Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
PIPA Personal Information Protection Commission

REGULATION · NATIONAL · IN FORCE SINCE 2011

Personal Information Protection Act



Scope and territorial reach

Scope

South Korea’s Personal Information Protection Act (개인정보 보호법, PIPA) is the federal privacy law enforced by the Personal Information Protection Commission (PIPC). It applies to any “personal information processor” handling data of Korean residents — and is one of the strictest opt-in regimes globally.

The 2023 amendments removed the historic split between PIPA, the Information & Communications Network Act (ICNA), and the Credit Information Use Act — consolidating into a single PIPA framework with sector-specific carve-outs.

PIPA Art 15 requires explicit, granular, written-or-electronic consent for each distinct processing purpose. Bundled consent is invalid. The data subject must be informed of:

  • Each processing purpose (separately listed)
  • Categories of data collected
  • Retention period per category
  • Right to refuse and the consequence (if any) of refusal

For cookies and analytics, PIPC guidelines require explicit cookie-banner consent with equal-weight reject options. PIPC has aligned closely with EDPB on dark-pattern analysis.
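To show how the Art 15 consent requirements above can be enforced structurally rather than by policy alone, here is an added example of a per-purpose consent ledger. It is not code from the page or from PIPC; the purpose registry, field names and sample records are constructed for illustration. Each record carries exactly one registered purpose, so a single checkbox cannot cover service and marketing together, and a record is rejected unless the purpose, data categories, retention period and consequence of refusal were all disclosed and the subject actively opted in.

```python
"""Per-purpose consent ledger illustrating PIPA Art 15 granular consent.

Added example; not code from the page or from PIPC. Purpose names, field
names and the sample records are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed purpose registry: each key is one distinct processing purpose.
# A consent record must name exactly one key, so "service + marketing"
# can never be consented to with a single checkbox.
PURPOSES = {
    "account_service": "Operating your account and delivering the service",
    "marketing_email": "Sending marketing e-mail",
    "analytics": "Usage analytics",
    "transfer_us_cloud": "Transfer to a cloud provider in the United States",
}


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str                          # exactly one PURPOSES key
    data_categories: tuple[str, ...]      # categories disclosed for this purpose
    retention: str                        # retention period disclosed to the subject
    refusal_consequence: str              # consequence of refusal, disclosed to the subject
    granted_at: Optional[datetime]        # None = subject never actively opted in
    pre_ticked: bool = False              # True = the box was ticked by default
    revoked_at: Optional[datetime] = None


def validate(record: ConsentRecord) -> list[str]:
    """Return the reasons a record is NOT a valid opt-in (empty list = valid)."""
    problems: list[str] = []
    if record.purpose not in PURPOSES:
        problems.append(f"unknown or bundled purpose: {record.purpose!r}")
    if not record.data_categories:
        problems.append("data categories not disclosed")
    if not record.retention.strip():
        problems.append("retention period not disclosed")
    if not record.refusal_consequence.strip():
        problems.append("consequence of refusal not disclosed")
    if record.pre_ticked:
        problems.append("pre-ticked box is not an opt-in")
    if record.granted_at is None:
        problems.append("no affirmative opt-in (silence is not consent)")
    return problems


class ConsentLedger:
    """Store keyed by (subject, purpose); the latest record for a key wins."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    def record(self, rec: ConsentRecord) -> None:
        problems = validate(rec)
        if problems:
            raise ValueError("; ".join(problems))
        self._records[(rec.subject_id, rec.purpose)] = rec

    def revoke(self, subject_id: str, purpose: str, at: datetime) -> None:
        key = (subject_id, purpose)
        if key in self._records:
            self._records[key] = replace(self._records[key], revoked_at=at)

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True only if a valid, unrevoked consent for this exact purpose covers `at`."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.granted_at is None or rec.granted_at > at:
            return False
        return rec.revoked_at is None or rec.revoked_at > at


def demo() -> dict[str, object]:
    """Exercise the ledger with constructed records; returns the outcomes."""
    t0 = datetime(2026, 1, 10, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("u1", "account_service", ("email", "name"),
                                "until account closure", "account cannot be opened", t0))
    # A comma-joined purpose string is what a bundled checkbox would produce.
    bundled = ConsentRecord("u1", "account_service,marketing_email", ("email",),
                            "2 years", "none", t0)
    pre_ticked = ConsentRecord("u2", "analytics", ("device id",), "13 months",
                               "none", t0, pre_ticked=True)
    ledger.revoke("u1", "account_service", t0 + timedelta(days=5))
    return {
        "service_ok_day1": ledger.may_process("u1", "account_service", t0 + timedelta(days=1)),
        "marketing_denied_day1": ledger.may_process("u1", "marketing_email", t0 + timedelta(days=1)),
        "service_after_revocation": ledger.may_process("u1", "account_service", t0 + timedelta(days=6)),
        "bundled_problems": validate(bundled),
        "pre_ticked_problems": validate(pre_ticked),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The design point is that consent for marketing is never implied by consent for the service: `may_process` looks up the exact (subject, purpose) pair, and a revocation only affects processing from the revocation time onward, leaving the earlier consent auditable.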

Cross-border transfers (Art 17, 2023 amendment)

PIPA’s 2023 amendments tightened cross-border rules:

  • Notice + consent — separate explicit consent for the transfer
  • Disclosure of recipient country, retention period, and contact channel
  • Adequacy or contract — recipient must offer protection equivalent to PIPA, evidenced via PIPC-acceptable contracts

PIPC has not issued adequacy decisions for major destinations as of 2026 — meaning standard contractual safeguards plus consent are the practical path for almost every cross-border flow.

Data subject rights

  • Access (Art 35) — 10-day response window — among the shortest globally
  • Correction, deletion (Art 36) — 10-day window
  • Suspension of processing (Art 37)
  • Right of refusal (Art 22, 2023 amendment) — applicable to automated decisions affecting the data subject’s rights or interests

Breach notification

Art 34 — notify the PIPC and affected individuals within 72 hours of awareness for breaches affecting ≥1,000 individuals or involving sensitive data. Initial notification + final report within reasonable timeframe.

Mandatory roles

Art 31 requires designation of a Chief Privacy Officer (CPO). Under 2023 amendments, the CPO must be empowered to make autonomous decisions and must report directly to the CEO/board. This is unusually strong by global standards.

Enforcement

PIPA introduces a maximum administrative fine of 3% of related sales — calculated against the revenue connected to the violating processing activity, not total turnover. Notable enforcement:

  • Meta — KRW 6.7B fine (2022) for AI-training data use without consent
  • Google — KRW 69.2B fine (2022) for cross-border transfer rule violations
  • OpenAI — administrative actions 2023-2024 for ChatGPT data flows

PIPC is among the most active privacy regulators in APAC, with frequent multi-billion-won enforcement against US tech companies.

Key references

  • PIPC: pipc.go.kr
  • 2023 PIPA amendments — PIPC bulletin (translated summaries available via IAPP and Lexology)


Seven principles (Article 5)

The constitutional backbone — every processing activity must satisfy all seven simultaneously.

  1. Explicit consent baseline (Art 15–22)
     Opt-in is the default lawful basis — silence, pre-ticked boxes, and bundled consent are invalid.

  2. Granular per-purpose consent (Art 22)
     Each processing purpose needs its own consent checkbox — bundling marketing with service consent is prohibited.

  3. Purpose limitation (Art 3(1))
     Collect data only for specified purposes; secondary use needs fresh consent or statutory basis.

  4. Data minimisation (Art 3(2), Art 16)
     Collect only the minimum personal information necessary for the purpose — over-collection is itself a violation.

  5. Accuracy (Art 3(3))
     Keep personal information accurate, complete, and up to date for the purpose of use.

  6. Safety & security (Art 29)
     Implement technical, managerial, and physical safeguards (encryption, access logs, retention controls) — detailed in PIPC Notification 2023-6.

  7. Sensitive-data special protection (Art 23)
     Ideology, health, biometric, race, sexual life — separate explicit consent + heightened safeguards required.

  8. Children opt-in (under-14) (Art 22-2)
     Verifiable parental consent required for processing personal information of children under 14.

  9. Cross-border transparency (Art 28-8, 2023)
     Cross-border transfers require separate disclosure (recipient, country, purpose, retention) and, in most cases, separate consent.

Six lawful bases (Article 6)

You must identify and document one before processing — and consent isn't always the right one.

  • Art 15(1)1: Consent (default)
    User explicitly opts in — granular, separable per purpose, freely revocable.
    Common for: Analytics, marketing, newsletters, cross-border transfer

  • Art 15(1)2: Legal obligation
    Required or permitted by Korean statute (tax, labor, AML, e-commerce records).
    Common for: Tax retention, KYC, transaction logs

  • Art 15(1)4: Contract performance
    Necessary to perform a contract with the user — narrowed by 2023 amendments to exclude marketing or analytics.
    Common for: Account creation, order fulfillment, service delivery

  • Art 15(1)3: Public benefit / authority task
    Necessary for a public institution to perform statutory duties.
    Common for: Government services, public health

  • Art 28-2 (2023): Scientific research / statistics / archiving
    Pseudonymized data for statistical, scientific, or archival purposes — added in 2023 amendments.
    Common for: Anonymized analytics, public-interest research

  • Art 15(1)5: Vital interests
    Necessary to protect life, body, or property when consent cannot be obtained.
    Common for: Medical emergencies (rare for web)

Eight data-subject rights (Articles 12–22)

What individuals can demand from you, with the response window and scope.

Right | Article | Response | Scope
Right to be informed | Art 20, Art 30 | At collection | Privacy policy must disclose purpose, items, retention, recipients, cross-border, CPO contact.
Right of access | Art 35 | 10 days | Among the shortest globally — controller must respond within 10 days (extendable once with notice).
Right to correction | Art 36 | 10 days | Correct inaccurate or incomplete personal information; processing must pause during correction.
Right to deletion | Art 36 | 10 days | Delete personal information unless statute mandates retention; controller must notify third parties.
Right to suspension of processing | Art 37 | 10 days | Pause processing on request; controller must show statutory ground to refuse.
Right to refuse automated decisions | Art 22-2 (2023) | 30 days | Refuse or request human review of solely-automated decisions with significant effect — added by 2023 amendments.

Fines & enforcement


  1. 2022-09 · €48.0M · Google LLC · PIPC · KR · Art 15, Art 22, Art 39-15
     KRW 69.2B (~€48M) — largest PIPA fine. Collected behavioral data for personalized ads without separate, granular consent; opaque cross-border disclosure. Issued jointly with Meta KRW 30.8B in same decision (PIPC Resolution 2022-014).

  2. 2022-09 · €21.0M · Meta Platforms · PIPC · KR · Art 15, Art 22
     KRW 30.8B (~€21M) — same joint decision as Google. Cross-context behavioral advertising without granular opt-in.

  3. 2024-07 · €13.0M · AliExpress (Alibaba) · PIPC · KR · Art 17, Art 28-8
     KRW 19.78B — transferred KR consumer data to ~180,000 Chinese sellers without valid third-party-provision consent and inadequate cross-border disclosure.

  4. 2024-12 · €10.0M · Kakao · PIPC · KR · Art 29
     KRW 15.1B — security failures led to 2023 leak via OpenChat hash flaw exposing user identifiers. Largest domestic PIPA fine to date.

  5. 2022-09 · €4.7M · Meta Platforms · PIPC · KR · Art 15, Art 22, Art 39-15
     KRW 6.7B (~€4.7M) separate fine — collected user data including for AI-training purposes without obtaining valid consent. Distinct from the joint Google/Meta behavioral-ads decision.

  6. 2023-07 · €4.5M · LG U+ · PIPC · KR · Art 29
     KRW 6.8B — security failures led to leak of ~300,000 customer records including authentication credentials.

  7. 2024-03 · €800k · Worldcoin / Tools for Humanity · PIPC · KR · Art 15, Art 23, Art 28-8
     KRW 1.14B — biometric (iris) collection without valid consent under Art 23 + cross-border transfer to Germany without proper Art 28-8 disclosure.

  8. 2023-12 · €3k · OpenAI (ChatGPT) · PIPC · KR · Art 34
     KRW 3.6M token fine — March 2023 ChatGPT bug exposed conversation titles + payment data of 687 KR users. Investigation continued into 2024 on training-data lawful basis. (PIPC press release 2023-12-21).

Sources: national supervisory-authority press releases. Full enforcement database available via CMS Law tracker.

National addons


Country | National act | Stricter than GDPR baseline? | Note
🇰🇷 South Korea (KR) | PIPA (개인정보 보호법) + Enforcement Decree | Stricter | Primary jurisdiction. 2023 amendments (eff. 15 Sep 2023) consolidated PIPA + Information & Communications Network Act + Credit Information Act provisions and added explicit cross-border + automated-decisions rules.


Common questions

Does PIPA apply to my non-Korean website?
Yes, if you target Korean residents — PIPA has extraterritorial reach under Art 14 (2023 amendments). Offering services in Korean, accepting KRW payment, marketing to KR users, or processing KR resident data brings you in scope regardless of where you're incorporated. PIPC has actively fined US tech (Google, Meta, OpenAI) on this basis.
What's the maximum fine under PIPA?
Up to 3% of related sales (관련 매출액) — the revenue from the products or services connected to the violation, not global turnover. The 2023 amendments shifted from a fixed cap to this turnover-based formula. Largest fine to date: KRW 69.2B (~€48M) on Google in 2022. Criminal penalties (up to 10 years imprisonment) also apply for severe violations.
Why is consent under PIPA stricter than GDPR?
Three reasons. (1) Consent is the default lawful basis — the legitimate-interest equivalent does not exist; you cannot fall back to a balancing test. (2) Consent must be granular per purpose with separable checkboxes — bundling marketing with service consent is automatically invalid. (3) Cross-border transfers in most cases require their own dedicated consent on top of processing consent.
What are the cross-border transfer rules under Art 28-8?
The 2023 amendments codified explicit cross-border rules. You must disclose recipient, country, items transferred, retention period, purpose, and refusal rights. Separate consent is required unless one of the narrow exceptions applies (adequacy decision, certified scheme, contract-necessity, or treaty). Korea has issued limited adequacy recognitions — most US transfers still need consent or a PIPC-certified mechanism.
Do I need a CPO (Chief Privacy Officer)?
Yes — Art 31 makes CPO designation mandatory for nearly all controllers. The CPO must be at executive level (or the executive directly responsible for personal information), reportable to the CEO, and contactable via the privacy policy. Limited exemptions exist for very small businesses, but most online services must designate one. Unlike GDPR's DPO (advisory), Korea's CPO has direct operational responsibility.
What's the breach notification timeline?
72 hours under Art 34 (post-2023 amendments) — notify both PIPC and affected data subjects without delay if ≥1,000 records are affected or if any sensitive personal information (Art 23 categories) is involved. Smaller breaches still require internal records and may require notification on PIPC request.
How fast must I respond to an access request?
10 days under Art 35 — among the shortest globally (compare GDPR's 30 days). Extendable once with documented reasons, but the default response window is tight. Same 10-day rule applies to correction (Art 36) and suspension (Art 37) requests.
What changed in the 2023 PIPA amendments?
The most significant rewrite since 2011 (effective 15 Sep 2023). Key changes: (1) consolidated PIPA with the Information & Communications Network Act and parts of the Credit Information Act — one statute covers what was three; (2) explicit cross-border transfer regime (Art 28-8); (3) right to refuse/contest automated decisions (Art 22-2); (4) raised fines to 3% of related sales; (5) extended extraterritorial reach (Art 14); (6) added pseudonymized-data lawful basis for research/statistics (Art 28-2).
Are there sectoral overlays on top of PIPA?
Yes. The Credit Information Use & Protection Act covers financial data; the Act on the Protection of Communications Secrets covers call/message metadata; the Use & Protection of Location Information Act covers geolocation services (separate license + consent). Health data has additional overlays under the Bioethics & Safety Act. Sector-specific notifications from PIPC and the Korea Communications Commission also apply.
Is GDPR or PIPA stricter?
PIPA is stricter on consent (no legitimate-interest fallback, granular per-purpose required, cross-border re-consent), shorter response windows (10 days vs 30), and mandatory CPO designation. GDPR is broader in territorial reach (30 EEA states vs 1) and has higher absolute fine ceilings (€20M / 4% global vs 3% related sales). For analytics specifically, PIPA's granular opt-in + cross-border consent makes most US-cloud tools high-risk by default.