proposed Amendments provide for the matters and procedures to be considered when recognizing the level of personal information protection offered by certain countries and international organizations (deliberation by the expert committee on overseas transfer and collection of opinions from relevant ministries).

  • (Criteria for suspension order) In determining whether the PIPC should order a suspension of overseas transfer, the PIPC must consider (i) the type and size of personal information that has been transferred overseas or is expected to be transferred additionally, (ii) the severity of the violation of the relevant regulations, (iii) whether the damage is serious or irreparable, and (iv) whether there is a clear benefit to the data subject.

Privacy Policy Evaluation System

  • (Subject of evaluation) The target of evaluation will be selected by considering (i) the type and amount of revenue of the data controller, (ii) the type (e.g., sensitive information and unique identification information) and volume of personal information processed, (iii) the basis, form and method of processing personal information, (iv) whether any violation of privacy law has occurred, and (v) the characteristics of data subjects (e.g., children and juveniles).

  • (Assessment criteria) The assessment criteria include (i) whether the privacy policy meets all statutory requirements, (ii) whether the privacy policy is written in plain language, and (iii) whether the privacy policy is easily accessible.

Integration of Online and Offline Regulations

  • (Notification of history of using and/or providing personal information) A data controller must notify data subjects of the history of using and/or providing their personal information periodically (i) if the data controller processes sensitive information or unique identification information of 50,000 or more data subjects on a daily average basis during the three months immediately preceding the end of the previous year or (ii) if the data controller processes personal information of 1 million or more data subjects.

  • (Which data controllers must designate a domestic privacy agent) Data controllers that meet one of the following thresholds must designate a domestic privacy agent: (i) the data controller had a total revenue of KRW 1 trillion or more in the previous fiscal year, (ii) the data controller stored and managed the personal information of 1 million or more domestic data subjects on a daily average basis during the three months immediately preceding the end of the previous year, or (iii) the PIPC has requested the data controller to submit certain materials and decided that the data controller needs to designate a domestic privacy agent.

  • (Notification and reporting of personal information leakages) In the event of a personal information leakage, the data controller must notify the affected data subjects within 72 hours of becoming aware of the leakage. The data controller must also report to the regulator within 72 hours if (i) the personal information of 1,000 or more data subjects has been leaked, (ii) sensitive information or unique identification information has been leaked, or (iii) personal information has been leaked through illegal access from the outside.

Personal Information Dispute Mediation

  • (Exceptions to dispute mediation) A data controller may refuse to participate in a dispute mediation (i) if a lawsuit has been filed prior to the filing of an application for dispute mediation, (ii) if the dispute has already been concluded by a settlement, conclusive court decision or a decision by a dispute mediation body under another statute, or (iii) if an application is filed to re-mediate a case that has been decided or closed by the Dispute Mediation Committee.

  • (Prior notice of examination for dispute mediation) The Dispute Mediation Committee must give the data controller subject to mediation a seven day written notice of its examination, including the purpose, period, place, scope and details of the examination.

Detailed Standards and Procedures for Imposing Administrative Penalties

  • (Criteria for determining revenue unrelated to violation) The following revenues may be excluded from the base revenue from which penalty is calculated for being unrelated to the violation: (i) revenue from goods or services that are clearly unrelated to personal information processing and (ii) revenue for which the data controller has submitted evidence showing that it is not from goods or services directly or indirectly affected by the violation.

  • (Exceptions to administrative penalties) Relevant parties may be exempted from administrative penalties if the violation is remedied and falls under the criteria to be further notified by the PIPC.

  • (Seriousness of the violation when calculating the base fine) Violations are categorized into four grades: (i) a very serious violation, (ii) a serious violation, (iii) a moderate violation, and (iv) a minor violation.

Detailed Standards and Procedures for Imposing Administrative Fines

  • (Additional grounds for reduction or exemption of administrative fines) Additional grounds for reduction or exemption of an administrative fine include (i) implementation of measures to compensate damages and to prevent further harm, (ii) having made efforts to protect personal information, such as obtaining the relevant information protection certification and making voluntary personal information protection activities, and (iii) voluntary reporting of violations.


Companies are advised to keep monitoring the progress of the Proposed Amendments and additional notifications and guidelines to be published by the PIPC.


[Korean Version]