
South Korea

Spotlight on South Korea

Author: aosphere

17 April 2026


Area: Data privacy


South Korea’s data privacy framework: High level overview

South Korea has a comprehensive and restrictive data privacy regime, centred around the Personal Information Protection Act (PIPA). PIPA regulates the entire lifecycle of personal data, from collection and use to delegation or third-party transfer, and finally to destruction, which must be prompt and irreversible once the purpose is fulfilled. PIPA is primarily consent-based, although there are very detailed requirements for valid consent and limited alternatives, in contrast to other data privacy laws such as the EU GDPR.

New AI Law

South Korea’s new AI law (The “Framework Act on the Development of Artificial Intelligence and Establishment of Foundation for Reliability”) came into effect in January 2026, with a focus on promoting AI development. The AI law is described by local counsel as ‘largely promotional’, with administrative fines capped at KRW 30 million (approx. $20,000) per violation. The new law includes requirements for advanced notifications, labelling, and implementation of safety measures for AI service providers, developers, and deployers. Overseas AI providers must appoint a domestic agent in South Korea if they lack a local presence, mirroring requirements under PIPA for overseas organisations processing personal data of South Koreans.

High profile data breaches and regulatory changes in 2025/26

In 2025 there was a series of high-profile data breaches and cyber-attacks in South Korea, notably the Coupang incident. This has directly led to amendments to PIPA (generally to come into effect from September 2026), which will result in increased potential fines, CEO accountability, enhanced reporting requirements (e.g. to include suspicion of a breach) and greater powers of oversight and enforcement for the PIPC.

Cybersecurity framework and the Network Act

In addition, amendments to the Network Act (which applies to almost all companies operating online in South Korea) will also come into effect in September 2026. The amendments will expand the investigative powers of the government, strengthen the role and responsibility of the CISO, establish new legal bases for imposing administrative fines and enforcement penalties, and emphasise the roles and responsibilities of companies regarding information security. In particular, the amendments will introduce the potential for higher fines and a requirement to notify the Korea Internet Security Agency (KISA) within 24 hours of knowledge (and affected individuals without delay) of an external hacking incident involving Korean data subjects.

Practical compliance recommendations, particularly for overseas companies

In conclusion, given the recent changes in the regulatory landscape, it is recommended that overseas companies operating in South Korea take a number of practical steps, including:

  • review security arrangements and incident response plans

    • in the light of upcoming amendments and new regulatory powers, including proactive investigations and global server searches

  • ensure the appointment of a domestic agent and comply with PIPA

    • regardless of local presence, due to PIPA’s broad jurisdiction

  • review privacy notices

    • consider the need for a South Korea specific notice (or addendum) to meet local requirements and nuances

  • ensure consent forms meet South Korean formatting and disclosure requirements

    • including explicit purposes, retention periods, and proper sectioning

  • monitor regulatory developments

    • it is likely that further regulations, guidelines (which may function as de facto rules and be used as standards during audits), and enforcement decrees will be issued in the short term, which may impact compliance standards
