The Amended Enforcement Decree introduces specific rules that were delegated by the March 2023 amendments to the Personal Information Protection Act, which also came into effect on March 15, 2024. These include rules concerning automated decisions facilitated by artificial intelligence (AI) and similar technologies, qualification requirements for Chief Privacy Officers (CPOs), and insurance requirements.
Under the Amended PIPA, data subjects have the right to demand explanations or reviews of decisions made through a ‘fully automated process’. Moreover, when these automated decisions significantly affect the subjects’ rights and obligations, they have the right to refuse such decisions. In this context, an ‘automated decision’ refers to a final decision that affects one’s rights or obligations and is made through the processing of personal information by systems such as AI, which operate without any substantive human intervention.
Specifically, the Amended Enforcement Decree provides that:
Under the Amended PIPA, data controllers are obligated to appoint a Chief Privacy Officer responsible for overseeing and managing the processing of personal information. The Amended Enforcement Decree provides further details on the qualifications expected of the CPO and outlines specific entities that are required to appoint a CPO meeting these qualifications.
These entities include:
Data controllers meeting the above criteria must appoint a CPO with a total of at least four years of combined experience in personal information protection, information security, and information technology, with at least two years dedicated specifically to personal information protection.
However, in response to industry feedback during the legislative process, a grace period of up to two years has been implemented (until 14 March 2026) for individuals who were already designated as CPOs at the time of the Enforcement Decree’s effective date to meet the qualification requirements.
Aside from the qualification requirements, the Amended PIPA also has provisions aimed at ensuring the independence of CPOs. The Amended Enforcement Decree requires the data controller to establish a regular reporting system to the representative or board of directors, ensure the CPO’s access to information on personal information processing, and provide the CPO with necessary human and material resources.
Under the Amended PIPA, data controllers meeting specific criteria are required to have insurance or self-insurance coverage for any damages suffered by data subjects resulting from data controllers’ violation of the PIPA. The criteria for this requirement are delineated in the Amended Enforcement Decree, which has expanded the scope of entities subject to the insurance requirement.
Previously, only online service providers with 1,000 users or more and annual sales of at least KRW 50 million were obligated to comply with the insurance requirement. Under the Amended Enforcement Decree, however, the requirement applies to both online and offline service providers with 10,000 users or more and annual sales of at least KRW 1 billion.
Nevertheless, the Amended Enforcement Decree includes provisions exempting certain entities from the insurance requirement:
The Amended Enforcement Decree reduces the frequency of regular evaluations of the management status of unique identification information from every two years to every three years. However, entities acquiring ISMS-P certifications or undergoing evaluations mandated by other relevant laws may be exempted from these evaluation requirements.
Further, in relation to overseas transfer of personal information, the Amended Enforcement Decree requires data controllers to disclose the following information in their privacy policy: