The Personal Information Protection Commission is revamping its data protection framework to align with the era of artificial intelligence (AI). Moving away from a uniform regulatory approach, the commission will implement a principle-based system that regulates data usage according to risk levels. The response to data breaches will shift from post-incident penalties to a focus on preventive measures. Additionally, the system for protecting citizens' rights will be expanded to provide comprehensive support from reporting to compensation.
On July 3, the commission held a briefing at the Government Seoul Building to announce the 'Third Basic Plan for Personal Information Protection (2027-2029).' This plan, established every three years under the Personal Information Protection Act, outlines the direction of data protection policy for the next three years in response to the increasing use of data due to AI proliferation and recurring large-scale data breaches.
The most significant change involves restructuring the data regulation system to suit the AI environment. The commission decided to transition to a principle-based protection system that varies the level of protection based on the risk associated with data processing, reflecting feedback from the field that uniform regulations designed before the advent of AI hinder data utilization and compliance.
To facilitate this, the commission will operate an 'AI Transition (AX) Support Center' to alleviate legal uncertainties faced by companies developing AI services. It will also expand regional hubs that can link and utilize pseudonymous and anonymous information nationwide. The commission plans to enhance the OnMyData platform to strengthen citizens' rights to control their personal information and broaden the use of my data in welfare, caregiving, and healthcare sectors.
New standards for data protection will be established in response to advancements in AI technology. A protection framework will be developed to address the accountability structures of agentic AI and the continuous information collection environments of physical AI. The commission will also promote systems for AI risk assessment, prevention of data manipulation such as deepfakes, and ensuring AI transparency.
Data protection policy will shift from reactive measures to a focus on prevention. The commission will increase inspections in high-risk sectors and expand joint inspections with relevant ministries. It will introduce security checks and certification systems utilizing AI. Companies that proactively invest in data protection will receive incentives such as reduced penalties for data breaches, while those neglecting their management responsibilities will face stricter penalties and enhanced investigative capabilities. Tailored consulting and recovery technology support will be provided to small and medium-sized enterprises to improve their data protection capabilities.
The commission will also strengthen intergovernmental cooperation. Sectors with high data risks, such as telecommunications, education, and employment, will be jointly managed with relevant ministries, and an early warning system will be established. In response to the spread of generative AI and cloud technologies, the commission will expand data transfer networks with countries like the UK, the US, and Japan, and introduce assessments of the impacts of overseas data transfers to ensure safe data transfer systems.
The protection of citizens' rights will be enhanced. A one-stop rights remedy system will be established to connect reporting, investigation, dispute resolution, and compensation in cases of data breaches or violations. An AI-based personal information management platform will be developed to help users easily check the status of their personal data processing and exercise their rights. The commission will strengthen protections for sensitive information, including video and biometric data, and expand the data protection framework for children and adolescents.
Commission Chair Song Kyung-hee stated, "This basic plan is significant in redesigning the data regulation system to fit the AI environment and establishing a preventive protection framework. We will focus our policy efforts on creating an environment where citizens can use AI with confidence and companies can innovate based on trust."
* This article has been translated by AI.
Copyright ⓒ Aju Press All rights reserved.