The government will overhaul the personal information protection system for the artificial intelligence (AI) era to focus on prevention.
The Personal Information Protection Commission announced the Third Basic Plan for Personal Information Protection (2027–2029) to promote trust-based AI innovation at the Economic Ministers' Meeting on the 3rd, in cooperation with related ministries. Under the Personal Information Protection Act, the Personal Information Protection Commission establishes this plan every three years together with the heads of central administrative agencies.
The plan is built on the vision of a "trusted personal information environment and an AI society enjoyed with peace of mind," and consists of four strategies and 12 initiatives. The four strategies are "innovation of the personal information protection system for the AI great transition era," "establishment of a prevention-centered protection system," "advancement of strategic personal information policy," and "enhancement of public rights and establishment of a trust culture."
First, the government will shift the personal information regulatory framework to a principles-based system that applies protection proportional to risk, moving away from uniform regulations to fit the AI environment. To resolve uncertainties that corporations face in handling personal information during AI transformation (AX), it will also operate an "AX safety support center."
In addition, while premising safety measures, it will introduce AI special provisions that allow the unavoidable use of original personal data for AI training, and establish regional hubs nationwide that can link and use data. It will prepare measures to prevent data tampering, such as deepfakes, and push for institutionalization to ensure AI transparency. For illegal distribution of personal information, it will create grounds for criminal penalties and strengthen the government's role in detection and deletion, as well as in collecting and analyzing related information.
It will also establish a prevention-centered personal information protection system. It will strengthen continuous inspection systems for high-risk and vulnerable sectors and promote the institutionalization of security inspections, including AI security checks. The plan is to integrate AI technology into the Information Security and Personal Information Protection Management System (ISMS-P) certification and various evaluation systems to increase effectiveness.
Corporations' accountability will also be strengthened. For corporations that invest proactively in personal information protection, incentives such as penalty surcharge reductions for data leaks will be expanded, the responsibility of chief executive officers (CEOs) will be strengthened, and the status of chief privacy officers (CPOs) will be elevated. For corporations that neglect management obligations, the government will pursue the introduction of a noncompliance penalty.