Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 1 January 2025

  • Personal Information Protection Commission (PIPC): As the main data privacy regulator, the PIPC oversees compliance with PIPA in both the public and private sectors, including certain aspects of cybersecurity under PIPA.
  • Ministry of Science and ICT (MSIT): As the main cybersecurity regulator, the MSIT supervises general cybersecurity and other information security matters under the Network Act and specific cybersecurity issues under the Infrastructure Act. It also exercises certain regulatory powers over the protection of non-personal data under the Data Industry Act.
  • Ministry of the Interior and Safety (MOIS): … or managed by public sector bodies in accordance with the Public Data Act.
  • Financial Services Commission (FSC): It supervises the protection of credit information under the Credit Information Act and specific cybersecurity issues in the financial sector under the Electronic Financial Transactions Act.
  • Korea Communications Commission (KCC): It oversees the protection of location information under the Location Information Act and specific cybersecurity issues in the telecommunications sector under the Telecommunications Business Act.
  • Ministry of Health and Welfare (MOHW): It supervises the protection of medical information and specific cybersecurity issues in the medical sector under the Medical Service Act and the Bioethics and Safety Act.
How active is each of the regulator(s)?

Last review date: 1 January 2025

The Personal Information Protection Commission is:

☒ Very active

The cybersecurity and non-personal data regulators are:

☒ Moderately active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 1 January 2025

In the area of data privacy, the PIPC typically announces its key policy implementation plans in February each year. For 2024, the PIPC has outlined six key initiatives:

  • Creating conditions for the trustworthy growth of AI, including the development of guidelines for AI phases (planning, data collection and data learning)
  • Expanding the MyData system to allow data subjects to transfer their personal data to desired services, to further ensure the right to data portability
  • Establishing a personal data protection system for day-to-day security, including proactive inspections in key areas
  • Strengthening the rights of data subjects in the digital age, including evaluating privacy policies and updating guidance on targeted online advertising
  • Fostering a personal data ecosystem that supports the data economy, including proposing legislation on the fair use of video information
  • Leading the way on global personal data standards, including developing mutual recognition systems for international data transfers

In the area of cybersecurity, the MSIT and the Korea Internet & Security Agency (KISA) announce key initiatives every January. For 2024, they have outlined three main plans:

  • Enhancing attack-specific responses using AI technology and expanding collaboration with private sector experts for joint investigations
  • Strengthening private sector incident response capabilities through legal and institutional improvements
  • Reinforcing vulnerability remediation measures, including mandatory patching of high-risk vulnerabilities and expanding sector-specific vulnerability discovery competitions

In 2025, Korean data privacy and cybersecurity regulators are expected to continue their efforts from 2024, focusing on AI governance, data subject rights, proactive inspections, data ecosystem development, international cooperation, AI-driven cybersecurity, public-private collaboration, incident response capabilities, and vulnerability remediation.

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 1 January 2025

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

  Increasing

Class actions/group actions under data or cyber regulation are:

  Not available in the jurisdiction

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 1 January 2025

There are:

☒ administrative remedies/civil penalties applied by regulators and law enforcement

Regarding key data privacy laws and regulations:

  • The PIPC may order those who violate PIPA to stop personal information breach acts, temporarily suspend personal information processing, and take other necessary measures to protect personal information and prevent breach (PIPA, Article 64). Additionally, the PIPC may impose a penalty surcharge of up to 3% of the average annual sales for the past three business years ("3% Penalty Surcharge") on personal information controllers who violate major prohibitions of PIPA (PIPA, Article 64-2).
  • The FSC may take corrective measures for violations and order other necessary measures if credit information companies, etc. violate the Credit Information Act in a way that may harm the rights and interests of credit information subjects (Credit Information Act, Articles 45(7) and 45-2). The FSC may also impose a 3% Penalty Surcharge on credit information companies, etc. that violate major prohibitions of the Credit Information Act (Credit Information Act, Article 42-2).
  • The KCC may order those who violate the Location Information Act to take necessary measures to correct the violation, including stopping the violating acts (Location Information Act, Article 36-2). The KCC may also impose a 3% Penalty Surcharge on location information providers, etc. that violate major prohibitions of the Location Information Act (Location Information Act, Article 14).

Regarding key cybersecurity laws and regulations:

  • The MSIT, etc. may order network service providers who violate the Network Act to take corrective measures necessary to stop or correct the violating acts (Network Act, Article 64(4)). However, there are no explicit provisions for imposing penalty surcharges for violations of the Network Act.
  • The FSC may take corrective measures for violations when it deems that a financial company or electronic financial business has violated the Electronic Financial Transactions Act in a way that may harm its sound operation (Electronic Financial Transactions Act, Article 39(6)). The FSC may also impose penalty surcharges on financial companies or electronic financial businesses that violate major prohibitions of the Electronic Financial Transactions Act (Electronic Financial Transactions Act, Article 46).
  • Lastly, the Infrastructure Act does not provide for any corrective orders or penalty surcharges.

☒ criminal penalties from regulators and law enforcement

  • PIPA: Ten types of violations, including providing personal information to a third party without the consent of the data subject and knowingly receiving such personal information, are punishable by imprisonment for up to five years or a fine of up to KRW 50 million (Article 71). Three types of violations, including arbitrarily manipulating fixed-type video information processing equipment for purposes other than their installation purpose or using audio recording functions, are punishable by imprisonment for up to three years or a fine of up to KRW 30 million (Article 72). Five types of violations, including continuing to use personal information or providing it to a third party without taking necessary measures such as correction or deletion, are punishable by imprisonment for up to two years or a fine of up to KRW 20 million (Article 73).
  • All other key data privacy and cybersecurity laws and regulations: Specifically, Article 50 of the Credit Information Act, Chapter VI of the Location Information Act, Chapter X of the Network Act, Article 49 of the Electronic Financial Transactions Act, and Chapter VII of the Infrastructure Act contain criminal penalty provisions similar to those in PIPA, imposing imprisonment or fines proportional to the severity of various major violations.

☒ private remedies

  • PIPA Article 39: Data subjects may claim damages from personal information controllers if they suffer damage due to the controller's violation of PIPA. In this case, the personal information controller cannot be exempted from liability unless it proves that there was no intention or negligence. Furthermore, if personal information is lost, stolen, leaked, forged, altered, or damaged due to the intention or gross negligence of the personal information controller and the data subject suffers damage, the court may determine the amount of damages up to five times the actual damage amount. However, this does not apply if the personal information controller proves that there was no intention or gross negligence.
  • Article 43 of the Credit Information Act: Contains provisions for civil damages almost identical to PIPA Article 39 regarding cases where credit information companies, etc. and those who received credit information from them cause damage to credit information subjects by violating the Credit Information Act.
  • Article 27 of the Location Information Act: Personal location information subjects may claim damages from location information providers, etc. if they suffer damage due to acts violating Articles 15 to 26 of this Act. In this case, the location information provider, etc. cannot be exempted from liability unless it proves that there was no intention or negligence. However, unlike PIPA Article 39 and Article 43 of the Credit Information Act, there is no provision for such punitive damages of up to five times the actual damage.
  • Regarding key cybersecurity laws and regulations: The Network Act, Electronic Financial Transactions Act, and Infrastructure Act do not specifically provide for civil damages. Therefore, in such cases, general tort provisions apply: A person who causes damage to another person by an unlawful act, intentionally or negligently, shall be liable to compensate for that damage (Korean Civil Act, Article 750).
If data subjects have private remedies, what form can these remedies take?

Last review date: 1 January 2025

  individual personal actions

  representative actions (e.g., brought by a consumer/data privacy body or the supervisory authority)