Korea's PIPA Amendment: What Compliance Teams Need to Know
Korea's amended Personal Information Protection Act (PIPA), passed by the National Assembly on February 12, 2026, was officially promulgated on March 10. Most provisions take effect on September 11, 2026, with mandatory ISMS-P certification starting July 1, 2027.
There's a lot changing. Rather than covering everything, here are the five changes that matter most for compliance practitioners, with old-vs-new comparison tables drawn from the enacted statute.
Timeline
- 2026.3.10 — Promulgation
- 2026.9.11 — Most provisions effective (10% surcharge, CPO governance, expanded breach notification, CEO accountability)
- 2027.7.1 — Mandatory ISMS-P certification effective (Art. 32-2(1) proviso)
1. Surcharges: 3% → Up to 10% of Revenue
The baseline cap remains at 3% of total revenue. The amendment introduces an aggravated surcharge of up to 10% under specific conditions.
Old vs. New — Art. 64-2 (Surcharges)
| Item | Current | Amended (eff. 2026.9.11) |
|---|---|---|
| Base surcharge | Up to 3% of total revenue (up to KRW 2B if no revenue) | Same |
| Aggravated surcharge | None | Up to 10% of total revenue (up to KRW 5B if no revenue) — new para. 2 |
| Aggravation trigger ① | — | Repeat violation of same provision within 3 years of prior surcharge (intentional/gross negligence) |
| Aggravation trigger ② | — | Intentional/gross negligence + 10 million+ affected data subjects |
| Aggravation trigger ③ | — | Breach occurs due to failure to comply with corrective order |
| Mitigation | None | Surcharge reduced if controller invested in budget, personnel, equipment, etc. — new para. 6 |
| Mitigation exclusion | — | Not available for intentional or grossly negligent violations |
| "Breach etc." definition | Loss, theft, leakage, forgery, alteration, damage (enumerated) | Consolidated as "breach etc." (defined in Art. 23(2)) |
Practitioner note: The new mitigation clause (para. 6) means documented investment in privacy protection — budget allocation, headcount, infrastructure — can reduce surcharges. But this doesn't apply to intentional or grossly negligent conduct, so proactive investment is not a blanket shield.
2. CPO Governance Overhaul
Previously, appointing a CPO (Chief Privacy Officer) was a purely internal designation: no board involvement and no filing with the regulator were required. The amendment now requires a board resolution and notification to the PIPC for any CPO appointment, change, or removal.
Old vs. New — Art. 31 (CPO Designation)
| Item | Current | Amended (eff. 2026.9.11) |
|---|---|---|
| Role definition (para. 1) | "Overall responsibility for processing" | "Overall management of processing and protection" |
| Board approval | None | Board resolution required for CPO appointment, change, or removal — new para. 3(1) |
| PIPC notification | None | Must report CPO appointment/change/removal to PIPC — new para. 3(2) |
| CPO duties | 7 items (para. 3) | 9 items (para. 4) |
| New duty ① | — | Managing expert personnel and securing budget for protection |
| New duty ② | — | Reporting protection status to CEO/board |
| Independence guarantee | Para. 6 (no disadvantage, independent performance) | Moved to para. 7, content unchanged |
| Fine (no CPO designated) | Up to KRW 10M (Art. 75(4)(9)) | Up to KRW 30M (Art. 75(2)(14-2)) |
| Fine (no board resolution) | — | Up to KRW 30M — new (Art. 75(2)(14-3)) |
| Fine (no PIPC notification) | — | Up to KRW 30M — new (Art. 75(2)(14-4)) |
Practitioner note: The threshold for which companies are subject to the board resolution requirement is delegated to presidential decree. The decree hasn't been issued yet. But the procedural requirement itself is final — start designing your internal process now.
3. Breach Notification Expanded — Including "Possibility" of Breach
Previously, notification was required only after a breach was confirmed. The amendment adds a duty to notify when there is a possibility of a breach.
Old vs. New — Art. 34 (Breach Notification and Reporting)
| Item | Current | Amended (eff. 2026.9.11) |
|---|---|---|
| Scope of "breach etc." | Loss, theft, leakage | Loss, theft, leakage + forgery, alteration, damage |
| Possibility notification | None | Must notify without delay when possibility of breach is identified — new para. 2 |
| Notification content (item 3) | Information on minimizing harm | Specific information on minimizing harm |
| New notification item | — | Legal rights including damages claims, statutory damages, and dispute mediation — new para. 1(6) |
| Harm minimization measures | Prepare countermeasures + take necessary action | Must include retrieval/deletion of affected data to prevent further spread — para. 3 strengthened |
Practitioner note: The "possibility of breach" threshold is delegated to presidential decree — what level of possibility triggers the duty is still undefined. However, the requirement to inform data subjects of their legal remedies is final. Update your breach notification templates now.
4. Mandatory ISMS-P Certification (eff. 2027.7.1)
ISMS-P (Personal Information & Information Security Management System) certification was previously voluntary. The amendment makes it mandatory for controllers meeting certain criteria.
Old vs. New — Art. 32-2(1) (Privacy Certification)
| Item | Current | Amended (eff. 2027.7.1) |
|---|---|---|
| Certification nature | Voluntary ("may certify") | Voluntary + mandatory ("must obtain certification" — new proviso) |
| Mandatory target | None | Controllers meeting criteria based on revenue, data processing scale, etc. (per presidential decree) |
Practitioner note: The specific thresholds are delegated to presidential decree. The key open question is how the new PIPA targets will be aligned with the existing mandatory ISMS certification targets under the Network Act (Act on Promotion of Information and Communications Network Utilization and Information Protection), given that ISMS-P itself has until now been voluntary. Watch for the decree's legislative notice.
5. CEO/Business Owner Accountability — New Provision
This is an entirely new article.
Old vs. New — Art. 30-3 (CEO/Business Owner Accountability)
| Item | Current | Amended (eff. 2026.9.11) |
|---|---|---|
| Provision | None | New article |
| Content | — | The business owner or CEO bears ultimate accountability for safe processing and data subject rights protection, and must take effective comprehensive management measures including expert personnel and sufficient budget |
Practitioner note: The statutory wording "effective" (실효성 있게, literally "with real effect") is significant. Nominal measures will not suffice: regulators can be expected to assess whether budget was actually allocated, staff actually hired, and systems actually implemented. This connects directly to the surcharge mitigation clause in Art. 64-2(6), which likewise turns on documented investment in privacy protection.
Pending Presidential Decree Items
Many specifics are delegated to presidential decree. The statutory text is final, but the detailed criteria are not.
- 10% aggravated surcharge: Art. 64-2(2) — threshold for the KRW 5B cap when there is no revenue
- CPO board resolution scope: Art. 31(3) — which companies by size are subject to this requirement
- Possibility of breach notification: Art. 34(2) — what level of possibility triggers the duty
- Mandatory ISMS-P targets: Art. 32-2(1) proviso — revenue and data processing scale thresholds
- Surcharge mitigation criteria: Art. 64-2(6) — what types of investment qualify for reduction
The presidential decree will be covered in a separate post once its legislative notice is published.
Sources
- PIPA Act No. 20897 (Partially amended 2025.4.1, effective 2025.10.2)
- PIPA Amendment — Promulgated 2026.3.10 (effective 2026.9.11 / mandatory ISMS-P 2027.7.1)
- Lawtimes — PIPA Amendment Analysis