Data protection & privacy laws in South Korea (2026)
South Korea has a comprehensive, GDPR-style data protection regime centered on the Personal Information Protection Act (PIPA), which applies across public and private sectors. It is supervised and enforced by the Personal Information Protection Commission (PIPC), a ministerial-level independent authority re-established in 2020. Major amendments effective September 2023 modernized the law, and the EU granted South Korea an adequacy decision in December 2021, recognizing its protections as essentially equivalent to the GDPR.
Key points
PIPA is a cross-sectoral law governing the collection, use, processing and transfer of personal information by both public bodies and private organizations; a January 2020 overhaul (effective August 2020) consolidated the framework, and a further major amendment took effect on 15 September 2023.
The Personal Information Protection Commission (PIPC) is an independent, ministerial-level central administrative agency reporting to the Prime Minister, comprising nine commissioners; it sets policy, investigates violations, issues dispositions, handles complaints and dispute mediation, and enforces PIPA nationwide.
PIPA grants rights to access, correct, delete and suspend processing of personal data, plus consent withdrawal; the 2023 amendment added a right to data portability (phased in from 2025) and the right to object to or seek explanation of fully automated decisions, including AI-driven processing.
Processing generally requires explicit, informed consent, with limited statutory exceptions. The amended PIPA broadened legal bases for overseas transfers (treaties, PIPC certification, or transfer to jurisdictions PIPC deems to have adequate protection) and empowers the PIPC to halt non-compliant cross-border transfers.
On 17 December 2021 the European Commission adopted an adequacy decision for South Korea, allowing personal data to flow from the EU/EEA without additional safeguards; it excludes credit data supervised by the Financial Services Commission and data transferred to religious organizations or political parties.
The PIPC can impose administrative fines and corrective orders. A 2025 reform requires foreign businesses targeting Korean users to appoint a local representative (effective October 2025), and a February 2026 amendment introduces fines of up to 10% of total revenue for severe breaches and assigns CEO-level accountability, with key provisions slated to take effect in September.
Timeline - major decisions & events
South Korea promulgated the most consequential rewrite of PIPA since 2023, raising the maximum administrative fine ceiling to 10% of total turnover and introducing statutory personal liability for CEOs who fail to supervise data-protection compliance; board-level approval is now required for Chief Privacy Officer appointments. The law takes effect 11 September 2026.
Source: Hunton Andrews Kurth Privacy Blog
After a three-month joint investigation with KISA, the PIPC imposed South Korea's largest-ever privacy penalty on SK Telecom; investigators found the carrier failed to encrypt sensitive subscriber data, stored admin credentials in plain text, and ignored available security patches, violating core PIPA safeguard obligations.
Source: Personal Information Protection Commission (PIPC)
The revised Enforcement Decree fleshed out the 2023 PIPA amendment by specifying security standards for data portability requests, procedures for challenging fully automated (including AI) decisions, and updated cross-border transfer rules—completing the GDPR-alignment reforms begun in 2023.
Source: Personal Information Protection Portal (PIPC official portal)
The European Commission formally recognized South Korea as providing 'essentially equivalent' data protection to the EU under GDPR, enabling free EU–Korea personal-data transfers without additional safeguards; the decision excluded transfers of financial personal-credit data and is subject to review every three to four years.
Source: European Data Protection Board (EDPB)
Landmark amendments to PIPA, the Network Act, and the Credit Information Act (passed 9 January 2020) took effect: the PIPC became an independent cabinet-level authority consolidating all privacy enforcement, a legal framework for pseudonymized data in R&D and statistics was introduced, and OSP privacy rules were folded into PIPA—creating South Korea's modern unified data-governance architecture.
Source: Kim & Chang (analysis of official National Assembly legislation)
An IT contractor at Korea Credit Bureau copied names, resident registration numbers, and credit card details of 104 million accounts—covering roughly 40% of South Korea's population—onto a USB drive and sold them to marketing firms; the scandal exposed critical gaps in the pre-PIPC regulatory framework and accelerated demands for stronger enforcement powers.
Source: Financial Supervisory Service (FSS)
South Korea enacted PIPA as its first comprehensive, sector-neutral data-protection statute, replacing a patchwork of conflicting sectoral rules; the law established consent requirements, data-minimization duties, mandatory breach notification, and created the Personal Information Protection Commission—laying the constitutional foundation for all subsequent privacy regulation.
Source: Korea Legislation Research Institute (KLRI) — official English translation
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.