South Korea Data Privacy Laws: PIPA Compliance Guide (2026)

South Korea has built one of the most rigorous data privacy regimes in the Asia-Pacific region. The Personal Information Protection Act, known as PIPA, governs how organizations collect, use, store, and transfer personal information. It applies to every entity that processes personal data within South Korea, regardless of whether that entity is a government agency, a private company, or a foreign business with operations touching Korean users.
This guide covers the current state of PIPA as of 2026, including the landmark amendments that have reshaped enforcement and penalties over the past three years.
What Is PIPA and Who Does It Apply To
PIPA (the Personal Information Protection Act) was enacted on March 29, 2011, and took effect on September 30, 2011. It serves as South Korea's general data protection law, covering all personal information processors in both the public and private sectors.

The law defines "personal information" broadly. It includes any information that can identify a living individual, whether directly or when combined with other data. Names, resident registration numbers, images, biometric information, IP addresses, and location data all fall within this definition.
PIPA applies to:
- South Korean companies and government agencies
- Foreign companies that process personal data of individuals in South Korea
- Data processors acting on behalf of personal information controllers
- Online and offline entities alike (the 2023 amendments harmonized standards that previously differed)
Since the 2023 amendments, there is no longer a separate regulatory track for online service providers. Every personal information processor is subject to the same rules under PIPA.
The Personal Information Protection Commission (PIPC)
The PIPC is South Korea's independent data protection authority. Established as a central administrative agency under the Prime Minister's Office, the PIPC was elevated to full regulatory authority in August 2020 when functions previously held by the Korea Communications Commission and the Ministry of the Interior were consolidated under it.
The PIPC has the power to:
- Investigate data processing practices of any entity
- Issue corrective orders and improvement recommendations
- Impose administrative fines (now up to 10% of revenue under the 2026 amendment)
- Refer criminal cases to prosecutors
- Publish enforcement decisions and name violators
- Approve cross-border data transfer mechanisms
The PIPC has signaled six strategic priorities for 2025 and beyond: adapting the personal data framework for AI, building foundations for innovation in new industries, securing leadership in global data governance, driving the MyData portability era, strengthening its central authority role, and building comprehensive safety nets for data protection.
Consent Requirements Under PIPA
PIPA's consent framework is more granular and demanding than most international equivalents, including the GDPR. South Korean law does not allow a single blanket consent checkbox to cover all data processing activities.
Types of Consent
PIPA distinguishes between several categories that each require their own consent:
- Collection and use consent. Required for the initial gathering and processing of personal information. The controller must specify the purpose, types of data collected, retention period, and the right to refuse.
- Third-party provision consent. Separate consent is needed before sharing personal data with any third party. The data subject must be told who will receive the data, why, and what data will be shared.
- Sensitive information consent. Processing of sensitive categories requires explicit, separate consent. This includes data relating to ideology, beliefs, labor union or political party membership, political opinions, health, sex life, genetic information, criminal history, biometric identifiers, and race or ethnicity.
- Cross-border transfer consent. Transferring personal data outside South Korea requires separate consent unless an exception applies.
- Marketing and advertising consent. Using personal data for marketing purposes requires its own distinct consent.
The 2024 Anti-Bundling Rule
The enforcement decree that took effect on March 15, 2024, made explicit what regulators had long expected: companies may collect data without consent only when strictly necessary for contract performance. No bundled or coercive terms are permitted in privacy notices. If a service can function without certain data, consent for that data cannot be made a condition of accessing the service.
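As an added illustration (not from the original guide or any PIPC material), the following Python models the five separate consent categories above and the 2024 anti-bundling rule: each purpose has its own flag, sensitive fields need their own consent on top, and a user can be refused service only for missing contract-necessary fields. The service definition (REQUIRED_FIELDS, OPTIONAL_FIELDS, SENSITIVE_FIELDS) is hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class ConsentType(Enum):
    # The five separately consented categories PIPA distinguishes.
    COLLECTION_USE = "collection_use"
    THIRD_PARTY = "third_party_provision"
    SENSITIVE = "sensitive_information"
    CROSS_BORDER = "cross_border_transfer"
    MARKETING = "marketing"


@dataclass
class ConsentRecord:
    # One flag per category: a single blanket "I agree" cannot be expressed here.
    granted: dict = field(default_factory=dict)  # ConsentType -> bool

    def grant(self, ctype: ConsentType) -> None:
        self.granted[ctype] = True

    def has(self, ctype: ConsentType) -> bool:
        return self.granted.get(ctype, False)


# Hypothetical service definition: fields strictly necessary for contract
# performance versus optional extras, and which of those are sensitive.
REQUIRED_FIELDS = {"email", "password_hash"}
OPTIONAL_FIELDS = {"birthdate", "health_condition"}
SENSITIVE_FIELDS = {"health_condition"}


def can_process(consent: ConsentRecord, purpose: ConsentType, fields: set) -> tuple:
    """Return (allowed, reason). Each purpose needs its own consent, and
    sensitive fields additionally need the separate sensitive-data consent."""
    if not consent.has(purpose):
        return False, f"no separate consent for {purpose.value}"
    if fields & SENSITIVE_FIELDS and not consent.has(ConsentType.SENSITIVE):
        return False, "sensitive fields need separate sensitive-information consent"
    return True, "ok"


def admit_user(provided: dict, consent: ConsentRecord) -> tuple:
    """Anti-bundling rule: refuse service only when a contract-necessary field
    is missing. Optional fields are stored only with the matching consent and
    are otherwise dropped, never made a condition of access."""
    missing = REQUIRED_FIELDS - provided.keys()
    if missing:
        return False, {}, f"missing contract-necessary fields: {sorted(missing)}"
    kept = {k: provided[k] for k in REQUIRED_FIELDS}
    for name in OPTIONAL_FIELDS & provided.keys():
        allowed, _ = can_process(consent, ConsentType.COLLECTION_USE, {name})
        if allowed:
            kept[name] = provided[name]
    return True, kept, "ok"
```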
Data Subject Rights
PIPA grants individuals a comprehensive set of rights over their personal information. These rights have expanded significantly through the 2023 amendments and the 2025 data portability rules.
Right of Access
Data subjects may request access to the personal information held about them. The controller must respond within 10 days.
Right to Correction
Individuals may request correction of inaccurate personal information. The controller must not use the disputed data until the correction is made.
Right to Deletion
When the purpose of collection has been fulfilled or when consent is withdrawn, the data subject may request deletion. The controller must act without delay unless a legal retention obligation applies.
Right to Suspend Processing
Data subjects may demand that a controller stop processing their personal information. If the controller has a legitimate reason to continue processing (such as a legal obligation), it must notify the data subject of that reason.
Right to Data Portability (March 2025)
Effective March 13, 2025, individuals can request the transfer of their personal data to another service provider or receive it directly in a secure, machine-readable format. This right was introduced in the 2023 PIPA amendments with a phased implementation timeline.
Right to Opt Out of Automated Decision-Making
The 2023 amendments introduced a right to be excluded from significant decisions made solely through automated processing, including AI-driven decisions. The enforcement decree effective March 15, 2024, established detailed rules for how companies must implement this right, including qualification requirements for Chief Privacy Officers overseeing automated decision systems.
Pseudonymization Framework
PIPA includes a structured framework for pseudonymized data that balances privacy protection with data utility. Pseudonymized data is personal information that has been processed so that the individual cannot be identified without additional information, where that additional information is stored separately with technical and organizational safeguards.
Under the framework:
- Pseudonymized data may be used for statistical purposes, scientific research, or public archiving without the data subject's consent
- The organization must maintain strict separation between the pseudonymized dataset and the additional information needed to re-identify individuals
- Internal review committees must assess and approve pseudonymization processes
- Re-identification is prohibited and carries criminal penalties
- If pseudonymized data is inadvertently re-identified, the controller must immediately stop processing and notify the PIPC
This framework was a significant addition because it enabled Korean companies and research institutions to conduct data analytics and AI development using pseudonymized datasets without needing individual consent for each use.
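As an added example (not from the original guide), the following Python shows the separation the framework requires: the analytics dataset carries only keyed tokens, the "additional information" (HMAC key and token map) lives in a separate vault whose re-identification path is gated and logged, and a release check flags any direct identifier that slips through. Field names, the KeyVault class and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Direct identifiers that must never appear in the pseudonymized dataset.
DIRECT_IDENTIFIERS = {"name", "resident_registration_number", "email"}


@dataclass
class KeyVault:
    """The 'additional information': HMAC key plus token-to-identifier map, kept
    apart from the dataset and reachable only through an approval gate."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mapping: dict = field(default_factory=dict)  # token -> original identifier
    audit_log: list = field(default_factory=list)

    def token_for(self, identifier: str) -> str:
        # Keyed hash, so the token cannot be recomputed from the identifier alone.
        tok = hmac.new(self.key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self.mapping[tok] = identifier
        return tok

    def reidentify(self, token: str, committee_approved: bool) -> str:
        # Every attempt is logged; only a committee-approved request succeeds.
        self.audit_log.append((token, committee_approved))
        if not committee_approved:
            raise PermissionError("re-identification without approval is prohibited")
        return self.mapping[token]


def pseudonymize(records: list, vault: KeyVault, id_field: str = "resident_registration_number") -> list:
    """Return an analytics copy with direct identifiers replaced by a token
    that only the separately held vault can link back to a person."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject_token"] = vault.token_for(rec[id_field])
        out.append(pseudo)
    return out


def contains_direct_identifiers(records: list) -> bool:
    """Release gate: if True for data leaving the research environment, treat
    it as inadvertent re-identification, stop processing and notify the PIPC."""
    return any(DIRECT_IDENTIFIERS & rec.keys() for rec in records)


# Constructed sample records with fake values, not real personal data.
SAMPLE = [
    {"name": "Hong Gildong", "resident_registration_number": "900101-1234567",
     "email": "hong@example.com", "age_band": "30-39", "diagnosis_code": "J45"},
    {"name": "Kim Yeonghui", "resident_registration_number": "850505-2345678",
     "email": "kim@example.com", "age_band": "40-49", "diagnosis_code": "E11"},
]
```

Tokens are deterministic within one vault, so datasets pseudonymized under the same key can still be joined for research without exposing identifiers.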
Cross-Border Data Transfers
Transferring personal data out of South Korea is governed by strict rules under PIPA. The 2023 amendments introduced a more structured framework modeled in part on the GDPR's transfer mechanisms.
Lawful Transfer Mechanisms
Personal data may be transferred abroad if one of these conditions is met:
- Separate consent is obtained from the data subject, who must be informed of the recipient, destination country, purpose, and types of data
- Statutory or treaty basis exists for the transfer
- PIPC certification of the recipient's data protection measures (analogous to binding corporate rules or standard contractual clauses)
- Adequacy recognition from the PIPC that the recipient country provides sufficient data protection
Domestic Representative Requirement
As of the March 2025 enforcement decree amendments (fully effective October 2, 2025), foreign businesses that process personal information of individuals in South Korea must appoint a domestic representative. This representative handles privacy inquiries and regulatory communications on behalf of the foreign entity.
Sector-Specific Data Localization
While PIPA itself does not mandate blanket data localization, several sector-specific laws do:
- Financial data. The Electronic Financial Transactions Act requires that personal credit information and unique identification information processed through cloud computing must remain on servers located in South Korea. The Financial Services Commission enforces this requirement strictly.
- Healthcare data. The Medical Services Act prohibits storing electronic medical records outside Korea.
- Public sector cloud. The Act on Promotion of Cloud Computing requires physical network separation for cloud services serving government agencies, with data remaining onshore.
These sector rules create a de facto data localization regime for financial institutions, healthcare providers, and government contractors operating in South Korea.
EU Adequacy Decision
On December 17, 2021, the European Commission adopted an adequacy decision recognizing South Korea as providing an adequate level of data protection. This decision enables personal data to flow freely from the EU and European Economic Area to South Korea without requiring additional transfer safeguards such as standard contractual clauses.
The adequacy decision covers both commercial and regulatory data transfers. However, it does not apply to:
- Transfers of personal credit data to entities supervised by the Financial Services Commission
- Transfers to religious organizations
- Transfers to political parties
As part of the adequacy arrangement, South Korea agreed to additional safeguards for EU data subjects, including enhanced protections around government access to transferred data. These commitments are binding and enforceable by the PIPC and Korean courts.
The adequacy decision placed South Korea alongside Japan, New Zealand, and the United Kingdom as one of the few Asian jurisdictions recognized by the EU as providing equivalent data protection.
Penalties and Enforcement
PIPA's penalty structure has been significantly strengthened through successive amendments, culminating in the February 2026 overhaul that introduced revenue-based fines.
Administrative Fines
The current penalty framework (effective September 11, 2026, following the March 2026 promulgation) includes:
- Standard violations. Administrative fines of up to 3% of revenue related to the violation
- High-severity violations. Fines of up to 10% of total revenue where a company intentionally or with gross negligence commits and repeats a violation within three years, engages in conduct affecting 10 million or more individuals, or fails to comply with a PIPC corrective order
- CEO accountability. The 2026 amendment places personal supervisory liability on the CEO for systemic compliance failures
The law also permits fine reductions where companies demonstrate qualifying investments in privacy safeguards, including dedicated privacy staffing, budget allocations, and technical measures.
Criminal Penalties
PIPA maintains criminal sanctions alongside administrative fines:
- Up to 5 years imprisonment or KRW 50 million fine for ten categories of violations, including providing personal information to a third party without consent and knowingly receiving such information
- Up to 3 years imprisonment or KRW 30 million fine for three categories including unauthorized re-identification of pseudonymized data
- Up to 2 years imprisonment or KRW 20 million fine for five additional categories of violations
Data Breach Notification
Since the 2023 amendments, data breaches must be reported to the PIPC within 72 hours of discovery. Affected data subjects must also be notified. Failure to report can itself trigger enforcement action.
Notable Enforcement Actions
The PIPC has demonstrated a consistent willingness to impose substantial penalties on both domestic and foreign companies.
Meta (2022 and 2024)
Meta has been fined twice under PIPA. In 2022, the PIPC imposed a KRW 30.8 billion fine (approximately $22 million) for unauthorized behavioral data collection used for targeted advertising. In November 2024, Meta received an additional KRW 21.6 billion penalty after the PIPC found it had inferred users' religious beliefs and political views from on-platform activity to power its "ad topics" engine without obtaining separate explicit consent.
Google (2022)
The PIPC fined Google KRW 69.2 billion (approximately $50 million) for failing to obtain proper consent for behavioral data collection and for lacking transparency in its data processing policies.
Kakao Pay and Apple (January 2025)
In one of its most significant cross-border enforcement actions, the PIPC levied KRW 8.3 billion in combined penalties against Kakao Pay (KRW 5.9 billion) and Apple Distribution International Limited (KRW 2.4 billion). The investigation revealed that Kakao Pay had sent approximately 40 million users' data to Alipay, which used it to build credit scoring algorithms for Apple Pay without adequate notice or consent. The PIPC ordered Alipay to delete both the transferred data and the algorithm built from it.
Golfzon (May 2024)
The PIPC imposed a KRW 7.5 billion penalty (approximately $5.2 million) on Golfzon following a data breach. This represented the largest penalty imposed on a domestic Korean company at the time.
DeepSeek (2025)
In February 2025, DeepSeek voluntarily withdrew from South Korean app stores after PIPC investigators detected unauthorized API calls to ByteDance servers. In April 2025, the PIPC issued a corrective order requiring DeepSeek to halt unlawful cross-border transfers, delete previously exported data, publish a Korean-language privacy policy, and undergo follow-up compliance audits.
Key Differences Between PIPA and GDPR
While PIPA and the GDPR share structural similarities, several important differences exist:
| Area | PIPA (South Korea) | GDPR (EU) |
|---|---|---|
| Consent granularity | Requires separate consent for each processing purpose | Allows broader legitimate interest basis |
| Sensitive data scope | Includes ideology, political party membership, labor union status | Focuses on racial, ethnic, biometric, health data |
| Consent for marketing | Always requires separate opt-in consent | Allows soft opt-in for existing customers in some cases |
| Maximum fine (2026) | Up to 10% of total revenue | Up to 4% of global annual turnover or EUR 20 million |
| Criminal penalties | Yes, up to 5 years imprisonment | Generally no (left to member states) |
| Breach notification | 72 hours to PIPC | 72 hours to supervisory authority |
| Data portability | Effective March 2025 | Effective since May 2018 |
| Pseudonymization | Explicit statutory framework | Referenced but not separately codified |
| Resident representative | Required for foreign processors (October 2025) | Required for non-EU controllers/processors |
The most significant practical difference is consent. PIPA's requirement for separate, explicit consent for each processing category means that businesses cannot rely on the broader "legitimate interest" basis that the GDPR provides. This makes PIPA compliance more operationally demanding for most organizations.
Compliance Checklist for Organizations
Organizations processing personal data in South Korea should address these requirements:
- Privacy policy. Publish a clear, Korean-language privacy policy that specifies all processing purposes, data categories, retention periods, and third-party recipients
- Consent architecture. Implement separate consent mechanisms for collection, third-party sharing, sensitive data, cross-border transfers, and marketing
- Chief Privacy Officer. Appoint a qualified CPO who meets the credential requirements specified in the 2024 enforcement decree
- Data breach response plan. Establish a 72-hour notification process for both the PIPC and affected individuals
- Cross-border transfer safeguards. If transferring data abroad, ensure a lawful transfer mechanism is in place
- Domestic representative. Foreign companies must appoint a Korean domestic representative by October 2, 2025
- Pseudonymization controls. If using pseudonymized data for research or statistics, establish separation controls and an internal review committee
- Automated decision-making disclosure. If using AI or automated profiling for significant decisions, implement opt-out mechanisms and human review processes
- Retention and deletion. Implement automated processes to delete personal information once the specified retention period expires
- Security measures. Deploy access controls, encryption, and monitoring systems proportionate to the volume and sensitivity of data processed