On December 12, 2025, the Personal Information Protection Commission (“PIPC”) announced its 2026 work plan during an in-person policy briefing (Link).
Under the overarching vision of “Promoting an AI-Integrated Society Grounded in Trust in Personal Information Protection,” the PIPC outlined five strategic directions:
(1) Strengthening effective enforcement and encouraging investment in personal information protection
(2) Implementing proactive and preventive inspections across public and private sectors
(3) Building a trusted AI-driven society
(4) Enhancing privacy protection in everyday life
(5) Establishing a global data trust network
1. Rigorous Sanctions and Meaningful Compensation Aligned with Public Expectations
The PIPC plans to introduce a special provision for punitive administrative penalty under which companies committing repeated or serious violations of the Personal Information Protection Act (“PIPA”), particularly in cases involving willful misconduct, gross negligence, or significant harm, may face administrative penalties of up to 10% of their total revenue. In addition, the PIPC intends to amend the PIPA to allow class actions not only for injunctions, but also for monetary damages claims, thereby ensuring more effective compensation for victims of data breaches.
Additionally, the PIPC will enhance the credibility of the ISMS-P certification[1] by introducing preliminary reviews, expanding on-site technical inspections, conducting special audits of companies that experience incidents, and revoking certifications in case of repeated or serious violations. These measures reflect the PIPC’s intent to enhance the effectiveness of the certification system, particularly in light of recent data breach incidents involving ISMS-P certified companies.
2. Strengthening Responsibility and Investment Proportional to Risk
The PIPC will provide incentives, such as a mandatory reduction in administrative penalties, for companies that actively invest in personal information protection. At least 10% of IT investment resources must be allocated to personal information protection.
By June 2026, the Chief Executive Officer (CEO) will be designated as the ultimate responsible person for personal information processing and protection, with codified management obligations. In addition, companies handling large-scale sensitive personal information will be required to designate a Chief Privacy Officer (CPO) and report such designation to the PIPC.
3. Transition to Preventative and Continuous On-Site Safety Inspections
The scope of preliminary inspections will be expanded to industries processing large volumes of personal information, such as logistics and platform services, as well as sectors handling sensitive or high-risk personal information.
The PIPC will also provide practical and qualitative evaluations and feedback on privacy policies for companies operating in areas closely tied to daily life (e.g., food and beverage ordering services, simple authentication providers) and those utilizing AI or emerging technologies. For small and micro enterprises with limited resources, the PIPC will offer rapid technical support in the event of data breaches and reduce the level of sanctions if corrective measures are taken promptly.
4. Establishing a Personal Information Framework to Support AX (AI Transformation) Innovation
The PIPC will introduce an “AI Special Exception,” permitting the processing of personal information under strict safeguards and subject to deliberation and resolution by the PIPC, in cases where anonymization or pseudonymization alone cannot achieve public interest objectives. Also, the PIPC will expand and refine the legal grounds for the lawful processing of personal information. This framework aims to allow the use of high-quality personal data as AI training datasets to improve AI model performance.
Moreover, the PIPC will introduce (i) a “One-Stop Support System for Pseudonymization” to assist public institutions with pseudonymization and adequacy assessments and (ii) a “No-Action Letter System” to promptly resolve legal uncertainties.[2]
5. Building a Secure MyData Ecosystem
The right to request the transmission of personal information to third parties (i.e., the right to data portability), introduced in the healthcare and telecommunications sectors in 2025, will be expanded in 2026 to cover the energy, education, employment, and culture/leisure sectors. By 2027, this right will extend to the welfare, transportation, real estate, and logistics sectors.
6. Protecting Data Subjects’ Rights and Preventing Harm
Currently, data subjects must be notified only when a personal information breach is confirmed. The PIPC plans to amend the law so that the notification obligation will be triggered even when there is merely a possibility of a breach.
The PIPC will also establish a “Personal Information Damage Recovery Support Fund” to utilize administrative penalties for supporting victims and introduce a “Consent Decree System for Damage Recovery,” under which companies responsible for incidents may voluntarily propose corrective measures that, once approved, will facilitate swift recovery.
7. Establishing a Strategic Framework for Cross-Border Data Transfers
The PIPC will permit cross-border transfers of personal information based on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). Under this framework, companies may either utilize SCCs adopted by the PIPC or develop their own BCRs, subject to the PIPC’s approval, to enable the transfer of personal information overseas.
Also, the PIPC will introduce a “Cross-Border Transfer Impact Assessment System,” requiring companies to conduct self-assessments when transferring large volumes of sensitive personal information overseas. In cases of corporate mergers and acquisitions, companies will be required to undergo a “Pre-Cross-Border Transfer Review.”
8. Additional Initiatives
In addition to the above, the PIPC plans to:
- Actively implement a Preliminary Adequacy Review System from the planning stage of AI and other new technologies and services;
- Introduce measures to combat crimes involving deepfake misuse, including a right for data subjects to request deletion of AI-generated synthetic content and corresponding obligations for service providers;
- Enact the Act on Installation and Operation of Visual Information Processing Devices; and
- Strengthen protections for children and adolescents by ensuring the effectiveness of parental consent procedures and advancing discussions on restrictions on targeted advertising.
Against the backdrop of heightened public awareness following a series of recent data breaches, the PIPC’s 2026 plan sets out the legislative amendments and policy directions to be pursued in the coming year. Consequently, the obligations and responsibilities of data controllers, as well as the sanctions for violations, are expected to undergo significant changes, making it essential for businesses to closely monitor future enforcement developments.
[1] An ISMS-P certification is a voluntary certification that combines both Information Security Management System (ISMS) and Personal Information Management System certifications into a single review process. By obtaining this certification, a company can show that it complies with the information security and personal data protection standards required by the Network Act and the Personal Information Protection Act.
[2] Please refer to our previous newsletter, “PIPC Announces Pseudonymized Information System and Operation Innovation Plan,” for further details (Link).