Korea to Criminalize Buying Illegally Traded Personal Data

On February 25, Korea's Personal Information Protection Commission (PIPC) announced a significant policy shift during an inter-agency voice phishing task force meeting: it will establish legal grounds to punish the purchase and distribution of illegally traded personal data.

This may sound like a technical footnote in a fraud-prevention meeting. For anyone working in privacy compliance in Korea, it's anything but.

The Gap That Existed

Korea's Personal Information Protection Act (PIPA) has long focused its criminal penalties on the supply side — those who illegally collect or provide personal data. Collecting personal data without consent, or providing it to third parties without a legal basis, can result in up to five years in prison or a fine of up to KRW 50 million.

But what about the buyers?

In 2024, Korea's Supreme Court acquitted a telemarketer who had purchased 4 million personal data records from a data broker. The court's reasoning: simply buying data without knowing its source or how it was obtained does not constitute "acquiring personal data through deceptive or otherwise illegal means" under PIPA.

If you didn't know the data was illegally collected, you couldn't be punished for buying it. This effectively meant that intermediaries and end-buyers in the personal data brokering ecosystem operated in a legal gray zone — a gap that criminals exploited for voice phishing and other fraud schemes.

What's Changing

PIPC announced two key initiatives.

First, it will create a legal basis to punish the purchase and distribution of illegally traded personal data. This closes the loophole where buyers could claim ignorance about data origins.

Second, it will establish legal authority for PIPC to collect and analyze information about illegal data distribution channels — enabling proactive enforcement rather than reactive investigation.

Specific legislative language hasn't been released yet. But the direction is clear: regulation is expanding from supply-side enforcement (collection and provision) to demand-side enforcement (purchase and distribution).

What This Means for Companies

This announcement came in the context of voice phishing countermeasures, so it's tempting to dismiss it as irrelevant to ordinary businesses. But in practice, many companies source external data in ways that could be affected.

Purchasing marketing databases, acquiring sales lead lists, integrating customer data from partners — if your organization does any of this, it's time to review your data sourcing procedures.

Once this legislation passes, "we bought it from a legitimate vendor" may no longer be a sufficient defense. Buyers will likely need to verify how the data was originally collected and whether proper consent was obtained.

The meeting's headline achievement was four consecutive months of declining voice phishing losses. But for compliance practitioners, the new legal basis for punishing data purchases will have a far longer-lasting impact.

