Inside South Korea’s Personal Information Protection Act

Legal & Privacy

Inside South Korea’s Personal Information Protection Act

4 Minute Read |

Shaika Ahmed

Shaika Ahmed
Legal Intern

South Korea’s Personal Information Protection Act (“PIPA”) was enacted on September 30, 2011 and is considered to be one of the strictest data protection regimes in the world.

South Korea’s prior Public Agency Data Protection Act was largely limited. In the private sector, it applied only to those businesses that used telecommunications services. And in the public sector, the legislation covered all public agencies but lacked enough limits on government collection of data. The old Act was replaced with the more comprehensive PIPA, which applies to both public and private sectors. As a result, “more than 3.5 million public entities and private businesses are now regulated by common criteria and principles, and common enforcement mechanisms.”

Scope of the Personal Information Protection Act

PIPA applies to personal information processing organizations, known as “data handlers,” that are defined as a person, government entity, company, individual, or any other person that, directly or through a third party, handles personal information for work or business purposes. Personal information refers to information pertaining to a living individual, which contains information identifying a specific person, such as name, national identification number, images, or other similar information.

Under the Act on the Promotion of Information and Communication Network Utilization and Information Protection (the “Network Act”), which supplements PIPA, personal information includes name, national identification number, letter, voice, sound image, and all other information that makes it possible to identify a specific person. The Network Act provides measures for protecting the personal information of users collected and used by the telecommunications business operators.

In addition to regulating personal information, the Acts impose compliance measures to ensure proper collection, use, and transfer, among other things, of users’ personal information. Technical and managerial protective measures must be taken in order to store personal information. Organizations must also inform data subjects of their rights and its obligations as a data handler.

Though the two Acts do not specify whether the laws apply to foreign organizations or acts occurring abroad, the Korea Communications Commission (the “KCC”), among other regulatory authorities, applies the Acts if foreign organizations target Korean users. In determining whether the Network Act applies, for example, the KCC will consider: (a) the location of the website’s server; (b) whether the website is written in the Korean language and the website uses a Korean domain name; and (c) whether the website conducts promotional activities in Korea. In January 2014, a multinational corporation was fined KRW 200 million by the KCC for collecting Korean users’ personal information without obtaining consent.

Comparisons to the General Data Protection Regulation

PIPA has been compared to the General Data Protection Regulation (the “GDPR”), as both regulations aim to protect privacy rights from the perspective of the data subject. In comparing the two laws, the International Association of Privacy Professionals provides some examples:

1. Purpose of the Law

PIPA aims to enhance the right and interest of citizens by protecting their privacy from the “unauthorized collection, leak, abuse or misuse of personal information.” Similarly, the GDPR strives “to enable the free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data.”

2. Notice

PIPA and the GDPR are also similar with respect to providing data subjects notice. PIPA requires the processor of such personal information to “make public its privacy policy and other personal information processing matters. The privacy policy must disclose, among other things: (a) the purpose of personal information processing and (b) the period for processing and retention of the personal information.” Likewise, Articles 12, 13, and 14 of the GDPR require a data controller to provide “notice to data subjects of processing that is concise, transparent, intelligible and easily accessible; written in clear and plain language,” including specific contents within such notice.

3. Choice and Consent

Both PIPA and the GDPR impose upon processors the obligation to use appropriate technical measures to ensure the security of personal data. PIPA mandates “technical, managerial and physical measures…necessary to ensure the safety so that personal information may not be lost, stolen, leaked, altered or damaged.” In comparison, the GDPR mandates appropriate technical and organizational responses and measures “to ensure a level of security appropriate to the risk.”

For the full, detailed comparison of the Personal Information Privacy Act and the General Data Protection Regulation, please refer to GDPR Matchup: South Korea’s Personal Information Protection Act.


This blog post is part of a series looking at privacy regulations around the world in light of Europe’s GDPR. For further information, please visit our GDPR webpage or contact us at .

Disclaimer: The information on this webpage is for general information only and does not constitute legal advice. Please consult your own legal professionals if you seek advice on specific interpretations and requirements of any law.

Recent Blog Posts

most important AVOD metrics for CTV campaigns AVOD

The era of AVOD: Which metrics matter most?

What are Splash Ads? Ad Formats

What are splash ads?

CTV moneteization and IAB's TCF v2.2 interview with Sourcepoint CTV

What CTV publishers need to know to comply with IAB’s consent framework v2.2

What are FAST channels? CTV

What are FAST channels?