BKL Legal Update

2026.02.13

STRENGTHENING OF THE PERSONAL INFORMATION PROTECTION ACT: KEY ISSUES

I. BACKGROUND

Public concern over data security has been deepening due to recent large-scale personal information breaches across various industries. Accordingly, calls have grown louder for strengthening corporate accountability and enhancing the effectiveness of sanctions.

Reflecting these demands, the amendment to the Personal Information Protection Act (the "PIPA") was passed at the National Assembly plenary session on February 12, 2026.  The amendment centers on strengthening the independence of the CPO (Chief Privacy Officer), mandating personal information protection certification, reforming the penalty surcharge system, and expanding remedies for data subjects' rights.


II. KEY AMENDMENTS

1. Establishing a Personal Information Management System Centered on the Business Owner or Representative and the CPO

The amendment imposes effective management obligations on the business owner or representative as the party bearing ultimate responsibility for the processing and protection of personal information, while simultaneously strengthening the role of the CPO.

  • Codification of the business owner's or representative's management obligations: The business owner or representative of a data controller shall, as the party bearing ultimate responsibility for the safe processing of personal information and the protection of data subjects' rights, take comprehensive management measures including securing the necessary human resources and budget for personal information protection (newly added Article 30-3).
  • Strengthening the CPO's role and authority: Data controllers meeting certain criteria must obtain a resolution from the board of directors when designating, changing, or removing a CPO, and must report such actions to the Personal Information Protection Commission (PIPC).  The CPO will have the authority to manage professional personnel and secure budgets necessary for personal information protection, and shall be obligated to report key matters to the business owner/representative and the board of directors (amended Article 31).

2. Mandatory Personal Information Protection Certification

Under the current PIPA, the PIPC may certify that a series of measures related to the processing and protection of personal information by data controllers complies with the law.  This amendment goes a step further by requiring data controllers, whose revenue and scale of personal information processing reach certain thresholds, to obtain the personal information protection certification mandatorily.  The purpose of mandatory certification is to enhance the reliability and safety of personal information management systems (amended Article 32-2).

3. Expansion of Breach Notification Scope and Introduction of Breach Possibility Notification

Previously, PIPA used the abbreviated term "breach, etc." to refer only to "loss, theft, and leakage," limiting notification obligations to cases where personal information was lost, stolen, or leaked.  Under this amendment, the scope of "breach, etc." has been expanded to include forgery, alteration, and destruction, thereby expanding the scope of incidents that trigger notification requirements to the affected data subjects (amended Article 34, Paragraph 1).

Additionally, with the introduction of the breach possibility notification system, data controllers must, upon becoming aware that there is a possibility of a breach as prescribed by the Presidential Decree — considering the type of personal information, the impact on data subjects, and the degree of breach risk — promptly notify all data subjects of the potential breach and provide information to minimize harm (amended Article 34, Paragraph 2).

4. Enhanced Penalty Surcharges for Repeated or Serious Personal Information Infringements

This amendment strengthens the effectiveness of sanctions by introducing a stronger penalty surcharge system for violations that involve significant harm or are repeated among those already subject to penalty surcharges.  In connection with violations subject to penalty surcharges, if any of the following conditions are met, the PIPC may impose a penalty surcharge up to 10% of total revenue (previously up to 3%) on the relevant data controller:

  • (i) Repeated violations committed intentionally or through gross negligence within a three-year period;
  • (ii) Large-scale harm affecting 10 million or more individuals caused intentionally or through gross negligence; or
  • (iii) A breach that occurred due to failure to comply with a corrective order.

However, in cases where there is no revenue or where calculating revenue is difficult as prescribed by the Presidential Decree, a penalty surcharge up to 5 billion KRW may be imposed (newly added Article 64-2, Paragraph 2).

Furthermore, the PIPC shall reduce the penalty surcharge, except for cases or intentional malfeasance or gross negligence, if there are grounds prescribed by the Presidential Decree, such as investment and operation of budget, personnel, facilities, and equipment, thereby incentivizing proactive preventive investment by businesses (newly added Article 64-2, Paragraph 6).


III. EFFECTIVE DATE

This amendment will take effect six months after its promulgation in principle (Addendum Article 1). However, the mandatory personal information protection certification (amended Article 32-2) and its administrative fine provisions (amended Article 75, Paragraph 2, Item 15) will take effect on July 1, 2027.

The amended penalty surcharge provisions will apply as follows:

  • (i) Repeated violations committed intentionally or through gross negligence within a three-year period: will apply to the repeated violation after receiving a penalty surcharge disposition for the initial conduct that occurred after the effective date of this amendment.
  • (ii) Large-scale harm affecting 10 million or more individuals caused intentionally or through gross negligence: will also apply to violations that have not concluded or ceased as of the effective date of this amendment.
  • (iii) Breach occurring due to failure to comply with a corrective order: will apply to corrective orders that are received following the effective date of this amendment.


IV. IMPLICATIONS AND CONSIDERATIONS FOR DATA CONTROLLERS

This amendment aims at shifting from a predominantly post-hoc sanctions-oriented approach toward promotion of proactive prevention and investment in protection, in response to criticism that some businesses have not made sufficient efforts to protect personal information despite the occurrence of large-scale data breaches.

As the regulatory authority demonstrates its commitment to thorough investigations and strict sanctions for violations of the law, data controllers need to actively overhaul their data protection systems by securing budgets and personnel for PIPA compliance and implementing additional, preemptive safety measures.

Bae, Kim & Lee LLC will promptly monitor the amendments to the Enforcement Decree and the detailed standards in connection with this PIPA amendment, and will provide optimal response strategies through customized advisory services that take into account the specific circumstances of each client.

 

*    *    *

 

For any inquiry or questions regarding the content of this newsletter, please contact us. 

 

[Korean version]

  • This update is intended as a summary news report only, and not as advice. For legal advice, please inquire with your contact at Bae, Kim & Lee LLC, or the authors of this legal update.