South Korea Data Privacy Laws: PIPA Compliance Guide (2026)

South Korea's data privacy is governed by the Personal Information Protection Act (PIPA), enacted March 29, 2011, and enforced by the Personal Information Protection Commission (PIPC). PIPA applies to every entity that processes personal data in South Korea and, under a March 2026 amendment, authorizes fines up to 10% of total revenue for serious violations.
South Korea has built one of the most rigorous data privacy regimes in the Asia-Pacific region. The Personal Information Protection Act, known as PIPA, governs how organizations collect, use, store, and transfer personal information. It applies to every entity that processes personal data within South Korea, regardless of whether that entity is a government agency, a private company, or a foreign business with operations touching Korean users.
This guide covers the current state of PIPA as of 2026, including the landmark amendments that have reshaped enforcement and penalties, and the record fines that signal a new era of regulatory seriousness.
What Is PIPA and Who Does It Apply To
PIPA (the Personal Information Protection Act) was enacted on March 29, 2011, and took effect on September 30, 2011. It serves as South Korea's general data protection law, covering all personal information processors in both the public and private sectors.
The law defines "personal information" broadly. It includes any information that can identify a living individual, whether directly or when combined with other data. Names, resident registration numbers, images, biometric information, IP addresses, and location data all fall within this definition.
PIPA applies to:
- South Korean companies and government agencies
- Foreign companies that process personal data of individuals in South Korea
- Data processors acting on behalf of personal information controllers
- Online and offline entities alike (the 2023 amendments harmonized standards that previously differed)
Since the 2023 amendments, there is no longer a separate regulatory track for online service providers. Every personal information processor is subject to the same rules under PIPA.
The Personal Information Protection Commission (PIPC)
The PIPC is South Korea's independent data protection authority. Established as a central administrative agency under the Prime Minister's Office, the PIPC was elevated to full regulatory authority in August 2020 when functions previously held by the Korea Communications Commission and the Ministry of the Interior were consolidated under it.

The PIPC has the power to:
- Investigate data processing practices of any entity
- Issue corrective orders and improvement recommendations
- Impose administrative fines (up to 10% of revenue under the 2026 amendment)
- Refer criminal cases to prosecutors
- Publish enforcement decisions and name violators
- Approve cross-border data transfer mechanisms
- Grant outbound adequacy recognitions for foreign jurisdictions
The PIPC has signaled six strategic priorities for 2025 and beyond: adapting the personal data framework for AI, building foundations for innovation in new industries, securing leadership in global data governance, driving the data portability era, strengthening its central authority role, and building comprehensive safety nets for data protection.
The 2020 Data Three Laws Reform
The foundation of modern Korean data protection was laid in January 2020, when the National Assembly passed amendments to three data-related laws at once. These became known as the "data three laws" reform.
The three laws amended were PIPA, the Act on Promotion of Information and Communications Network Utilization and Information Protection (Network Act), and the Act on Use and Protection of Credit Information (Credit Information Act). The reforms came into force on August 5, 2020.
The package accomplished three things. First, it consolidated enforcement authority. Regulatory powers had been fragmented across the Korea Communications Commission, the Ministry of the Interior and Safety, and other agencies. The 2020 reform centralized data protection enforcement under the newly empowered PIPC. Second, it introduced the pseudonymization framework. Korean law for the first time created a formal legal category for pseudonymized data, allowing its use for statistical purposes, scientific research, and public archiving without individual consent. Third, it eliminated the separate online track. The Network Act's personal information provisions were folded into PIPA, ending the long-standing regulatory bifurcation between online and offline data handling.
The 2020 reform was widely seen as South Korea modernizing its data law to attract international data partnerships and set the groundwork for the EU adequacy decision.
The 2023 PIPA Amendment
On February 27, 2023, the National Assembly passed a comprehensive amendment to PIPA that took effect on September 15, 2023. A supplemental enforcement decree took effect on March 15, 2024.
The 2023 amendment made several significant changes:
New data subject rights. The amendment added a right to data portability and a right to opt out of automated decision-making. The portability right became effective on March 13, 2025. The automated decision-making opt-out took effect on September 15, 2024.
Harmonized breach notification. The 2023 amendment eliminated the previous dual-track system where online providers had only 24 hours while offline controllers had 5 days. All personal information controllers are now subject to a uniform 72-hour notification requirement for both regulators and affected data subjects.
Cross-border transfer framework. The 2023 amendment introduced a structured set of lawful transfer mechanisms modeled on the GDPR, replacing a patchwork of consent-heavy rules with a clearer set of pathways.
Replacement of criminal sanctions with administrative fines for certain violations. Some violations that previously carried criminal penalties were converted to administrative fines, reducing the risk of over-criminalization while maintaining deterrence.
CPO qualification requirements. The enforcement decree effective March 15, 2024, established specific credential requirements for Chief Privacy Officers and introduced rules for AI-facilitated automated decisions.
The March 2026 PIPA Amendment
The most consequential update to PIPA since the 2023 overhaul was passed by the National Assembly on February 12, 2026, and promulgated on March 10, 2026. Most provisions take effect on September 11, 2026. The ISMS-P certification mandate takes effect on July 1, 2027.
This amendment has three main pillars: higher penalties, CEO accountability, and investment incentives.
New Penalty Ceiling: Up to 10% of Total Revenue
The existing 3% revenue-based fine remains the baseline for standard violations. The 2026 amendment adds a higher tier that can reach 10% of a company's total revenue. This elevated ceiling applies in three circumstances:
- A company intentionally or with gross negligence commits a violation and then repeats it within three years
- A single incident involves intentional or grossly negligent conduct affecting 10 million or more data subjects
- A company fails to comply with a formal PIPC corrective order, and a breach results
For context, a 10% of total revenue fine would represent a materially larger exposure for large corporations than the pre-2026 framework. The PIPC's record fine against SK Telecom in August 2025 -- KRW 134.7 billion under the prior regime -- signals how the regulator will use an even larger ceiling.
CEO and Board Accountability
The 2026 amendment makes the CEO (or business owner/representative director) the ultimate responsible person for the organization's data protection compliance. For organizations above a scale threshold to be defined by enforcement decree, appointing, reassigning, or removing the Chief Privacy Officer now requires a formal board resolution and must be reported directly to the PIPC.
The CPO must manage specialist privacy staff, control an adequate budget, and report directly to both the CEO and the board. The previous SK Telecom case illustrated exactly the problem the law targets: the PIPC found that SK Telecom had limited its CPO's role to IT services only, leaving telecom infrastructure entirely outside privacy oversight.
Privacy Investment Incentives
The 2026 amendment provides a reduction mechanism for companies that invest in privacy. When a violation is not caused by intent or gross negligence, the PIPC is required to reduce the penalty for organizations that can demonstrate verified investment in privacy, covering dedicated budget, qualified personnel, equipment, and systems. Specific reduction formulas will be set by presidential decree.
Expanded Breach Notification Scope
The 2026 amendment broadens what counts as a notifiable incident. Previously, only loss, theft, and leakage of personal information triggered notification obligations. Under the new rules, forgery, alteration, and damage to personal information are also covered, including cases linked to ransomware attacks. Organizations must also notify when they discover a meaningful possibility of an incident, even before the breach is confirmed.
Mandatory ISMS-P Certification
From July 1, 2027, designated large-scale data controllers must obtain and maintain certification under the Information Security and Personal Information Management System (ISMS-P) standard. This is a combined security and privacy certification administered by the Korea Internet and Security Agency (KISA).
Consent Requirements Under PIPA
PIPA's consent framework is more granular and demanding than most international equivalents, including the GDPR. South Korean law does not allow a single blanket consent checkbox to cover all data processing activities.
Types of Consent
PIPA distinguishes between several categories that each require their own consent:
Collection and use consent. Required for the initial gathering and processing of personal information. The controller must specify the purpose, types of data collected, retention period, and the right to refuse.
Third-party provision consent. Separate consent is needed before sharing personal data with any third party. The data subject must be told who will receive the data, why, and what data will be shared.
Sensitive information consent. Processing of sensitive categories requires explicit, separate consent. This includes data relating to ideology, beliefs, labor union or political party membership, political opinions, health, sex life, genetic information, criminal history, biometric identifiers, and race or ethnicity.
Cross-border transfer consent. Transferring personal data outside South Korea requires separate consent unless an exception applies. Since September 16, 2025, transfers to EU countries no longer require this consent under the mutual adequacy arrangement.
Marketing and advertising consent. Using personal data for marketing purposes requires its own distinct consent.
The 2024 Anti-Bundling Rule
The enforcement decree that took effect on March 15, 2024, made explicit what regulators had long expected: companies may collect data without consent only when strictly necessary for contract performance. No bundled or coercive terms are permitted in privacy notices. If a service can function without certain data, consent for that data cannot be made a condition of accessing the service.
Legal Bases Beyond Consent
PIPA does permit limited processing without consent in specific circumstances: when required by statute or treaty, when necessary for contract performance, when necessary to protect life or safety, and when processing publicly available data under the legitimate interests provision. The PIPC's August 2025 generative AI guidelines confirmed that the legitimate interests basis can be used for processing publicly available personal data to train AI models, provided the organization implements adequate safeguards including source verification, data contamination prevention, and output filters.
Data Subject Rights
PIPA grants individuals a comprehensive set of rights over their personal information.
Right of Access. Data subjects may request access to the personal information held about them. The controller must respond within 10 days.
Right to Correction. Individuals may request correction of inaccurate personal information. The controller must not use the disputed data until the correction is made.
Right to Deletion. When the purpose of collection has been fulfilled or when consent is withdrawn, the data subject may request deletion. The controller must act without delay unless a legal retention obligation applies.
Right to Suspend Processing. Data subjects may demand that a controller stop processing their personal information. If the controller has a legitimate reason to continue, it must notify the data subject of that reason.
Right to Data Portability. Effective March 13, 2025, individuals can request the transfer of their personal data to another service provider or receive it directly in a secure, machine-readable format. This right mirrors GDPR portability rights.
Right to Opt Out of Automated Decision-Making. The 2023 amendments introduced a right to be excluded from significant decisions made solely through automated processing, including AI-driven decisions. The enforcement decree effective March 15, 2024, established detailed rules for how companies must implement this right, including the obligation to offer human review on request.
Statutory Damages. Korean courts have clarified that statutory damages for PIPA violations require demonstrated harm. A 2025 judicial ruling established that mental distress must be established by evidence, rejecting the argument that breach victims are automatically entitled to compensation simply because a breach occurred.
Pseudonymization Framework
PIPA includes a structured framework for pseudonymized data that balances privacy protection with data utility. Pseudonymized data is personal information that has been processed so that the individual cannot be identified without additional information stored separately with technical and organizational safeguards.
Under the framework:
- Pseudonymized data may be used for statistical purposes, scientific research, or public archiving without the data subject's consent
- The organization must maintain strict separation between the pseudonymized dataset and the re-identification key
- Internal review committees must assess and approve pseudonymization processes
- Re-identification is prohibited and carries criminal penalties
- If pseudonymized data is inadvertently re-identified, the controller must immediately stop processing and notify the PIPC
A 2025 court decision confirmed that data subjects cannot request suspension of pseudonymization processes under Article 28-2 of PIPA. The right to suspend processing does not extend to lawful pseudonymization activities.
This framework enables Korean companies and research institutions to conduct data analytics and AI development using pseudonymized datasets without needing individual consent for each use -- a significant practical advantage for the data economy.
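As an added illustration of the separation the framework requires (not code from the original guide or from any Korean regulator), the following Python keeps the research dataset apart from the key and re-identification table that can map pseudonyms back, and gates release on the absence of direct identifiers. The record layout, column names and resident registration numbers are constructed placeholders.

```python
"""Keyed pseudonymization with re-identification material held separately.
Added illustration of the PIPA pseudonymization framework; all records below
are constructed sample data, not real people or real identifiers."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Direct identifiers that must stay on the controller's side.
# "rrn" stands for resident registration number (placeholder values only).
DIRECT_IDENTIFIERS = ("name", "rrn")

# Constructed sample records (fabricated values).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Kim A", "rrn": "000000-0000001", "age_band": "30s", "diagnosis": "J45"},
    {"name": "Lee B", "rrn": "000000-0000002", "age_band": "40s", "diagnosis": "E11"},
    {"name": "Kim A", "rrn": "000000-0000001", "age_band": "30s", "diagnosis": "J30"},
]


def new_pseudonymization_key() -> bytes:
    """Secret key for the keyed hash. Together with the re-identification table
    it is the 'additional information' that must be stored separately from the
    pseudonymized dataset, under its own technical and organizational controls."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, rrn: str) -> str:
    """Deterministic, key-dependent pseudonym. The same person maps to the same
    value under one key, so records stay linkable for research, while the key
    prevents the enumeration attack that an unkeyed hash of a structured number
    such as an RRN would allow."""
    return hmac.new(key, rrn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(
    records: List[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, Dict[str, str]]]:
    """Split each record into the dataset handed to analysts and the
    re-identification table that stays with the controller under access control."""
    dataset: List[Dict[str, str]] = []
    reident_table: Dict[str, Dict[str, str]] = {}
    for rec in records:
        pid = pseudonym(key, rec["rrn"])
        reident_table[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym_id"] = pid
        dataset.append(out)
    return dataset, reident_table


def leaked_direct_identifiers(dataset: List[Dict[str, str]]) -> List[str]:
    """Release gate: direct-identifier columns still present in a dataset about
    to leave the controlled environment (empty list means clean)."""
    leaked = set()
    for rec in dataset:
        leaked.update(k for k in rec if k in DIRECT_IDENTIFIERS)
    return sorted(leaked)


def release(dataset: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Refuse to release a dataset that still carries direct identifiers: such a
    dataset is not pseudonymized and cannot rely on the consent exception."""
    leaked = leaked_direct_identifiers(dataset)
    if leaked:
        raise ValueError(f"direct identifiers present in release candidate: {leaked}")
    return dataset


def records_per_subject(dataset: List[Dict[str, str]]) -> Dict[str, int]:
    """Utility retained for statistics: records of one subject share a pseudonym."""
    counts: Dict[str, int] = {}
    for rec in dataset:
        counts[rec["pseudonym_id"]] = counts.get(rec["pseudonym_id"], 0) + 1
    return counts


if __name__ == "__main__":
    key = new_pseudonymization_key()
    dataset, table = pseudonymize(SAMPLE_RECORDS, key)
    print(release(dataset))           # no name or rrn columns
    print(records_per_subject(dataset))  # two subjects, one with two records
```

Pseudonymizing the same records under a second key yields unrelated pseudonyms, so datasets produced for different projects cannot be joined unless the controller deliberately shares a key.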
Cross-Border Data Transfers

Transferring personal data out of South Korea is governed by strict rules under PIPA. The 2023 amendments introduced a more structured framework modeled in part on the GDPR's transfer mechanisms.
Lawful Transfer Mechanisms
Personal data may be transferred abroad if one of these conditions is met:
- Separate consent is obtained from the data subject, who must be informed of the recipient, destination country, purpose, and types of data
- Statutory or treaty basis exists for the transfer
- PIPC certification of the recipient's data protection measures (analogous to binding corporate rules)
- Adequacy recognition from the PIPC that the recipient country provides sufficient data protection
Domestic Representative Requirement
As of October 2, 2025, foreign businesses that process personal information of individuals in South Korea must appoint a domestic representative. This representative handles privacy inquiries and regulatory communications on behalf of the foreign entity.
Sector-Specific Data Localization
While PIPA itself does not mandate blanket data localization, several sector-specific laws do:
Financial data. The Electronic Financial Transactions Act requires personal credit information and unique identification information processed through cloud computing to remain on servers located in South Korea. The Financial Services Commission enforces this requirement strictly.
Healthcare data. The Medical Services Act prohibits storing electronic medical records outside Korea.
Public sector cloud. The Act on Promotion of Cloud Computing requires physical network separation for cloud services serving government agencies, with data remaining onshore.
These sector rules create a de facto data localization regime for financial institutions, healthcare providers, and government contractors operating in South Korea.
The EU-Korea Mutual Adequacy Arrangement
The EU-Korea data transfer relationship has become fully bilateral, which is unusual among global adequacy frameworks.
Inbound: EU Adequacy Decision for Korea (December 2021)
On December 17, 2021, the European Commission adopted an adequacy decision recognizing South Korea as providing an adequate level of data protection. This enables personal data to flow freely from the EU and EEA to South Korea without requiring additional transfer safeguards such as standard contractual clauses.
The adequacy decision covers both commercial and regulatory data transfers but excludes transfers of personal credit data to entities supervised by the Financial Services Commission, transfers to religious organizations, and transfers to political parties.
As part of the adequacy arrangement, South Korea agreed to enhanced safeguards for EU data subjects, including protections around government access to transferred data and binding redress mechanisms for EEA data subjects in the event of unlawful government requests.
Outbound: Korea Recognizes EU Adequacy (September 2025)
On September 16, 2025, the PIPC completed the reciprocal step by formally recognizing the EU's personal data protection framework as equivalent to PIPA. The joint announcement was issued by European Commissioner Michael McGrath and PIPC Chairperson Haksoo Ko.
The practical effect is that Korean personal information controllers may now transfer personal data to any of the 27 EU Member States and the 3 EEA countries without obtaining the separate consent that PIPA would otherwise require for cross-border transfers. The recognition excludes resident registration numbers and personal credit information.
The mutual adequacy arrangement is subject to review before it expires on December 15, 2028.
This makes the EU-Korea channel one of the most friction-free cross-border data transfer routes in the world, with regulatory recognition flowing in both directions.
Breach Notification Rules
The 2023 PIPA amendment standardized breach notification at 72 hours for all data controllers, replacing the previous divergent timelines (24 hours for online providers, 5 days for offline processors).
Current Requirements
Upon discovering a data breach, a personal information controller must:
- Notify affected data subjects within 72 hours. The notification must include what happened, what types of information were affected, what the controller is doing about it, and what recourse options are available.
- Report to the PIPC within 72 hours if the breach involves personal information of 1,000 or more data subjects, sensitive information, unique identification numbers, or results from unauthorized external access.
March 2026 Expansion
The March 2026 amendment expands what triggers notification. Forgery, alteration, and damage to personal information now trigger the same requirements as loss, theft, and leakage. Organizations must also notify when they become aware of a meaningful possibility of an incident, without waiting for complete confirmation.
The SK Telecom case illustrated the cost of notification failures: the PIPC cited the carrier's failure to report the breach within 72 hours as a specific violation, imposing a separate KRW 9.6 million administrative fine for that failure alone.
AI Governance
South Korea has been among the most proactive jurisdictions in addressing the intersection of data protection and artificial intelligence.
AI Framework Act
South Korea enacted its Framework Act on Artificial Intelligence Development and Trustworthiness on January 21, 2025. The Act, which took effect in January 2026, establishes a risk-tiered approach to AI regulation. High-impact AI systems in critical sectors such as healthcare, energy, and public services face specific obligations. Certain generative AI applications require mandatory labeling. The PIPC coordinates enforcement where AI systems intersect with personal data processing.
PIPC Generative AI Guidelines
On August 6, 2025, the PIPC released its Guidelines for Personal Data Processing for the Development and Utilization of Generative AI. These guidelines address a central compliance question: under what legal basis can companies process personal data to train AI models?
The guidelines confirm that PIPA Article 15(1)(vi), the legitimate interests provision, can serve as the legal basis for processing publicly available data for AI training. Under this clarification, individual consent is not required from each data subject whose public information is included in a training dataset. However, the basis comes with conditions: organizations must verify data sources, prevent data contamination, implement output filters, and maintain documentation of the legitimate interest assessment.
The PIPC also confirmed that automated decision-making opt-out rights apply to AI-generated decisions that significantly affect individuals, and that organizations must explain their automated processes to data subjects who request human review.
Penalties and Enforcement
PIPA's penalty structure has been significantly strengthened through successive amendments, culminating in the March 2026 overhaul.
Administrative Fine Structure
The current framework (post-September 11, 2026) includes two tiers:
- Standard violations. Administrative fines of up to 3% of revenue related to the violation.
- High-severity violations. Fines of up to 10% of total revenue where a company intentionally or with gross negligence repeats a violation within three years, affects 10 million or more individuals under those conditions, or fails to comply with a PIPC corrective order and a breach results.
Fine reductions are available for organizations that demonstrate qualifying investments in privacy safeguards.
Criminal Penalties
PIPA maintains criminal sanctions alongside administrative fines:
- Up to 5 years imprisonment or KRW 50 million fine for ten categories of violations, including providing personal information to a third party without consent
- Up to 3 years imprisonment or KRW 30 million fine for three categories including unauthorized re-identification of pseudonymized data
- Up to 2 years imprisonment or KRW 20 million fine for five additional categories
PIPC Enforcement Record
The PIPC has demonstrated consistent willingness to impose substantial penalties on both domestic and foreign companies. Enforcement has accelerated markedly since 2022.
Google. The PIPC fined Google KRW 69.2 billion (approximately $50 million) for failing to obtain proper consent for behavioral data collection and for lacking transparency in its data processing policies.
Meta (2022). The PIPC imposed a KRW 30.8 billion fine (approximately $22 million) for unauthorized behavioral data collection used for targeted advertising.
Golfzon (May 2024). The PIPC imposed a KRW 7.5 billion penalty following a breach affecting 2.21 million users. At the time, this was the largest domestic Korean fine on record.
Chinese e-commerce platform (July 2024). A KRW 2 billion penalty was imposed for failing to obtain consent for overseas transfers and failing to include data protection terms in seller agreements.
Meta (November 2024). The PIPC imposed a KRW 21.6 billion penalty after finding that Meta had inferred users' religious beliefs and political views from on-platform activity to power its ad topics engine, without obtaining separate explicit consent for sensitive data processing.
Kakao Pay and Apple (January 2025). The PIPC levied KRW 5.9 billion on Kakao Pay and KRW 2.4 billion on Apple Distribution International Limited after finding that Kakao Pay had sent approximately 40 million users' data to Alipay, which used it to build credit scoring algorithms for Apple Pay without adequate notice or consent. The PIPC ordered Alipay to delete both the transferred data and the AI algorithm built from it.
DeepSeek (2025). In February 2025, DeepSeek voluntarily withdrew from South Korean app stores after PIPC investigators detected unauthorized API calls to ByteDance servers. In April 2025, the PIPC issued a corrective order requiring DeepSeek to halt unlawful cross-border transfers, delete previously exported data, publish a Korean-language privacy policy, and undergo follow-up compliance audits.
Louis Vuitton, Dior, and Tiffany (2025). The PIPC imposed combined fines of approximately KRW 36 billion ($25 million) against the Korean subsidiaries of three LVMH luxury brands. The breaches involved hackers exploiting weak SaaS access controls to expose the data of over 5.5 million customers. Louis Vuitton received approximately KRW 22.7 billion after a malware infection exposed 3.6 million customers' records. Christian Dior received approximately KRW 13 billion after a phishing attack exposed 1.95 million records. Tiffany received approximately KRW 2.5 billion after a voice-phishing attack exposed 4,600 records.
SK Telecom (August 2025). The PIPC imposed a KRW 134.7 billion penalty (approximately $97 million) against SK Telecom after a hacking incident exposed SIM authentication keys for approximately 23.2 million mobile subscribers. The investigation found that SK Telecom had linked its internet, management, and internal networks without restricting external access; failed to encrypt 26.1 million SIM authentication keys; ignored intrusion detection logs; did not apply available security patches; and had limited the CPO's role to IT services, leaving telecom infrastructure outside privacy oversight. This is the largest monetary penalty ever imposed for a data breach in South Korea. SK Telecom has challenged the fine in the Seoul Administrative Court.
Key Differences Between PIPA and GDPR
While PIPA and the GDPR share structural similarities, several important differences exist:
| Area | PIPA (South Korea) | GDPR (EU) |
|---|---|---|
| Consent granularity | Requires separate consent for each processing purpose | Allows broader legitimate interest basis |
| Sensitive data scope | Includes ideology, political party membership, labor union status | Focuses on racial, ethnic, biometric, health data |
| Consent for marketing | Always requires separate opt-in consent | Allows soft opt-in for existing customers in some cases |
| Maximum fine (2026) | Up to 10% of total revenue | Up to 4% of global annual turnover or EUR 20 million |
| Criminal penalties | Yes, up to 5 years imprisonment | Generally no (left to member states) |
| Breach notification | 72 hours to PIPC | 72 hours to supervisory authority |
| Data portability | Effective March 2025 | Effective since May 2018 |
| Pseudonymization | Explicit statutory framework | Referenced but not separately codified |
| Resident representative | Required for foreign processors (October 2025) | Required for non-EU controllers/processors |
The most significant practical difference is consent. PIPA's requirement for separate, explicit consent for each processing category means that businesses cannot rely on the broader legitimate interest basis that the GDPR provides for most general commercial processing activities.
Compliance Checklist for Organizations
Organizations processing personal data in South Korea should address these requirements:
- Privacy policy. Publish a clear, Korean-language privacy policy that specifies all processing purposes, data categories, retention periods, and third-party recipients.
- Consent architecture. Implement separate consent mechanisms for collection, third-party sharing, sensitive data, cross-border transfers, and marketing.
- Chief Privacy Officer. Appoint a qualified CPO who meets the credential requirements from the 2024 enforcement decree. Under the 2026 amendment, qualifying organizations must obtain board approval for CPO appointments and report changes to the PIPC.
- Data breach response plan. Establish a 72-hour notification process for both the PIPC and affected individuals. Under the 2026 rules, extend this plan to cover ransomware, forgery, alteration, and potential incidents.
- Cross-border transfer safeguards. If transferring data abroad, ensure a lawful transfer mechanism is in place. Transfers to EU countries are consent-free under the September 2025 mutual adequacy arrangement.
- Domestic representative. Foreign companies must appoint a Korean domestic representative (required from October 2, 2025).
- Pseudonymization controls. If using pseudonymized data for research or statistics, establish separation controls and an internal review committee.
- Automated decision-making disclosure. If using AI or automated profiling for significant decisions, implement opt-out mechanisms and human review processes.
- Retention and deletion. Implement automated processes to delete personal information once the specified retention period expires.
- Security measures. Deploy access controls, encryption, and monitoring systems proportionate to the volume and sensitivity of data processed. The SK Telecom record fine illustrates that basic failures such as unencrypted authentication keys and ignored intrusion logs carry enormous liability.
- ISMS-P certification. Large-scale data controllers should begin the certification process in advance of the July 1, 2027 mandatory deadline.
- Privacy investment documentation. Under the 2026 amendment, organizations that can document qualifying privacy investments can reduce fines for non-intentional violations. Build that record now.
Frequently Asked Questions
Does PIPA apply to foreign companies that are not based in South Korea?
Yes. PIPA applies to any entity that processes personal information of individuals located in South Korea, regardless of where the company is headquartered. Foreign businesses must appoint a domestic representative in Korea by October 2, 2025, to handle privacy matters and regulatory communications. The PIPC has fined both US and Chinese companies for PIPA violations.
What is the maximum fine under PIPA after the March 2026 amendment?
The March 2026 amendment (effective September 11, 2026) authorizes administrative fines of up to 10% of a company's total revenue for high-severity violations. This applies where a company intentionally or with gross negligence repeats a violation within three years, affects 10 million or more individuals under those conditions, or fails to comply with a PIPC corrective order and a breach results. Standard violations can still result in fines up to 3% of related revenue. Criminal penalties of up to 5 years imprisonment also remain in effect for the most serious violations.
How does the EU-Korea mutual adequacy arrangement affect data transfers?
The arrangement works in both directions. Since December 17, 2021, personal data can flow freely from the EU and EEA to South Korea without additional safeguards like standard contractual clauses. On September 16, 2025, South Korea completed the reverse: Korean controllers may now transfer personal data to the 27 EU Member States and 3 EEA countries without separate consent. Both recognitions have exclusions -- personal credit data, religious organizations, and political parties on the EU side; resident registration numbers and personal credit information on the Korean side. The mutual arrangement expires December 15, 2028 absent renewal.
What makes PIPA's consent requirements stricter than GDPR?
PIPA requires separate, explicit consent for each distinct processing purpose: collection, third-party sharing, sensitive data processing, marketing, and cross-border transfers. Unlike the GDPR, PIPA does not provide a broad legitimate interest basis that allows processing without consent for general commercial purposes. The 2024 anti-bundling rule further prohibits making service access conditional on consent for data that is not strictly necessary for the service.
Are there data localization requirements in South Korea?
PIPA itself does not mandate blanket data localization, but sector-specific laws do. The Electronic Financial Transactions Act requires personal credit information processed via cloud computing to remain on servers in South Korea. The Medical Services Act prohibits storing electronic medical records overseas. Public sector cloud services must maintain physically separate networks with data stored domestically. General commercial data can be transferred abroad with proper consent or other lawful mechanisms.
What CEO accountability obligations does the March 2026 PIPA amendment introduce?
The March 2026 amendment designates the CEO or representative director as the ultimate responsible person for data protection compliance. For organizations above thresholds to be set by enforcement decree, appointing, reassigning, or removing the Chief Privacy Officer must be approved by a formal board resolution and reported to the PIPC. The CPO must report directly to the CEO and the board and must manage dedicated privacy personnel and budget. Personal supervisory liability attaches to the CEO for systemic compliance failures.