A proposed amendment to the Personal Information Protection Act (hereinafter “PIPA”; the proposed amendment to be referred to as the “Amendment”), which seeks to strike a balance between the need to utilize personal information in the development of artificial intelligence (“AI”) technologies and the protection of data subjects’ rights, passed the National Assembly’s National Policy Committee (the “Committee”) on May 14, 2026.

The Amendment is a committee substitute that consolidates and reconciles two proposed partial amendments to PIPA: one introduced by Rep. Min Byoungdug of the Democratic Party as the lead sponsor (Bill No. 2207858, introduced on January 31, 2025) and the other introduced by Rep. Koh Dongjin of the People Power Party as the lead sponsor (Bill No. 2208904, introduced on March 13, 2025). It is expected to be referred to the Legislation and Judiciary Committee and subsequently submitted to the plenary session.

The following provides an overview of the background, key provisions, and implications of the Amendment.

1. Legislative Background of the Amendment

As the development of AI technology has become a key priority for enhancing national competitiveness and improving the quality of life, demand for the utilization of data containing personal information has steadily increased across a wide range of sectors, including areas with strong public interest—such as strengthening social safety nets and preventing disasters and crime—as well as various emerging industries.

However, under the current law, the use of personal information beyond the original purpose of collection is, in principle, prohibited. Although such use may be permitted through anonymization or pseudonymization, industry stakeholders have continued to raise concerns that, in the case of information essential for AI training —such as video, audio, and images—these methods often make it difficult to ensure sufficient performance.

Accordingly, this Amendment seeks to permit the use of personal information for AI technology development beyond the original purpose of collection, provided that certain requirements are met and have undergone deliberation and resolution of the Personal Information Protection Commission (the “PIPC”). Concurrently, it establishes a framework for prior risk assessment as well as ex post management and oversight, thereby aiming to strike an appropriate balance between data utilization and the protection of data subjects’ rights.

2. Key Provisions of the Amendment

The Amendment introduces Section 5 (Special Provisions for the Processing of Personal Information for AI Technology Development) under Chapter III of PIPA. The key provisions are as follows:

A. Use of Personal Information for AI Technology Development (proposed Article 28-12) and Exclusion of Certain Provisions from Applying to the Scope of Use Under the Special Provisions (proposed Article 28-15)

• Where a personal information controller meets all of the following three requirements and has undergone the deliberation and resolution of the PIPC, the controller is permitted to use previously lawfully collected personal information for AI technology development (including performance enhancement) beyond the original purpose of collection (proposed Article 28-12(1)):
  1.  AI technology development is difficult by using anonymized or pseudonymized personal information;
  2.  Appropriate safeguards must be in place in accordance with the criteria prescribed by Presidential Decree; and
  3.  The purpose of AI technology development is: (i) to promote the public interest; or (ii) to protect the interests of data subjects or third parties, or to promote social interests, and, in either case, such use poses a significantly low risk of unfairly infringing upon the rights or interests of data subjects or third parties.
• The PIPC shall, where the case falls under the criteria prescribed by Presidential Decree—such as where the processing of sensitive information or personally identifiable information is involved—require the personal information controller to conduct a risk assessment and submit the results prior to deliberation and resolution (proposed Article 28-12(3)), and may streamline the deliberation and resolution procedures where the case is substantially identical or similar to one that has previously undergone deliberation and resolution (proposed Article 28-12(4)).
• The PIPC may impose conditions, within the scope necessary to ensure the protection of the rights of data subjects and the secure processing of personal information, at the time of its deliberation and resolution (proposed Article 28-12(2)), and, upon rendering such deliberation and resolution, shall disclose on its website the requesting party, the key details, and a summary of the risk assessment results (proposed Article 28-12(6)).
• A personal information controller seeking to use personal information subject to the deliberation and resolution of the PIPC shall include the purpose of use and categories of personal information in its privacy policy (proposed Article 28-12(5)). 
• Within the scope of the use of personal information under these special provisions, the application of the following provisions of the PIPA may be excluded (proposed Article 28-15):
  (i) Restrictions on use and provision beyond the original purpose (Articles 18-19);
  (ii) Notification of sources, etc. of personal information collected (Article 20) and notification of details of use or provision (Article 20-2);
  (iii) Restrictions on the processing of sensitive information, personally identifiable information, and resident registration numbers (Articles 23, 24 and 24-2);
  (iv) Restrictions on the operation of visual data processing devices (Articles 25 and 25-2); and
  (v) Provisions relating to outsourcing of processing overseas (Article 28-8).

B. Management and Supervision, and Restrictions on Personal Information Processing for AI Technology Development (proposed Articles 28-13 and 28-14)

• The PIPC shall periodically monitor and supervise compliance with the matters it deliberated and resolved, and may require a personal information controller to submit relevant materials to the extent necessary (proposed Article 28-13).
• Where a person who has obtained the PIPC’s deliberation and resolution falls under any of the following cases, the PIPC shall, through its deliberation and resolution, restrict all processing of personal information, and the personal information controller shall, without delay, take necessary measures and report the results to the PIPC (proposed Article 28-14): 
  (i) Where the deliberation and resolution was obtained through fraudulent and improper means;
  (ii) Where the statutory requirements or the conditions imposed by the PIPC are not satisfied;
  (iii) Where the processing of personal information is not commenced within six months from the date of the deliberation and resolution without justifiable grounds; or
  (iv) Where it becomes clearly impossible to achieve the intended purpose due to material changes in circumstances.

3. Implications of the Amendment

• (Monitoring Legislative Developments and Submission of Opinions) 
  As this Amendment is subject to deliberation and resolution by the Legislation and Judiciary Committee as well as the plenary session of the National Assembly, businesses seeking to use personal information in its original form for AI technology development should periodically monitor the progress of this Amendment.
  
  Furthermore, specific details—such as the concrete assessment criteria for each requirement to use personal information under this Amendment, the criteria for evaluating the adequacy of safeguards, the deliberation and resolution procedures, and the scope of eligibility for streamlined procedures—are expected to be delegated to Presidential Decree. Accordingly, it is necessary to closely monitor relevant developments starting from the legislative notice stage of the Enforcement Decree following the passage of this Amendment, and to actively submit opinions so that the practical perspectives of relevant industry stakeholders may be appropriately reflected.
   
• (Preparatory Steps for Obtaining Permission) If this Amendment comes into force, it is expected to significantly alleviate the challenges faced by businesses in areas of AI development where meaningful model training is not feasible through anonymization or pseudonymization. However, as the special provisions under the Amendment effectively adopts a ‘de facto permission regime’ predicated on the prior deliberation and resolution of the PIPC, businesses seeking to use personal information without anonymization or pseudonymization will need to prepare materials in advance to demonstrate that they meet the statutory requirements for such permission. 

About Shin & Kim’s ICT Group

Shin & Kim’s ICT Group provides comprehensive, one-stop legal services by leveraging the firm's distinctive expertise and extensive professional network in the ICT sector, having consistently earned the highest client recognition in recent years. Drawing upon our deep-seated capabilities in broadcasting, telecommunications, personal information protection, and internet IT, we deliver the highest level of legal advisory services encompassing regulatory trend analysis in broadcasting, telecommunications, and ICT; government affairs, legislative improvement and legislative consulting; regulatory impact assessment; and corporate strategic planning. Furthermore, we possess extensive experience and exceptional expertise in personal information/AI compliance and risk management, providing holistic analysis and strategic responses to legal issues and regulatory risks associated with AI adoption and deployment across diverse industry sectors. Please feel free to contact us with any questions or if you require our assistance on any ICT-related legal matters.

[Korean version] ｢개인정보 보호법」 개정안 국회 정무위원회 통과 - 인공지능기술 개발을 위한 개인정보 처리의 특례 신설