[DigitalToday reporter Hwang Chi-gyu] "Locking up personal data is not a cure-all. If an individual does not consent, it cannot be used, and this is spreading formal consent procedures. That reduces the effectiveness of consent. Rather than seeking consent case by case, there can be broader consent."

Song Kyung-hee (송경희), chair of the Personal Information Protection Commission, held her first news conference since taking office on Tuesday and stressed that personal data protection methods also need to change in the AI era.

The commission will also introduce an AI special-case system so that safe use of personal data can become a reality in the AX era. The core of the AI special case is to allow high-quality original personal data to be used as AI training data to improve model performance. It will be allowed, following review and a resolution, on the condition that strengthened safeguards are in place when it aligns with public and social interests, such as improving autonomous driving performance or AI to prevent voice phishing, and when achieving the purpose is difficult with anonymisation or pseudonymisation.

Song said, "In the era of AI agents, we cannot only block. Beyond blocking, it is important to ensure it is used safely. Grey areas can grow beyond collecting, storing and using personal information, and we need to design with that in mind."

The commission set support for public and private sector AI transformation, or AX, to promote an AI-converged society as a key task this year. Song said it will actively push projects including one-stop support for pseudonymised information to provide close support so high-quality data accumulated at public institutions is safely pseudonymised and used, a pilot operation of non-action opinion letters, and personal information innovation zones. She added it is also pushing steps to support advance consulting through a public AX innovation support help desk if there are concerns or uncertainty about privacy infringement threats when pursuing AI projects.

She again stressed a privacy system focused on prevention in advance rather than after-the-fact responses, which she has emphasised since taking office. On large-scale personal data leak incidents at telecom companies and retail platforms, she said these companies hold large amounts of personal data and therefore require correspondingly high protection measures, but in many cases incidents stemmed from a lack of basic management, checks and controls. She pointed to this as showing not only individual company problems but also structural limits of the existing protection system that has focused on after-the-fact responses.

She added, "In an environment where AI and automation technologies have spread, it is difficult to practically protect the public with only an approach of investigating and punishing after a privacy infringement occurs. There is no choice but to move to managing risks from the design stage so incidents do not occur."

She also made clear that a shift to a prevention-focused system does not weaken sanctions.

The commission is pushing to introduce a special case for punitive fines for serious or repeated violations, with fines of up to 10 percent of total revenue. Song said, "This is not intended to strengthen punishment, but a structural device to ensure personal information protection is recognised as a management prerequisite rather than a corporate choice." She added it will strengthen policy incentives so prevention-focused management becomes a rational choice by securing a legal basis for incentives such as reduced fines when companies proactively invest in personal information protection and faithfully implement preventive measures.

The commission is also accelerating efforts to change the responsibility structure for personal information protection itself. It is also pushing legal revisions that clarify the CEO's final responsibility for personal information protection so company-wide management systems can operate, and that include strengthening the authority of the chief privacy officer and introducing a reporting system for CPO designation.

Song said, "We are also preparing improvement measures across the victim relief system so that data subjects can receive practical protection and remedies when a leak incident occurs. For matters requiring legal revisions, we will swiftly push legislative procedures so a prevention-focused protection system can be stably established in the field."

Song also shared her views on companies that are being investigated by the commission or have received sanctions over recent personal data leak incidents.

On the Coupang personal information leak incident, she said, "The investigation has progressed substantially. Personal information of more than 30 million people was leaked, so there are elements of legal violations, and there is also non-member information, so damage could increase further. We are also checking this." She did not make specific comments on the timing of announcing the findings.

On some observations that Coupang could become a trade issue because it is a business operator headquartered in the United States, she said, "Whether it violates the Personal Information Protection Act is important regardless of whether it is a domestic or overseas operator. We will examine it strictly in accordance with the law and issue a disposition. We are not considering variables related to telecommunications."

Earlier, SK Telecom filed an administrative lawsuit challenging a 134.8 billion won fine imposed by the Personal Information Protection Commission over a USIM hacking incident. Song said, "It is hard to accept the view that the fine is excessive because there was no unfair gain, as some say. The key is holding them responsible for causing harm to data subjects."