I. BACKGROUND
On February 19, 2026, the amendment to the Enforcement Decree of the Personal Information Protection Act (hereinafter the “Amendment”) was officially promulgated. The Amendment strengthens the data subject’s right to self-determination over personal information and expands the scope of the right to request data portability under Article 35-2 of the Personal Information Protection Act, regardless of industry sector. This Amendment carries significant practical implications in that it expands and specifies the subject entities and the scope of data portability requests, while establishing data transmission methods that take into account the compliance burden on businesses.
II. KEY AMENDMENTS
1. Criteria for “Data Portability Obligors” Finalized (Article 42-2(1) of the Amendment)
The scope of obligors from whom data subjects may request the transmission of their personal information to themselves (hereinafter “Data Portability Obligors”) has been expanded to include data controllers meeting any of the following criteria:
1) Category 1: Entities with average annual revenues exceeding KRW 180 billion that fall under either of the following:
- Entities processing sensitive information or unique identification information of 50,000 or more data subjects
- Entities processing personal information of 1,000,000 or more data subjects
2) Category 2: Institutions operating public systems
3) Category 3: Data controllers under Article 35-2(2) of the Personal Information Protection Act
2. Expanded Scope of Information Subject to Transmission (Article 42-4(1) of the Amendment)
In principle, all personal information pertaining to the data subject that is processed based on the data subject’s consent or for the performance of a contract must be transmitted, regardless of the industry sector (excluding information separately generated through analysis or processing by the data controller). However, the following categories of information may be excluded, taking into account the protection of trade secrets and the prevention of infringement on the rights of third parties:
1) Information that infringes or is likely to infringe on the rights or legitimate interests of third parties due to the transmission request
2) Information requiring protection under other laws, such as trade secrets under the Unfair Competition Prevention and Trade Secret Protection Act or industrial technologies under the Act on Prevention of Divulgence and Protection of Industrial Technology
3) Information stored through one-way encryption to prevent decryption
3. Introduction of Direct Download Method (Article 42-6(4) of the Amendment)
Data Portability Obligors may allow data subjects to directly download information that can be immediately viewed or accessed through their website, provided such information is encrypted using a secure encryption algorithm.
4. Guaranteeing the Exercise of Data Portability Rights through an Agent (Articles 42-5(2) and 42-6(5) of the Amendment)
Data Portability Obligors must not refuse without justifiable cause when a data subject makes a data portability request through an agent under Article 38(1) of the Personal Information Protection Act. The agent must deliver the personal information to the data subject without storing it.
III. EFFECTIVE DATE
The Amendment will, in principle, take effect on August 20, 2026, six months after promulgation. However, Article 42-2(1)(i) of the Amendment, which expands the scope of Data Portability Obligors to include general data controllers across all industries meeting certain requirements, will take effect one year after promulgation.
IV. IMPLICATIONS
As a result of this Amendment, businesses processing large volumes of personal information must establish a new compliance framework suited to the era of “data sovereignty.” In particular, businesses should review and develop practical measures to respond to data portability requests from data subjects, including i) determining whether they qualify as a Data Portability Obligor and when the requirements take effect, ii) classifying information that may be excluded from transmission; and iii) enhancing the download functionality on their websites.
Bae, Kim & Lee LLC is committed to analyzing the technical and legal issues that businesses may face under this Amendment and providing optimal solutions. Please do not hesitate to contact us if you require detailed practical guidance.
* * *
For any inquiry or questions regarding the content of this newsletter, please contact us.
[Korean version]
