PIPA 2026: Korea's 10% Turnover Fine
SEO

PIPA 2026: Korea's 10% Turnover Fine

Act No. 21445 takes effect 11 September 2026. The 10% tier is on total turnover, the CEO is named in statute, and it reaches you wherever your office is.

Korea's amended Personal Information Protection Act was promulgated as Act No. 21445 on 10 March 2026 and takes effect on 11 September 2026. It keeps the existing 3% of related revenue as the baseline administrative fine and adds a new tier reaching 10% of a company's total turnover for high-severity cases, names the CEO in statute as the person ultimately responsible for personal data processing, and makes ISMS-P certification mandatory for designated large controllers from 1 July 2027. If you market to Korean people, this applies to you regardless of where your office is.

Marketing teams tend to read privacy amendments as a legal department problem. This one is not, for a specific reason: the 10% ceiling is calculated on total turnover, not on revenue related to the violation. That arithmetic moves the risk out of the compliance budget and into the enterprise risk register, and it is why Korean procurement will now ask your agency questions it never asked before.

What follows is what changed, what it means for a GEO or content programme specifically, and where the honest limits of this article sit. We are not Korean lawyers. Anything touching Korean personal data needs Korean counsel, and this is orientation rather than advice.

What actually changed on 10 March 2026

The National Assembly passed the amendments on 12 February 2026. Promulgation followed on 10 March 2026 as Act No. 21445. Most provisions commence 11 September 2026. The ISMS-P mandate is deferred to 1 July 2027, reportedly because organisations need budget cycles to prepare.

Three pillars, and they reinforce each other rather than sitting side by side.

Higher penalties, on a different base. The standard fine remains up to 3% of revenue related to the violation. The new punitive tier reaches 10% of total revenue, and it applies in three circumstances: where a company intentionally or with gross negligence commits a violation and repeats it within three years; where a single incident involves intentional or grossly negligent conduct affecting 10 million or more data subjects; or where a company fails to comply with a formal PIPC corrective order and a breach then occurs. Read those conditions carefully. None of them describes an accident. All of them describe an organisation that was told and did not act.

CEO accountability, written into statute. The amendment explicitly designates the business owner or representative as the ultimate person responsible for the processing and protection of personal information. For controllers meeting criteria to be set by Presidential Decree, appointing or dismissing the Chief Privacy Officer now requires board approval and formal report to the PIPC. The regulator's diagnosis is not subtle: senior executives had been distancing themselves from operational failures, so the law removed the distance.

An incentive, not just a stick. Where a violation does not stem from intent or gross negligence, the PIPC is required to reduce the fine for organisations that can demonstrate verified investment in privacy, covering dedicated budget, personnel, equipment and systems. Documented spending now has a direct, statutory effect on penalty exposure. That is unusual, and it changes what "we take privacy seriously" means: it has to be evidenced, in writing, before anything goes wrong.

The breach-notification trigger also moved earlier, toward notifying when a breach is likely rather than waiting for forensic confirmation. Combined with ISMS-P from July 2027, an integrated Korean audit standard covering both information security and personal data, the direction is unmistakable.

Effective 11 September 2026

Four Changes That Move Privacy Into the Boardroom

Act No. 21445, promulgated 10 March 2026. The dates are fixed and the diary is shorter than it looks.

10% of total turnover, not related revenue

The 3% baseline on violation-related revenue stays. The new punitive tier is calculated on total revenue and triggers on repeat intentional violations within three years, incidents affecting 10 million or more people, or ignoring a PIPC corrective order before a breach.

The CEO is named in the statute

Explicitly designated the ultimate person responsible for personal data processing. For larger controllers, CPO appointment and dismissal now require board approval and formal report to the PIPC.

Documented privacy spend cuts the fine

Where intent or gross negligence is absent, the PIPC is required to reduce penalties for verified investment in budget, personnel, equipment and systems. Undocumented good intentions do not qualify.

ISMS-P becomes mandatory, 1 July 2027

Previously voluntary, now required for designated large controllers. An integrated Korean standard covering information security and personal data together, with locally defined controls.

And it reaches you wherever you are

PIPA applies extraterritorially to foreign operators providing goods or services to Korean data subjects, or whose processing substantially affects them, per the PIPC's own guidelines on applying PIPA to foreign business operators. Foreign operators must also designate a domestic representative, an obligation strengthened effective 2 October 2025. Your office address is not a defence.

Sources: Act No. 21445, promulgated 10 March 2026, effective 11 September 2026 • PIPC announcement, 9 March 2026 • Independent legal analysis from IAPP, Yulchon, DLA Piper, Hunton and Acclime, verified July 2026
Created by Arfadia • arfadia.com/blog

Why this lands on marketing rather than legal

Marketing generates more personal data touchpoints than almost any other function, and it does it through tools nobody in legal approved.

Consider what a normal week looks like. Someone pastes a customer list into an LLM to segment it. Someone builds a digital PR contact database from public sources. Someone uploads campaign logs to a third-party analytics tool with servers outside Korea. Someone runs sentiment monitoring on named individuals. Each of those is a defensible business activity. Each of them is also a PIPA question, and under the amended framework the answer arrives with the CEO's name attached.

The PIPC published a generative-AI personal information processing guide in August 2025, covering legal considerations and safety standards across AI development and use. Legal commentary on it converges on a practical recommendation: enterprise AI terms should disable provider training by default, with contractual control over retention, deletion, subprocessors, audit rights and overseas transfers. For a marketing team, that translates into a question worth asking before the next campaign, not after: which of our tools trains on what we put into it, and who signed off?

Risk, by activity

Not all marketing work carries the same exposure, and the differences are large enough to plan around. Content and answer-engine work sits mostly at the low end, which is genuinely useful to know.

Activity PIPA exposure Control that actually helps
Auditing public webpages and AI answersLowDo not append personal identifiers that the task does not need
Analysing aggregate visibility metricsLowReport aggregated or anonymised by default, not on request
Digital PR contact databasesMediumDocument source, purpose, access and retention before building it
Monitoring named employees or customersMedium to highApply necessity and data-minimisation tests, and write down the reasoning
Competitive scraping for brand and sentiment trackingMediumPermitted where processing meets the PIPC's legitimate-interest guidance. Filter or pseudonymise personal details at the point of ingestion, and never touch Resident Registration Numbers or private communications
Uploading customer records into an LLMHighProhibit without documented approval and a lawful basis on file
Processing Korean leads outside KoreaHighMap the cross-border transfer under Article 28-8 and get Korean legal review. Separate consent or another lawful basis is required, and the PIPC can order transfers suspended
Using prompts or logs to train internal systemsHighEstablish purpose, retention, opt-out and deletion controls first. Pseudonymisation under Article 28-2 where applicable

The pattern is worth stating plainly. GEO work is mostly content, entity and public-answer auditing, which sits at the low-exposure end. That is not a loophole, it is a design property, and it means a well-scoped Korean GEO programme can run with very little personal data in scope at all. The exposure appears when someone decides it would be convenient to move Korean customer records offshore for analysis. Convenience is the risk factor, not the discipline.

The foreign agency questions Korean procurement will ask

Four obligations sit on any foreign operator serving Korean data subjects, and Korean buyers know all four.

A domestic representative. Required, with the obligation strengthened effective 2 October 2025, to handle privacy matters and regulatory communication. This is the question that most often ends a foreign vendor conversation, because the honest answer is frequently "we had not thought about it".

A Korean-language privacy policy with a separate, clearly labelled section on overseas provision of personal information (개인정보의 국외 이전). A translated global policy does not satisfy this. Neither does a Korean page that buries the transfer disclosure inside a general paragraph.

Separate consent, or another lawful basis, for cross-border transfer under Article 28-8. The PIPC can order transfers suspended, which is a more immediate commercial problem than a fine.

Breach notification to the PIPC and affected data subjects, on a timeline that the 2026 amendment has pulled earlier, toward likelihood rather than confirmation.

Enforcement history says these are not theoretical. The PIPC has fined AliExpress (July 2024), KakaoPay at KRW 5.9 billion and Apple Distribution International at KRW 2.4 billion (January 2025), and Golfzon at KRW 7.5 billion (May 2024). It also sanctioned ScatterLab, developer of the Iruda chatbot, KRW 103.3 million for harvesting roughly 9.4 billion KakaoTalk messages from 600,000 users through secondary apps without explicit consent, and for uploading raw chat fragments to GitHub. And it investigated OpenAI after a leak exposed details of 687 Korean ChatGPT Plus subscribers, penalising the failure to notify authorities within the required window rather than the underlying cache bug.

That last case is the one worth remembering. The bug was an accident. The penalty was for the response.

Before September

What to Put in the Contract, Not the Policy Document

Documented investment now reduces penalties by statute. Which means the paperwork is no longer paperwork.

Training disabled by default

Legal commentary on the PIPC's August 2025 generative-AI guide converges here: enterprise AI terms should switch provider training off by default, with private APIs that disable retention. Get it in writing from every vendor in the stack.

Data minimisation as the default scope

Aggregated and anonymised reporting unless there is a documented reason otherwise. Korean personal data should not travel because analysis is easier abroad. That is a preference, not a lawful basis.

Eight clauses worth naming

Controller and processor roles, approved AI tools and providers, data locations and subprocessors, retention and deletion, whether prompts or outputs may train models, incident notification, audit and termination rights, and who owns the Korean-language notices and consent.

Document the spend, because it now counts

Budgets, hiring, tooling and projects tied to privacy and security should be formally recorded. Where intent and gross negligence are absent, the PIPC is required to reduce the fine for verified investment. Evidence is the discount.

Where this article stops

This is a strategic compliance framing, not Korean legal advice, and we are not Korean lawyers. Any engagement touching Korean personal data should be reviewed by qualified Korean counsel, and any agency that tells you their standard contract handles PIPA without local review is describing their confidence rather than your exposure.

Sources: PIPC generative-AI personal information processing guide, August 2025 • Legal commentary on enterprise AI contracting under PIPA • Act No. 21445 fine-reduction provisions
Created by Arfadia • arfadia.com/blog

Does PIPA prohibit working with a foreign agency?

No. No general prohibition follows from an agency's location.

Risk arises from what gets processed and where it goes, particularly through third-party AI services. A content and citation programme that never touches Korean personal information carries very different exposure from a lead-scoring programme that ships Korean customer records to another jurisdiction for analysis. Same agency, same country, entirely different risk profile.

Which reframes the procurement question usefully. Not "are you Korean" but "what data do you touch, where does it go, who else can see it, and can you show me the contract". A foreign agency with a data-minimised delivery model and a mapped transfer basis is a smaller risk than a local one improvising with an enterprise LLM. Location is a proxy. Data flow is the thing.

That is the posture we run in our GEO practice for South Korea: keep Korean personal data out of scope wherever the work allows, surface the domestic-representative and transfer questions in the first conversation rather than the contract review, and route anything genuinely legal to Korean counsel instead of guessing.

The diary, honestly read

Most provisions bite on 11 September 2026. ISMS-P follows on 1 July 2027. Both look further away than they are once you account for board approvals, vendor renegotiations and gap analyses.

Four things worth doing before September, none of which require a lawyer to start: work out what a 3% and a 10% fine would be against your actual revenue, because that number is the only thing that reliably gets a board's attention. Check whether your privacy insurance covers administrative fines and whether the limits still make sense against a 10% ceiling. Test your incident response against a notification trigger that now fires on likelihood rather than confirmation. And go through your marketing stack asking which tools train on your inputs.

Tessar Napitupulu covers how regulation and compliance shape AI visibility programmes across jurisdictions in Cited or Silent, available as a free gated edition, with retailer editions on Amazon, Google Play and Apple Books.


Frequently Asked Questions


When does Korea's amended PIPA take effect?

The amendment was passed by the National Assembly on 12 February 2026 and promulgated as Act No. 21445 on 10 March 2026. Most provisions take effect on 11 September 2026. The mandatory ISMS-P certification requirement for designated large controllers is deferred to 1 July 2027.


Is the fine really 10% of revenue?

Up to 10% of total turnover, but only for high-severity cases. The baseline remains up to 3% of revenue related to the violation. The 10% tier applies where a company intentionally or with gross negligence commits and repeats a violation within three years, where a single incident involves intentional or grossly negligent conduct affecting 10 million or more data subjects, or where a company ignores a PIPC corrective order and a breach then occurs. The base matters: total turnover, not violation-related revenue.


Does PIPA apply to an agency based outside Korea?

Yes. PIPA applies extraterritorially to foreign operators providing goods or services to Korean data subjects or whose processing substantially affects them, per the PIPC's guidelines on applying PIPA to foreign business operators. Foreign operators must also designate a domestic representative, an obligation strengthened effective 2 October 2025, publish a Korean-language privacy policy with a separate overseas-provision section, and obtain separate consent or another lawful basis for cross-border transfer under Article 28-8.


Does PIPA prohibit hiring an Indonesian or other foreign agency?

No, no general prohibition follows from location. Risk comes from what data is processed and where it flows, particularly through third-party AI services. Content, entity and public-answer auditing carries low exposure. Uploading customer records into an LLM or processing Korean leads offshore carries high exposure. The right procurement question is about data flow and contracts, not passports.


What does the CEO accountability change mean in practice?

The amended PIPA explicitly designates the business owner or representative as the ultimate person responsible for personal data processing. For controllers meeting criteria to be specified by Presidential Decree, appointing or dismissing the Chief Privacy Officer requires board approval and formal report to the PIPC. Privacy failures can no longer be treated as an operational matter that stops below the executive floor.


Can we still scrape public web data for competitive and brand monitoring?

Generally yes, where the processing complies with the PIPC's legitimate-interest guidance. The constraint is what you ingest: scraping platforms should not store or process identifying personal details such as Resident Registration Numbers or private communications. Filter or pseudonymise personal information at the point of ingestion rather than cleaning it up afterwards. For AI training on public data, the PIPC expects a documented legitimate-interest assessment showing the processing is necessary, proportionate and technically safeguarded.


Does documenting privacy spending actually reduce a fine?

Yes, and this is one of the more unusual features of the amendment. Where a violation does not result from intent or gross negligence, the PIPC is required to reduce the penalty for organisations demonstrating verified investment in privacy, covering dedicated budget, personnel, equipment and systems. Formal documentation of budgets, hiring and privacy projects becomes evidence with a direct financial effect, which is why it should be recorded before an incident rather than assembled after one.

Sources & References:

  • Personal Information Protection Act amendment, passed by the National Assembly 12 February 2026, promulgated as Act No. 21445 on 10 March 2026, most provisions effective 11 September 2026; mandatory ISMS-P certification for designated large controllers effective 1 July 2027. PIPC press release, 9 March 2026. Verified against independent legal analysis from the IAPP, Yulchon LLC, DLA Piper, Hunton Andrews Kurth and Acclime Korea, July 2026.
  • Penalty structure: baseline administrative fines up to 3% of revenue related to the violation; new high-severity tier up to 10% of total turnover, applying where a controller intentionally or with gross negligence repeats a violation within three years, where a single incident involves intentional or grossly negligent conduct affecting 10 million or more data subjects, or where a controller fails to comply with a PIPC corrective order and a breach results. Criminal sanctions of up to five years imprisonment or KRW 50 million remain for the most serious categories.
  • CEO accountability: the amended PIPA explicitly designates the business owner or representative as the ultimate person responsible for the processing and protection of personal information. For controllers meeting Presidential Decree criteria, CPO appointment and dismissal require board approval and formal report to the PIPC.
  • Fine reduction: where a violation does not result from intent or gross negligence, the PIPC is required to reduce the penalty for controllers demonstrating verified investment in privacy safeguards, covering budget, personnel, equipment and systems. Draft Enforcement Decree amendment announced 16 March 2026 covering revenue calculation and fine reduction.
  • Extraterritorial scope: PIPC "Guidelines on Applying the PIPA to Foreign Business Operators", 4 April 2024. Domestic representative obligation for foreign operators, strengthened effective 2 October 2025. Cross-border transfer under Article 28-8 requires separate consent or another lawful basis, with PIPC power to order suspension. Korean-language privacy policy with a separate overseas-provision section (개인정보의 국외 이전) required; a translated global policy is insufficient.
  • PIPC generative-AI personal information processing guide, August 2025, addressing legal considerations and safety standards across AI development and use. Legal commentary recommends enterprise AI terms disabling provider training by default, with contractual control over retention, deletion, subprocessors, audit rights and overseas transfers. Pseudonymisation under Article 28-2; secondary use under Article 15(3); legitimate-interest assessment for processing publicly available data.
  • Enforcement precedent: AliExpress (July 2024); KakaoPay, KRW 5.9 billion, and Apple Distribution International, KRW 2.4 billion (January 2025); Golfzon, KRW 7.5 billion (May 2024); ScatterLab (Iruda chatbot), KRW 103.3 million for processing approximately 9.4 billion KakaoTalk messages from 600,000 users without explicit consent and uploading raw chat fragments to GitHub; OpenAI investigated following a cache-bug leak exposing details of 687 Korean ChatGPT Plus subscribers, penalised for failure to notify authorities within the required window.
  • Right to opt out of automated decision-making, effective 15 September 2024. PIPC oversight of AI, profiling and cross-border transfers increasing.
  • This article is a strategic compliance framing, not Korean legal advice. Engagements involving Korean personal data should be reviewed by qualified Korean counsel.
0 Comments 0 Comments
0 Comments 0 Comments