South Korea PIPA AI Compliance: Article 37-2 Automated Decision Rights, PIPC Enforcement, and Cross-Border Transfer Rules
South Korea's PIPA (Personal Information Protection Act, 개인정보 보호법) was significantly amended in 2023 (effective September 15, 2023), making it one of the most comprehensive AI governance frameworks in Asia. PIPA Article 37-2 (new in 2023) grants Korean residents three rights regarding AI automated decisions: the right to refuse, the right to explanation (including main contributing factors), and the right to human review and objection. These rights apply to any AI-driven decision that significantly affects a Korean resident's rights or interests. PIPC (Personal Information Protection Commission, 개인정보보호위원회) enforces PIPA with administrative fines up to 3% of annual revenue — it fined Google KRW 69.2 billion (~$52M) and Meta KRW 30.8 billion (~$23M) for consent violations. Cross-border transfers of Korean personal data (including to overseas AI API providers) require PIPC-approved standard contractual clauses (SCCs) or individual consent. South Korea holds EU GDPR adequacy (December 2021) — the mutual adequacy means PIPA compliance and GDPR compliance substantially overlap, but PIPA's Article 37-2 right to refuse automated decisions, 72-hour breach notification, and CPO requirements have PIPA-specific implementation requirements.
PIPA 2023 Amendments: What Changed for AI Systems
The 2023 PIPA amendment package (effective September 15, 2023) introduced or strengthened several AI-relevant provisions:
(1) Article 37-2 (new): automated decision rights — data subjects may refuse automated decisions, request factor-level explanations, and demand human review for decisions significantly affecting their rights or interests.
(2) Article 28-8 (amended): cross-border transfer framework overhauled — adequacy list, PIPC-approved SCCs, and individual consent are the three pathways; the previous notification-based approach was replaced with substantive protection requirements.
(3) Article 28-2 (amended): pseudonymous information — a distinct category allowing internal processing without consent for statistics, research, and public-benefit purposes, with re-identification and third-party provision prohibited.
(4) Article 15(3) (amended): behavioral advertising consent — explicit opt-in is required for all behavioral advertising, including AI-driven targeting.
(5) Article 34 (enhanced): breach notification — the 72-hour notification standard now clearly applies to all personal information breaches, including AI system events.
Article 37-2: The Three AI Rights — Implementation Requirements
Article 37-2 applies when an organization uses personal information for automated decision-making where the decision has a significant effect on a data subject's rights or interests. Implementation requirements:
Right to Refuse (§1): establish a mechanism for data subjects to formally refuse an automated decision; define an internal process to receive, acknowledge, and respond to refusal requests; document the scope of automated decisions covered; respond within a reasonable period (PIPC guidance: 30 days).
Right to Explanation (§2): on request, provide information about the criteria used in the automated decision (what factors are evaluated), the process by which the decision was made (model type, evaluation method), and the main factors that contributed to the specific decision outcome. This is the most technically demanding requirement: AI teams need per-decision feature importance or contribution metrics, not just generic model descriptions.
Right to Human Review and Objection (§3): establish a human review workflow for data subjects who object to an automated decision; human reviewers must have access to the complete decision record and the authority to override the AI output; nominal review without override authority does not satisfy the requirement.
Organizations must notify data subjects of these rights before or at the time an automated decision significantly affecting them is made.
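The three rights translate into a per-decision record that carries inputs, per-factor contributions, and the refusal/objection and human-review workflow state. The following is an added example, not code from the page or from PIPC; the additive scoring model, its weights, the threshold, the subject id and the reviewer name are all constructed and hypothetical, chosen only because an additive model makes the "main contributing factors" for a specific decision directly computable.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical, constructed additive scoring model (not any real organization's model).
# An additive model is used so that each factor's contribution to a specific decision
# can be computed and reported, which Article 37-2 §2 requires.
WEIGHTS = {
    "income_to_debt_ratio": 2.0,        # higher ratio raises the score
    "months_at_current_address": 0.05,  # longer tenure raises the score
    "late_payments_12m": -1.5,          # each late payment lowers the score
}
THRESHOLD = 1.0  # approve at or above this score


@dataclass
class Decision:
    """Complete per-decision record: inputs, contributions, outcome, and rights-workflow state."""
    subject_id: str
    inputs: dict
    contributions: dict
    score: float
    outcome: str
    status: str = "automated"            # automated | under_human_review | human_final
    reviewer: Optional[str] = None
    human_outcome: Optional[str] = None
    log: list = field(default_factory=list)


def automated_decision(subject_id: str, inputs: dict) -> Decision:
    """Issue the automated decision and store per-factor contributions for later explanation."""
    contributions = {name: WEIGHTS[name] * inputs[name] for name in WEIGHTS}
    score = sum(contributions.values())
    outcome = "approve" if score >= THRESHOLD else "decline"
    decision = Decision(subject_id, dict(inputs), contributions, score, outcome)
    # The rights notice must reach the subject before or when the decision takes effect.
    decision.log.append("automated decision issued; Article 37-2 rights notice delivered")
    return decision


def explanation(decision: Decision, top_n: int = 2) -> dict:
    """§2: criteria, decision process, and the main contributing factors for THIS decision."""
    ranked = sorted(decision.contributions.items(), key=lambda kv: abs(kv[1]), reverse=True)
    return {
        "criteria": list(WEIGHTS),
        "process": f"additive score = sum(weight * value); approve if score >= {THRESHOLD}",
        "outcome": decision.outcome,
        "main_factors": [{"factor": k, "contribution": round(v, 2)} for k, v in ranked[:top_n]],
    }


def request_human_review(decision: Decision, basis: str) -> Decision:
    """§1 refusal or §3 objection: suspend the automated outcome and route to a human reviewer."""
    if basis not in ("refusal", "objection"):
        raise ValueError("basis must be 'refusal' or 'objection'")
    decision.status = "under_human_review"
    decision.log.append(f"subject exercised {basis}; automated outcome suspended")
    return decision


def human_review(decision: Decision, reviewer: str, final_outcome: str, rationale: str) -> Decision:
    """§3: the reviewer works from the full record and has authority to override the AI output."""
    if decision.status != "under_human_review":
        raise ValueError("human review requires a prior refusal or objection")
    if final_outcome not in ("approve", "decline"):
        raise ValueError("final_outcome must be 'approve' or 'decline'")
    decision.reviewer = reviewer
    decision.human_outcome = final_outcome
    decision.status = "human_final"
    overridden = final_outcome != decision.outcome
    decision.log.append(f"human review by {reviewer}: {final_outcome} "
                        f"({'override' if overridden else 'upheld'}; {rationale})")
    return decision


def walkthrough() -> Decision:
    """Constructed end-to-end case: automated decline, explanation, refusal, human override."""
    d = automated_decision("subject-0001", {
        "income_to_debt_ratio": 0.8, "months_at_current_address": 12, "late_payments_12m": 1})
    explanation(d)
    request_human_review(d, "refusal")
    return human_review(d, "reviewer-kim", "approve", "late payment was a documented bank error")


if __name__ == "__main__":
    final = walkthrough()
    print(explanation(final))
    print("\n".join(final.log))
```

The design point is that `human_review` refuses to run unless a refusal or objection has suspended the automated outcome, and the log records whether the reviewer upheld or overrode the model, so an auditor can see that review carried real override authority rather than being nominal.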
PIPA Cross-Border AI Transfer: Article 28-8 Framework
PIPA Article 28-8 (amended 2023) establishes the framework for transferring Korean personal information outside South Korea. For AI teams using overseas API providers (OpenAI, Anthropic, Google, AWS, Azure), this provision creates direct operational requirements. Three compliance pathways:
(1) PIPC adequacy designation — the PIPC may designate countries or international organizations that provide equivalent protection; as of May 2026, no country has been designated (PIPC is developing the criteria and process).
(2) PIPC-approved SCCs — the recommended pathway for AI API relationships; PIPC published its SCC template in 2023; organizations must execute PIPC-standard SCCs with each overseas AI provider, verify the SCCs are incorporated in the provider's DPA, and document the transfer relationship.
(3) Individual consent — data subjects must be informed of the name of the overseas recipient, the country, the purpose of transfer, the items of personal information transferred, the retention period in the overseas country, and the data subject's right to refuse the transfer. Consent-based transfers are operationally challenging for mass-market AI applications.
Practical action: review each AI API provider's data processing documentation for PIPC SCC coverage; negotiate amendments if not already included; log each overseas transfer relationship with its legal basis.
PIPC Enforcement: Penalties and Recent AI Actions
The PIPC is one of the most active data protection authorities in Asia. Recent major enforcement actions: Google — KRW 69.2 billion (~$52M USD) fine in 2022 for tracking users without valid consent using behavioral data for advertising; Meta — KRW 30.8 billion (~$23M USD) in 2022 for similar behavioral advertising consent violations; Kakao — KRW 15.1 billion (~$11M USD) in 2024 for unauthorized disclosure of personal information to third parties. PIPC penalty structure: fines up to 3% of annual revenue for major violations; fines up to KRW 100 million (~$75K) for specific article violations; criminal penalties up to KRW 50 million (~$37K) or imprisonment up to 5 years. PIPC AI enforcement priorities: the PIPC published AI Privacy Guidelines in 2024 covering automated decision-making, AI training data use, and behavioral profiling. The PIPC has indicated that failure to implement Article 37-2 rights for significant AI decisions will be treated as a major compliance failure.
PIPA Pseudonymous Information: AI Analytics Without Consent
PIPA Article 28-2 (2023 amendment) introduced pseudonymous information (가명정보) as a category between identifiable personal information and anonymized data — directly parallel to Japan's APPI pseudonymously processed information. Pseudonymous information allows internal analytics and statistics, public interest research, commercial research (with ethical review), and record-keeping for archival purposes, all without the consent requirements that apply to personal information.
Pseudonymization requirements: remove direct identifiers; replace quasi-identifiers with codes; document the pseudonymization method; maintain pseudonymization keys with strict access controls.
What pseudonymous information prohibits: third-party provision to external organizations including AI vendors, data brokers, and research partners; re-identification attempts or combination with other data that would restore identifiability; transfer to overseas recipients without the same protections as personal information; processing for purposes beyond the legitimate purposes listed above.
AI training use: AI teams may use Korean user data pseudonymized under PIPA Article 28-2 for internal model training without consent, but cannot share the pseudonymized dataset with a third-party AI training vendor. Training pipelines that consume pseudonymous data must therefore run on internal compute only.
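The four pseudonymization requirements above (strip direct identifiers, code quasi-identifiers, document the method, keep the key under separate control) and the third-party provision ban can be enforced in one small pipeline. The following is an added example, not code from the page or from PIPC; the sample records are constructed fictitious subjects with masked placeholder RRN values, the field classification and the permitted-purpose list are assumptions, and keyed HMAC-SHA256 is one common coding choice rather than a method the page prescribes.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for two fictitious subjects; the RRN (resident
# registration number) values are deliberately masked placeholders, not real numbers.
RAW_RECORDS = [
    {"name": "Kim Minji", "email": "minji@example.com", "phone": "010-1234-5678",
     "rrn": "900101-2000000", "zip": "06236", "birth_year": 1990, "purchases": 7},
    {"name": "Lee Junho", "email": "junho@example.com", "phone": "010-9876-5432",
     "rrn": "850505-1000000", "zip": "06236", "birth_year": 1985, "purchases": 2},
]

DIRECT_IDENTIFIERS = {"name", "email", "phone", "rrn"}   # removed outright (assumed classification)
QUASI_IDENTIFIERS = {"zip", "birth_year"}                 # replaced with keyed codes
PERMITTED_PURPOSES = {"statistics", "research", "public_interest", "archival"}


class PseudonymizationKey:
    """Key held by a separate custodian under strict access control. It is never stored
    with the pseudonymous dataset, so whoever holds the dataset alone cannot recompute
    or reverse the codes."""

    def __init__(self, key_bytes: bytes = None):
        self._key = key_bytes or secrets.token_bytes(32)

    def code(self, field_name: str, value) -> str:
        # Keyed HMAC: the same (field, value) always maps to the same code, which keeps
        # records linkable for internal analytics; without the key it is not reversible.
        msg = f"{field_name}:{value}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list, key: PseudonymizationKey) -> tuple:
    """Return (pseudonymous_records, method_document)."""
    out = []
    for rec in records:
        p = {}
        for name, value in rec.items():
            if name in DIRECT_IDENTIFIERS:
                continue                                   # requirement 1: remove
            if name in QUASI_IDENTIFIERS:
                p[name + "_code"] = key.code(name, value)  # requirement 2: code
            else:
                p[name] = value                            # analytic payload kept as-is
        # Per-subject link code derived from the (removed) RRN so a subject's records
        # can be joined internally without the record carrying identity.
        p["subject_code"] = key.code("rrn", rec["rrn"])
        out.append(p)
    method_document = {                                    # requirement 3: document
        "removed_direct_identifiers": sorted(DIRECT_IDENTIFIERS),
        "coded_quasi_identifiers": sorted(QUASI_IDENTIFIERS),
        "coding": "HMAC-SHA256 keyed code truncated to 16 hex chars",
        "key_custody": "separate custodian; key not stored with dataset",  # requirement 4
    }
    return out, method_document


def contains_direct_identifiers(records: list) -> bool:
    """Pre-release check: no direct identifier field may survive in the dataset."""
    return any(name in DIRECT_IDENTIFIERS for rec in records for name in rec)


def authorize_release(records: list, purpose: str, recipient_is_internal: bool) -> bool:
    """Article 28-2 gate: internal recipients and permitted purposes only; no third-party provision."""
    if contains_direct_identifiers(records):
        raise PermissionError("dataset still carries direct identifiers")
    if not recipient_is_internal:
        raise PermissionError("pseudonymous information may not be provided to third parties")
    if purpose not in PERMITTED_PURPOSES:
        raise PermissionError(f"purpose '{purpose}' is outside the permitted purposes")
    return True


if __name__ == "__main__":
    key = PseudonymizationKey()
    data, doc = pseudonymize(RAW_RECORDS, key)
    print(doc)
    for row in data:
        print(row)
    print(authorize_release(data, "statistics", recipient_is_internal=True))
```

Two properties worth checking in practice: records sharing a quasi-identifier value get the same code (so internal statistics still work), and the same raw data coded under a different key gives unrelated codes (so a dataset cannot be linked back by anyone who lacks the custodian's key). The release gate is where the "internal compute only" rule for training pipelines is enforced.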