Bae, Kim & Lee LLC held an academic seminar on the 18th at Ferrum Tower in Jung-gu, Seoul, with the Korea Information Law Association to address issues in the amended Personal Information Protection Act.
The seminar was organized to review practical issues in the amended Personal Information Protection Act ahead of the enforcement of key provisions in September. The theme was "Strengthening governance for personal information and information security: focusing on key issues and practical tasks of the 2026 amended Personal Information Protection Act." About 250 people from academia, the legal community, industry, and government and public institutions attended.
The amended law centers on strengthening corporations' responsibility for personal information protection and their management systems. The main points include specifying that the chief executive officer (CEO) has ultimate responsibility, strengthening the independence of the chief privacy officer (CPO), making certification under the information security and personal information protection management system (ISMS-P) mandatory for major personal information processors, introducing a system for notification of the possibility of a data breach, and toughening penalty surcharges for repeated or intentional violations.
Kim Jik-dong, Director General at the Personal Information Protection Commission, said in the first presentation that as large-scale personal information breaches continued in 2025, the need grew to strengthen prevention-focused responsibility and heighten sanctions for repeated violations. He also introduced additional legislative directions related to special provisions for artificial intelligence (AI) technology development and measures against secondary leaks.
Lee Geun-woo, a professor at Gachon University's College of Law, analyzed penalty surcharges under the Personal Information Protection Act from a Criminal Act perspective. Lee noted that a structure in which both a penalty surcharge and a criminal punishment are imposed could conflict with the constitutional principle prohibiting double jeopardy, and that if the calculation standards are unclear, it could undermine corporations' predictability.
Ko Hwan-gyeong, an attorney at Bae, Kim & Lee (31st Judicial Research and Training Institute class), presented corporations' compliance response strategies. Ko identified the following as key tasks: responding to the strengthened ISMS-P certification regime, privacy by design (PbD), preemptive checks for security vulnerabilities, building CEO- and CPO-centered governance, and overhauling processes for responding to leaks and infringement incidents.
In the general discussion, Choi Kyung-jin, co-chair of the Korea Information Law Association, served as moderator. Panelists included Lee Hae-won, a professor at Kangwon National University Law School; Cha Ho-beom, an SKT executive vice president; Son Kyung-min, an attorney at Bae, Kim & Lee; Lee Jin-gyu, a senior vice president at Naver; Choi Ji-a, a presiding judge at the Daegu District Court; Hwang Bo-seong, Director General of Personal Information at the Korea Internet & Security Agency (KISA); and Baek Dae-hyun, head of the Cyber Incident Response Division at the Ministry of Science and ICT.
The panelists agreed that the amended law is oriented toward prevention and stronger governance, but said areas where penalty surcharges could overlap with criminal penalties and damages provisions need to be streamlined. They also said that in the AI era, personal information protection, information security, and AI safety should be managed in an integrated way.
Ko said, "Ahead of the law's enforcement, this was a venue to discuss the positions of academia, the legal community, industry, and the government," adding, "To reduce the 'paradox of reporting,' in which corporations that faithfully report leaks end up bearing a greater burden, it is worth considering a plan to apply reductions in penalty surcharges for voluntary reports."