PIPA
Personal Information Protection Act
PIPA is South Korea's comprehensive data protection statute, enacted in 2011 and significantly strengthened by a 2020 amendment that consolidated enforcement under the Personal Information Protection Commission (PIPC). Further amendments modernized cross-border transfer rules and individual rights. It is regarded as one of the strictest privacy regimes globally.
Who it applies to
Personal information controllers, both public and private, that process the personal information of individuals in Korea, with the PIPC asserting application to overseas businesses whose processing affects Korean data subjects.
Identity requirements
- Obtain the data subject's informed consent, generally collected separately for distinct processing purposes, before collecting and using personal information
- Apply strict limits on processing unique identifiers such as resident registration numbers, which generally may not be processed without explicit statutory basis
- Satisfy a lawful basis for cross-border transfers, such as consent, an adequacy or certification finding by the PIPC, or appropriate safeguards
- Adopt technical, administrative, and physical safeguards, including encryption of unique identifiers and sensitive information
- Designate a chief privacy officer and, under recent reforms, assign ultimate accountability to the business representative
- Honor data subject rights including access, correction, deletion, suspension of processing, and rights related to automated decisions
How it impacts identity systems
| Identity area | Impact |
|---|---|
| Customer identity & consent (CIAM) | Consent is the central legal basis and must often be obtained separately per purpose, directly governing how identity and preference data are captured. |
| Identity verification (KYC/proofing) | Resident registration numbers and other unique identifiers are tightly restricted, limiting how organizations use national IDs for verification. |
| Data residency & cross-border transfer | Sending personal data overseas requires consent or another approved basis such as a PIPC adequacy or certification finding or appropriate safeguards. |
| Audit, logging & accountability | Controllers must appoint a privacy officer and, under recent reforms, place ultimate responsibility on the business representative, with reporting duties to the PIPC. |
| Breach notification | Controllers must notify affected data subjects and report qualifying breaches to the PIPC within statutory timeframes. |
Penalties
For the most serious violations the PIPC can impose administrative fines of a percentage of total revenue, in addition to corrective orders, surcharges, and criminal penalties.
PIPA: frequently asked questions
- Who enforces PIPA in South Korea?
  - The Personal Information Protection Commission (PIPC), an independent central administrative agency, is the primary regulator and enforcement authority for PIPA.
- Can companies use Korean resident registration numbers freely?
  - No. PIPA strictly limits processing of resident registration numbers and other unique identifiers, generally permitting it only where a law specifically requires or allows it, and mandates encryption when stored.
- Does PIPA apply to foreign companies?
  - The PIPC has asserted that PIPA can apply to overseas businesses whose processing affects data subjects in Korea.