Data Protection & Privacy 2025 Comparisons

Last Updated March 11, 2025

Contributed By Kim & Chang

Law and Practice

Kim & Chang has a privacy and data security practice which assists clients to better understand the extensive Korean privacy and data security law requirements, and provides company-wide compliance audits and risk assessments of their current personal information processing practices. It offers expertise in sectors and areas including e-commerce, insurance, banking, healthcare, TMT, HR, compliance, criminal defence and litigation, providing a holistic service that is suited to its clients’ needs. The privacy and data security practice within the firm has expertise in laws such as the Personal Information Protection Act and others that have a bearing on information security and data protection. The practice provides comprehensive advice that allows clients to effectively mitigate and manage the risk of civil, criminal and administrative liability, and is able to advise not only on legal compliance, but also on technical compliance, and it is recognised as one of the leaders in this field in Korea.

The Personal Information Protection Act (PIPA) is the overarching privacy legislation in Korea. Other statutes governing particular types of personal information include the Credit Information Use and Protection Act (the “Credit Information Act”) and the Act on the Protection and Use of Location Information (the “Location Information Act”). The Act on Promotion of Information and Communications Network Utilisation and Information Protection, etc (the “Network Act”) also deals with some privacy issues, such as sending advertising information, appointing a Chief Information Security Officer and issuing certification for information security management systems.

While Korean constitutional law does not expressly guarantee rights related to personal information, the Constitutional Court’s position is that the right to self-determination of personal information derives from general personality rights and the right to privacy and freedom and is thus protected under the Constitution.

The National Assembly passed the proposed bill for the Framework Act on the Development of Artificial Intelligence and the Establishment of a Foundation for Reliability (the “AI Framework Act”), which is set to take effect in the first half of 2026. This statute is Korea’s first foundational law in the field of artificial intelligence, aiming to ensure transparency and safety by imposing various obligations on AI service providers.

The key regulators are as follows:

  • Personal Information Protection Commission (PIPC) (in charge of enforcing the PIPA);
  • Korea Communications Commission (KCC) (in charge of enforcing the Network Act and the Location Information Act);
  • Korea Internet & Security Agency (KISA) (conducts tasks related to information security as delegated by the PIPC and the KCC);
  • Financial Services Commission (FSC) (in charge of enforcing the Credit Information Act); and
  • Ministry of Science and ICT (MSIT) (in charge of enforcing the AI Framework Act).

The PIPC, the KCC, the FSC and the MSIT have the authority to conduct investigations, for example through requests for information and on-site inspections. While the KISA does not have law enforcement authority, it often conducts investigations on behalf of the PIPC and the KCC.

Although investigations are often initiated when data controllers report a data breach or personal information infringement to the regulators, the regulators also conduct regular, as well as ad hoc, inspections based on the relevant laws and regulations. The regulators, including the PIPC, KCC and FSC, issue an annual work plan at the beginning of each year, which helps businesses anticipate the industry sectors that may be a target in that year. Investigations can also be triggered by media coverage of a specific incident or issue.

Regulators must provide a written notice before commencing an investigation, as well as prior to imposing an administrative disposition. In order for an administrative disposition to be lawful, not only should the procedures be lawful, but also the content of such disposition must satisfy the principle of proportionality.

Where a data controller intends to object to an administrative fine, it may do so in writing and go through a trial. For other administrative dispositions, it may file an administrative appeal or an administrative lawsuit.

The administrative fine and the administrative penalty are both monetary sanctions for administrative violations, but they differ in the nature and severity of the offences they address. Typically, administrative fines are imposed for minor violations and have a maximum amount specified by law. In contrast, administrative penalties are reserved for more serious violations, with the maximum amount determined as a percentage of the violator’s revenue.

In practice, administrative fines are calculated based on a predetermined amount according to the type and number of violations. These fines can be adjusted – either increased or decreased – by considering factors such as the severity, duration, motive and damage caused by the violation, as well as other legal criteria. Generally, administrative penalties cannot exceed 3% of the violator’s total revenue, although revenue unrelated to the violation is to be excluded from this calculation. Administrative penalties may also be adjusted based on factors like the number and duration of violations, the profits gained, voluntary corrective actions and efforts to mitigate damage.

Previously, the maximum base amount for administrative penalties was set at “no more than 3% of the revenue related to the violation”. However, with the implementation of the amended PIPA in 2023, this base amount was changed to “no more than 3% of the total revenue”, while allowing for the exclusion of unrelated revenues. Consequently, with the burden of proving the irrelevance to the violation shifted to the data controller, the amounts of imposed administrative penalties have been increasing.

Below are key regulatory actions taken by the PIPC and KCC from 2022 to 2024. As regulations have recently been strengthened, it is important to proactively assess potential legal violation risks and identify conduct that may be problematic for effective risk management.

  • In 2022, the PIPC imposed an administrative penalty totalling approximately KRW100 billion on two online platforms for failing to obtain legitimate user consent when processing personal information for targeted advertising.
  • In 2023, the KCC issued a corrective order and an administrative fine totalling KRW16.5 million to five child monitoring app providers. These services, which track children’s locations for parents, violated the Location Information Act by not obtaining consent from children under 14 themselves or notifying them of the provision details. The PIPA, which has similar consent requirements, was interpreted as not requiring consent from children under 14 themselves, so no penalties were imposed under the PIPA, in order to avoid misleading businesses.
  • In May 2024, the PIPC imposed an administrative penalty of approximately KRW7.5 billion and an administrative fine of KRW5.4 million in a case where the personal information of over 2.21 million users was leaked. Additionally, an administrative penalty of approximately KRW15.1 billion and an administrative fine of KRW7.8 million were imposed in a case involving leaks of anonymous chat room users’ information. These cases involved the application of the amended PIPA, which raised penalty limits, with the latter case marking the largest fine ever imposed by the PIPC for a personal information leak.
  • In July 2024, the PIPC fined a Chinese e-commerce service provider an administrative penalty of approximately KRW2 billion and an administrative fine of KRW7.8 million for failing to secure user consent for overseas transfers of personal information and not including necessary data protection measures in seller agreements. This case highlighted that overseas providers are subject to the level of regulation required of domestic service providers to ensure robust protections for managing personal information.

The AI Framework Act was passed by the National Assembly on 26 December 2024. This legislation establishes obligations for providers of high-impact, generative and high-performance AI services to ensure safety and transparency. Key provisions include the following.

  • Extraterritorial regulation and domestic agent system: The AI Framework Act can apply to actions taken outside Korea if they affect the Korean market or users. AI service providers without a business presence in Korea must designate a domestic agent and report to the Minister of Science and ICT if they meet certain criteria.
  • Obligations for high-impact AI: AI business operators providing high-impact AI products or services using such technology are required to pre-assess their AI technology to determine whether it is high-impact, give advance notice to users, implement comprehensive safety and reliability measures to ensure no undue risk, and possibly conduct an impact assessment on individuals’ fundamental rights and provide explanations to individuals affected by high-impact AI of the logic and principles behind AI-generated outcomes.
  • Obligations for generative AI: AI business operators which offer products or services using generative AI technology are required to give advance notice to users that the products or services are powered by generative AI, label products or services as being created by generative AI, and clearly label deep fake content.
  • Obligations for high-performance AI: AI business operators offering AI with a significant cumulative amount of compute used for training that surpasses a certain threshold are required to identify, assess, and mitigate risks throughout the AI lifecycle, as well as establish a risk-management system to monitor and address AI-related safety issues and report the results to the MSIT.

The AI Framework Act relies on the existing PIPA regulations when it comes to personal information. The PIPC plays a key role in shaping these regulations.

  • The PIPC is actively developing AI-related policies, having published six guidelines that define the application principles and standards of the PIPA. These guidelines cover topics including publicly disclosed information, unstructured data, biometric information, synthetic data, mobile image devices and transparency.
  • In 2023, the PIPA was amended to introduce regulations on automated decisions made by fully automated systems, such as AI. Under these regulations, data subjects have the right to request explanations of automated decisions and, in some cases, the right to refuse them. Data controllers must disclose the standards and procedures for these decisions and how personal information is processed, ensuring that data subjects can easily understand this information.
  • Between 2023 and 2024, the PIPC inspected how AI service providers handle personal information. As a result, it recommended improvements, such as enhancing protections for personal information used in AI training data and ensuring AI service providers clearly notify users that their input data is being reviewed.
  • The PIPC also introduced the AI Privacy Risk Management Model, a guide to help AI service providers manage privacy risks effectively. This model outlines procedures for identifying, measuring and mitigating privacy risks associated with different AI models and applications.

The AI Framework Act will take effect in the first half of 2026, one year after its promulgation. Details such as the scope of AI-related obligations, the method of performance, and the level of performance will be determined by the subordinate laws and regulations. As the subordinate laws and guidelines for the AI Framework Act are expected to be established in 2025, it is necessary to keep an eye on the legislative trend.

In terms of personal information, as explained in 1.5 AI Regulation, the AI Framework Act relies on the existing PIPA regulations, and the PIPC plays a key role in shaping these. The PIPC believes that applying the principle of personal information protection in a balanced manner is essential for maximising the benefits and opportunities of using AI, while minimising the risk of personal information infringement potentially caused by AI. In particular, the PIPC seeks to promote the use of data by resolving legal uncertainties through the following systems.

  • Regulatory sandbox: Under certain conditions, products or services using new AI technologies can be first released and tested and verified without being subject to all or part of the existing personal information regulations, thereby promoting the use of data necessary for the development and provision of AI.
  • Preliminary adequacy review system: If it is uncertain whether a service provider can comply with the PIPA in the course of planning new technologies or services such as AI, the service provider and the PIPC will work together to come up with a plan to apply the PIPA, which is appropriate for the processing environment, to resolve legal uncertainties.
  • Case-by-case legal interpretation: For other requests for legal interpretation concerning AI technology, the PIPC will provide a legal interpretation on a case-by-case basis.

The amount of administrative penalties imposed for violations of the PIPA has increased significantly, and the number of administrative lawsuits filed against the PIPC has been increasing. The amount of administrative penalties imposed by the PIPC and the number of lawsuits filed against it have been gradually increasing as follows. In 2020: KRW2.9 billion – five lawsuits; in 2021: KRW9.1 billion – four lawsuits; in 2022: KRW102.5 billion – one lawsuit; and in 2023: KRW23.3 billion – eight lawsuits. Moreover, as explained in 1.3 Enforcement Proceedings and Fines, the amendment to the PIPA has changed the threshold for administrative penalties, which is expected to further increase the number of administrative lawsuits filed against the PIPC.

Meanwhile, the courts, like the PIPC, acknowledge jurisdiction in cases where overseas service providers provide services to domestic users. The major lawsuits explained in 2.2 Recent Case Law also include a number of cases where foreign service providers that were subject to PIPC’s dispositions have objected and filed lawsuits against the PIPC.

Major lawsuits related to privacy in 2023–2024 were as follows.

  • As explained in 1.4 Data Protection Fines in Practice, in 2022, the PIPC imposed an administrative penalty of around KRW100 billion in total on two online platforms on the ground that they did not obtain legitimate consent from users when processing their personal information for personalised advertising purposes. The two online platforms have filed a lawsuit, which is pending, seeking revocation of the disposition imposed by the PIPC. As regulations on the collection of behavioural data and the use of personalised advertising are being tightened in other jurisdictions such as the EU, and as this case is the first decision in Korea regarding the collection and use of behavioural data on personalised online advertising platforms, the outcome of the court’s decision is drawing keen attention.
  • In 2019, PIPC imposed an administrative penalty of about KRW1.8 billion on an online shopping mall for a data breach. In 2023, the Supreme Court rendered a decision in this regard. This decision sets forth for the first time the scope of the “relevant revenue”, which forms the basis for calculating the administrative penalty, and the factors to be considered in determining the amount of administrative penalty, in imposing an administrative penalty for a data breach. More specifically, in the context of a data breach, the Supreme Court ruled that the calculation of the relevant revenue for imposing the administrative penalty should be based on the scope of services for which the affected personal information is retained and managed, taking into account that it is difficult to calculate the profits generated from the violation at issue.
  • As explained in 1.4 Data Protection Fines in Practice, in 2023, KCC imposed a corrective order on business entities that did not obtain consent from children under the age of 14 themselves when processing their personal location information, in addition to obtaining consent from their legal guardian. Currently, a lawsuit has been filed to revoke KCC’s disposition and a lawsuit is underway to dispute the interpretation of the Location Information Act.
  • As explained in 1.4 Data Protection Fines in Practice, in May 2024, PIPC imposed an administrative penalty on a business entity in a case where the personal information of anonymous chat room users was leaked. The business entity filed a lawsuit seeking revocation of PIPC’s disposition and the case is currently pending. The issue in this case is expected to be whether information that does not contain any personal information in itself, such as “member serial number and temporary ID used in anonymous chat rooms,” constitutes personal information.

The PIPA includes a mechanism for collective redress through a dispute mediation system. This allows national and local governments, personal information protection organisations, data subjects, and data controllers to request or apply for collective dispute mediation via the Dispute Mediation Committee. This process is applicable in situations where multiple data subjects experience similar damage or rights infringements, provided the following criteria are met.

  • At least 50 data subjects must have suffered harm, excluding:
    1. data subjects who have already reached an agreement with the data controller regarding dispute resolution or compensation;
    2. individuals who are currently involved in a dispute mediation process under different laws or regulations for the same issue; and
    3. individuals who have filed a lawsuit regarding the personal information infringement in question.
  • The case’s key issues must share common factual or legal characteristics.

Despite this framework, collective dispute mediation has been rarely utilised.

Overview

Currently, there are no specific laws or regulations dedicated solely to the data regulation of the IoT (Internet of Things). Depending on the type of issue, the following individual laws and regulations may be applicable.

  • Security and safety management: The Network Act may be relevant here. It mandates manufacturers and importers of IoT devices to implement protective measures to ensure the stability and reliability of information and communications networks. Additionally, the Network Act includes an information protection certification system for IoT products.
  • Data sharing: There is no law similar to the EU Data Act that directly requires data holders to share data during the development, launch, or operation of IoT products. However, the Framework Act on Promotion of Data Industry and Promotion of Use allows the government to support the establishment of data distribution and transaction systems.
  • General laws (eg, PIPA) will apply for other issues.
  • Sensitive information processing: The PIPA identifies biometric information, a type of sensitive information, as requiring special handling. This includes information generated to identify specific individuals through technical means, such as fingerprints. The PIPA requires separate consent for processing such information and mandates enhanced protections like encryption. Companies using biometric data for IoT services must adhere to these requirements.

The PIPC is actively working on improving systems to balance protection and use of biometric information, so it is important to stay updated on regulatory changes.

  • Issues such as wiretapping: Korean law restricts recording and listening to conversations among unspecified individuals. IoT services need to ensure compliance with these restrictions to avoid violations.
    1. Protection of Communications Secrets Act: Prohibits unauthorised wiretapping and recording of undisclosed conversations.
    2. Network Act: Forbids damaging, misappropriating, or divulging others’ information processed through a communications network.
    3. Korean Criminal Code: Deems it illegal to obtain confidential documents or electronic records through technical means without authorisation.

Location Information Issues

In Korea, the use of location information is governed by the Location Information Act. The Location Information Act is particularly relevant when collecting and using location data in IoT services, such as connected cars.

  • Location Information Business (LIB): This refers to businesses that directly collect location information and provide it to location-based service providers, such as mobile carriers and mobile OS providers. Businesses that collect personal location information and supply it to LBS operators must register as LIBs.
  • Location-Based Services (LBS): These are services provided based on location information obtained from an LIB operator. Examples include app service providers that use location data already collected by an LIB. Service providers using personal location information must report their activities as LBS.

Both LIBs and LBSs are required to obtain consent for processing personal location information and implement protective measures to safeguard this information, as mandated by the Location Information Act.

With the rapid advancement of technologies and the emergence of new challenges, South Korean legal and regulatory bodies are actively working to maximise the opportunities these technologies offer while minimising the associated risks to personal information. These efforts are taking place on multiple levels.

  • Guideline development: Regulatory bodies strive to maintain legal stability and predictability by developing issue-specific guidelines. For instance, guidelines on AI technology, as explained in 1.5 AI Regulation, have been established. Guidelines on personalised advertising are also expected to be released in early 2025, as addressed in 4.2 Personalised Advertising and Other Online Marketing Practices.
  • Legal framework expansion: The PIPC has worked to broaden the legal bases for processing personal information. The 2023 amendment to the PIPA expanded the scenarios under which personal information can be lawfully processed without the data subject’s consent. For example, personal information may now be processed without consent “if necessary for the execution and performance of an agreement”, or “if it is clearly necessary for the urgent benefit of the life, body, or property of a data subject”.

As outlined in 3.1 Objectives and Scope of Data Regulation, the MSIT in Korea mandates manufacturers and importers of IoT equipment to implement protective measures that ensure the stability of information and communications networks and the reliability of information. The MSIT’s information protection guidelines, which generally serve as recommendations, detail these protective measures. However, the MSIT can sometimes request other regulatory bodies to integrate these guidelines into their standards for testing, inspection and certification of IoT products.

The key protective measures specified in the guidelines include the following.

  • Managerial protective measures: These involve organising an information security team, appointing a chief information security officer, implementing information security policies, devising and executing a breach response plan, and conducting self-assessments of information security practices.
  • Technical protective measures: These cover securing networks with intrusion prevention systems, securing IT infrastructure such as servers, implementing access controls, and maintaining log records for a specified period.
  • Physical protective measures: These involve controlling access to telecommunication facilities and installing and operating backup facilities.

Additionally, service providers can opt to obtain Certification of IoT Cybersecurity for their IoT products and associated mobile apps. This certification spans seven areas: identification and authentication, data protection, encryption, software security, updates and technical support, operating system and network security, and hardware security. Products that achieve certification can display a certification mark.

Under the Network Act, the MSIT oversees measures to ensure network safety, while the PIPC is responsible for matters related to personal information. If a relevant authority identifies a violation of either law, whether due to an infringement or through a report or complaint, it can investigate the case and impose sanctions. These sanctions may include corrective orders, administrative fines, or other penalties. For more information, please refer to 1.2 Regulators.

The PIPA does not require data controllers to obtain users’ consent for the installation of cookies, nor does it restrict the use of cookies. However, if the information collected through cookies qualifies as personal information – defined by the PIPA as information that can be easily combined with other information to identify an individual – it falls under the PIPA’s regulations. For example, the PIPA obligates data controllers to state “matters concerning the installation, operation, and refusal of a device that automatically collects personal information, such as an internet access data file” in their privacy policies – ie, data controllers are obligated to state such matters when installing and operating a device that automatically collects personal information such as a cookie or similar technology on their own web or app.

Please refer to 4.2 Personalised Advertising and Other Online Marketing Practices for enforcement trends related to behavioural information collected through cookies.

Personalised Advertising

In the absence of specific statutory regulations regarding the processing of behavioural data for personalised advertising, the general legal principles of the PIPA apply if such information is considered personal information. That is, if online identifiers used for targeted advertising, along with the behavioural information collected, can be combined to personally identify individuals, then this information is classified as personal information. Consequently, to collect and use this behavioural data for personalised advertising, the legal requirements for processing personal information, such as securing legitimate legal grounds for processing, must be met.

Conversely, if the behavioural data does not enable the identification of specific users, it is not considered personal information under PIPA. In this scenario, PIPA regulations do not apply, but the PIPC recommends implementing safety measures. Additionally, the PIPC is developing comprehensive guidelines for collecting behavioural data for customised advertising, which are expected to be released in early 2025.

Online Marketing Practices

In order to send marketing communications via an electronic medium such as email or SMS, data controllers must obtain from the data subject (i) consent to the processing of their personal information for marketing purposes pursuant to the PIPA, and (ii) consent to receiving marketing communications in accordance with the Network Act.

Data controllers are required to comply with certain formal requirements to clearly show that the communication is an advertisement, and for night-time transmission, separate consent from the data subject is required.

There are no specific regulations or considerations exclusively for processing employees’ personal information; instead, the general provisions of the PIPA apply. Apart from general provisions of the PIPA, below are examples of instances where other related laws may become relevant.

  • Automated decision-making: During recruitment, if an applicant is disqualified based on AI analysis of their personal information, such as through AI interviews or application form assessments, it may involve automated decision-making as described in the regulations on AI. If this disqualification significantly impacts the applicant’s rights or obligations, they may have the right to refuse and request an explanation regarding the decision.
  • Surveillance devices: Installing surveillance devices, like CCTV, in the workplace requires labour-management consultation according to the Act on the Promotion of Workers’ Participation and Cooperation.
  • Data retention: Employers must retain employee data for a specific period as mandated by the Labour Standards Act.

Also, in terms of sharing employees’ personal information with affiliates outside of Korea, data controllers must pay close attention to the legal requirements explained in 5.1 Restrictions on International Data Transfers.

As detailed in 5.1 Restrictions on International Data Transfers, transferring personal information to a third party typically involves either (i) third-party provision or (ii) delegation of processing. Transferring personal information in the course of asset deals is likely to be considered third-party provision.

While the PIPA generally requires consent from data subjects to provide personal information to a third party, it includes a specific provision regarding the transfer of personal data during asset deals. If a data controller transfers personal information as part of a business transfer or a merger involving all or part of its operations, the controller must notify the data subjects in advance about the following, and a consent requirement is exempted:

  • the fact that their personal information will be transferred;
  • the name, address, telephone number and other contact information of the recipient of the personal information; and
  • the method and procedure for withdrawing consent if the data subject does not wish their personal information to be transferred.

In principle, the business transferor shall provide the above information in writing (eg, written document, email, fax, phone, text message or any other equivalent method). However, if the business transferor, through no negligence of its own, is unable to provide such information in writing, it shall publish this information on a website for at least 30 days. If there is a justifiable reason for not being able to publish the above information on a website, the business transferor shall (i) publish the above information in an easily visible location within the business transferor’s place of business for at least 30 days or (ii) publish it in a daily newspaper that is mainly distributed in the city, province, or region where the business transferor’s place of business is located.

The business transferee has the same notification obligation as the business transferor. However, if the notification has been provided by the business transferor, the business transferee is not required to provide one. Meanwhile, a business transferee which has received personal information as part of a business transfer or merger may use the personal information or provide it to a third party only for the original purpose for which it received the information.

Please note that, with respect to any “overseas transfer” of personal information that may take place during asset deals, the PIPC has expressed the view, in its draft guideline published on 31 December 2024, that such consent exceptions may not be recognised. However, this is a “draft” guideline, and the PIPC is expected to release a final version in early 2025.

Restrictions on International Data Transfer

Under the PIPA, a data controller may transfer personal information overseas (ie, provide, delegate the processing of, or store personal information with an overseas entity) only if one or more of the following grounds applies:

  • the data controller obtains separate consent from the data subject;
  • there is specific authorisation by treaty or other international agreement;
  • where personal information is stored overseas and/or personal information processing is delegated to an overseas entity because it is necessary for the execution and performance of an agreement with the data subject, and certain information regarding the overseas transfer (storage/delegation) is disclosed to the data subject, either through the data controller’s privacy policy or other written means such as email;
  • the recipient party located overseas has obtained certification from the PIPC and has taken measures (i) to ensure that personal information and rights of data subjects are protected and (ii) to implement the matters subject to certification in the destination country; or
  • the PIPC has recognised the adequacy of the level of the privacy protection provided in the destination country.

In the case of international data transfers, the data controller must consult with the recipient and reflect the following in the relevant agreement:

  • measures to ensure safety for protecting personal information under the PIPA;
  • measures to handle grievances and resolve disputes with respect to personal information breach; and
  • other measures necessary to protect the personal information of data subjects.

Separate from such regulation regarding overseas transfer, transferring personal information to a third party outside Korea for the purpose of (i) providing personal information to a third party or (ii) delegating the processing of personal information also constitutes (a) third party provision or (b) delegation of processing of personal information under the PIPA, respectively, and these are subject to the relevant provisions of the PIPA in addition to the above-mentioned regulation on overseas transfer. Third-party provision occurs where a data controller provides personal information to a third-party recipient for the purpose and benefit of the third-party recipient. Delegation occurs where a third-party entity processes personal information it receives from the data controller for the purpose and benefit of the data controller.

Restrictions on Third-Party Provision and Delegation

If the transfer in question constitutes a third-party provision within the original purpose of collection, the PIPA requires the data controller to meet at least one of the following grounds:

  • the data controller obtains consent from the data subject;
  • there are special provisions in law allowing third-party provision, or third-party provision is inevitable to comply with statutory obligations;
  • third-party provision is evidently deemed necessary for urgent protection of life, body or property of a data subject or a third party;
  • where third-party provision is necessary to achieve the legitimate interests of a data controller, and such necessity clearly supersedes the rights of the data subject. In such cases, third-party provision is limited to where the legitimate interests of the data controller are substantially related and do not go beyond the reasonable scope; or
  • third-party provision is urgently required for public safety and security.

If the transfer in question constitutes a delegation, consent from the data subject is not required. However, the data controller must disclose details of delegation and enter into a written agreement with the entity which is delegated with the processing of personal information. Such agreement should include matters that are statutorily required under the PIPA.

Apart from regulations mentioned in 5.1 Restrictions on International Data Transfers and 5.3 Data Localisation Requirements, the data controllers are not required to provide notification to government agencies or obtain approvals.

While there is no general data localisation rule under the PIPA, there are individual laws that prohibit overseas transfer of specific types of data, such as the following:

  • the Medical Services Act prohibits storing Electronic Medical Records (EMR) outside of Korea;
  • the Act on the Establishment and Management of Spatial Data requires a licence to transfer certain map data outside of Korea;
  • the Industrial Technology Protection Act requires a company to obtain approval from or file a prior report with the Ministry of Trade, Industry and Energy in order to export national core technology;
  • the Electronic Financial Transactions Act stipulates that financial companies or electronic financial business operators’ systems for processing (i) unique identification information or (ii) personal credit information cannot be located outside Korea in the course of using cloud computing services; and
  • the Cloud Computing Act stipulates that data processed by Korean government organisations and public institutions must be located in Korea.

There are no “blocking” statutes that protect Korean companies from the effect of extraterritorial sanctions.

As outlined in 5.1 Restrictions on International Data Transfers, one of the legal bases for transferring personal information internationally is the PIPC’s acknowledgement that the destination country provides an adequate level of privacy protection. Currently, no country has been recognised by the PIPC as having equivalent personal information protection standards. However, the PIPC is working towards recognising such equivalence with the EU. If achieved, this recognition would facilitate the transfer of personal information to the EU. Since much of the process for recognising EU equivalence has been completed, it is anticipated that the remaining steps will conclude shortly.

In addition, in its annual plan, the PIPC has expressed its willingness to start an adequacy process for the US and Japan, and to adopt standard contractual clauses as an additional legal ground for international data transfers.

Kim & Chang

39, Sajik-ro 8-gil
Jongno-gu
Seoul 03170
Korea

+82 2 3703 1114

+82 2 737 9091/9092

lawkim@kimchang.com www.kimchang.com