Personal Information Protection Act (PIPA) of South Korea

Introduction

The Personal Information Protection Act (PIPA, 개인정보 보호법) , enacted in 2011 and substantially amended in 2023, is South Korea’s comprehensive data protection statute. PIPA applies to both public and private sector entities processing personal information, establishing a unified framework for collection, use, disclosure, and security of personal data. The Personal Information Protection Commission (PIPC) (개인정보보호위원회) is the independent regulatory authority.

Scope and Definitions

Personal Information

PIPA defines personal information broadly as “information relating to a living individual that can identify that individual through his/her name, resident registration number, image, etc.” (Article 2). The definition includes:

  • Direct identifiers (name, resident registration number)
  • Indirect identifiers (when combined, capable of identification)
  • Sensitive information (health data, biometric data, political opinions, criminal records)

Territorial Scope

PIPA applies to:

  • All data controllers established in Korea
  • Foreign controllers targeting Korean residents (Article 5 of the Enforcement Decree)

Key Principles

PIPA is consent-based: data controllers must obtain the data subject’s informed consent for collection and use, specifying:

  • Purpose of collection and use
  • Categories of information collected
  • Retention and use period
  • Right to refuse and consequences of refusal

Purpose Limitation

Personal information may only be collected for specified, explicit, and legitimate purposes (Article 3). Processing beyond the original purpose requires additional consent.

Data Minimization

Controllers must collect the minimum personal information necessary for the stated purpose.

Security Measures

Controllers must implement technical, administrative, and physical security measures (Article 29), including:

  • Encryption of personal information
  • Access control systems
  • Log management

2023 Amendments

The most significant amendments to PIPA took effect in September 2023:

Enhanced Rights

  • Right to explanation: Data subjects may request explanation of automated decision-making (Article 37-2)
  • Data portability: Right to receive personal information in a structured, machine-readable format (Article 35-5)
  • Right to object: To automated decisions (Article 37-2)

Penalties

  • Administrative fines: Up to 3% of revenue (increased from 2%)
  • Criminal penalties: Up to 5 years imprisonment or KRW 50 million fine
  • Class action: Expanded standing for data breach class actions

Pseudonymized Data

Permitted pseudonymized data processing for:

  • Scientific research (statistical purposes)
  • Archiving in the public interest
  • Historical research

Regulatory Framework

Personal Information Protection Commission (PIPC)

The PIPC is the independent regulatory authority with powers to:

  • Investigate data breaches and violations
  • Order corrective measures
  • Impose administrative fines
  • Issue guidelines and interpretations

International Data Transfers

PIPA restricts cross-border transfer of personal information:

  • Explicit consent: Required for transfers
  • Adequacy recognition: The PIPC may recognize countries with equivalent data protection
  • Standard contractual clauses: Approved by the PIPC
  • Other safeguards: Certification, contractual protections

Enforcement

Private Enforcement

  • Damages: Data subjects may claim damages for PIPA violations
  • Class actions: Available for data breach claims under the Framework Act on Consumers
  • Burden of proof: Shifted to the controller for certain violations

Public Enforcement

  • PIPC investigations: May be initiated by complaint or ex officio
  • Corrective orders: Including suspension of processing
  • Administrative fines: Tiered based on violation severity

Conclusion

PIPA provides a robust data protection framework aligned with global standards, particularly the GDPR. The 2023 amendments enhanced individual rights, strengthened enforcement, and provided flexibility for data-driven innovation through pseudonymized data processing. As Korea’s digital economy continues to evolve, PIPA remains the central pillar of privacy regulation.