
The government will overhaul its personal data protection framework to align with the era of artificial intelligence (AI). In particular, it will open the way for the use of original personal data needed for AI development.
The Personal Information Protection Commission (PIPC), jointly with related ministries, announced the "Third Basic Plan for Personal Data Protection (2027-2029)" at a meeting of economy-related ministers held Wednesday. This basic plan serves as the blueprint for personal data policy applied over the next three years. The government will operate a whole-of-government system, with the PIPC as its control tower, to inspect and manage high-risk areas such as telecommunications, education, and employment together with the relevant ministries.
In line with the spread of AI, the government also decided to shift its personal data regulatory system from uniform regulation to a framework that applies protection proportionate to risk. In particular, it will create a special exemption allowing personal data legally collected under existing rules to be used in its original form for AI technology development. However, such use must undergo PIPC review and a risk factor assessment.
To resolve the legal uncertainty faced by companies, the government will operate an "AX Safety Support Center" and expand regional hubs for the use of pseudonymized and anonymized data.
To strengthen citizens' data sovereignty, the government also plans to upgrade the MyData support platform. It will expand MyData to 10 sectors to complete the first phase of the project, and in the second phase, will expand the use of data-based services centered on the welfare, care, and medical fields.
New personal data protection standards will also be established to respond to the spread of agentic AI and physical AI. The government plans to review the accountability structure for agentic AI's decision-making. It will also prepare measures to prevent data manipulation such as deepfakes and pursue institutionalization to secure AI transparency.
The center of gravity of personal data protection policy will also shift from after-the-fact sanctions to advance prevention. The government will strengthen a standing inspection system targeting high-risk and vulnerable areas, and pursue the institutionalization of security inspections, including AI security checks. It will incorporate AI technology into the Information Security and Personal Information Protection Management System (ISMS-P) certification and various assessment systems.
Corporate accountability will also be strengthened. For companies that invest proactively in personal data protection, the government will expand incentives such as reductions in fines for data breaches, while strengthening the responsibility of chief executive officers (CEOs) and elevating the status of chief privacy officers (CPOs). Conversely, for businesses that neglect their management obligations, the government will pursue the introduction of enforcement fines.
Cooperation on safe cross-border data transfers will also be expanded. Following the mutual equivalence recognition system already established between Korea and the EU, the government plans to cooperate with the United Kingdom, Japan, the United States, and others, taking into account the similarity of their legal systems and the scale of trade.







