South Korea's Personal Information Protection Commission said on Monday that a revised enforcement decree under the Personal Information Protection Act related to the MyData system, which allows data subjects to move and use their personal information where they want, was approved at a cabinet meeting.

The revision aims to expand the personal information transfer request right system, in force since March 13 last year, so that the public can experience and use it more broadly.

It expands to all sectors the scope of information transferers for data subjects (personal information handlers) and the scope of transferable information, which had been limited to healthcare and telecommunications. It also includes procedures and methods so the expanded right can be exercised more safely across all sectors.

The revision will take effect from August after a grace period.

Under the revision, criteria for information transferers for data subjects are defined as large-scale personal information handlers with personal information protection capabilities. Specific criteria include organisations operating large-scale systems with average sales exceeding 180 billion won and either at least 1,000,000 data subjects or at least 50,000 people whose sensitive or unique identification information is handled, public system operators, information transferers for third parties, and others.

In principle, the information that can be requested for transfer includes all information processed based on a data subject's consent, information processed in performing and concluding contracts, and information processed under laws and regulations.

The revision sets out transfer methods to ensure safe transfer when a data subject exercises the right through an agent. If an agent uses automated tools such as scraping, the agent will receive the transfer only in a manner agreed in advance with the information transferer to ensure personal information security.

In principle, it recommends an API (application programming interface) linkage method, but in the short term it allows scraping on a limited basis only for agents whose safety and reliability are guaranteed after prior consultation between the information transferer for data subjects and the agent.

Under the revision, the scope of the data subject's right to request transfers expands from healthcare and telecommunications to all sectors, but, considering the time needed to prepare for transfers by information transferers for data subjects, public system operators and information transferers for third parties will have their implementation delayed for 6 months from the date of promulgation. For information transferers for data subjects in the private sector whose average sales exceed 180 billion won, the delay will be 1 year.

The commission plans to form and operate a working-level consultative body to expand the third-party transfer area in 2026 to energy, education, employment, culture and leisure so that MyData spreads into areas the public can feel. It also plans to hold briefing sessions from March on key points of the revised decree and on plans for designating personal information management specialised institutions and related support projects.

Commission Chair Kyung-hee Song (송경희) said, "With this revision of the enforcement decree, the public, as data subjects, is expected to actively exercise sovereignty over its personal information and to move and use information according to its own intentions." She added, "We will work to ensure that information is transferred through safe and trustworthy companies and institutions, thereby creating public trust in the MyData system and producing tangible results."