The Personal Information Protection Commission on Thursday announced the third Basic Master Plan for Personal Data Protection (2027-2029) to promote trust-based artificial intelligence (AI) innovation as a joint agenda item with relevant ministries at a meeting of economic ministers.
Under the law, the commission draws up the plan every 3 years together with the heads of central administrative agencies. It lays out a blueprint for personal data policy for the next 3 years. The plan sets a vision of a trusted personal data environment and an AI society people can use with confidence. It is built around 4 strategies and 12 tasks: innovating the personal data protection system in an era of major AI transformation, establishing a prevention-focused protection system, upgrading strategic personal data policy, and enhancing public rights and embedding a culture of trust.
The commission will first push to shift to a regulatory system that flexibly reflects the AI environment. Reflecting feedback from the field that uniform regulations designed before the AI era make legal compliance difficult and limit data use, it will move to a principles-based protection system that regulates protection in proportion to risk.
To quickly resolve uncertainty over personal data processing that accompanies artificial intelligence transformation (AX), it plans to operate an "AX Safety Support Center" as a comprehensive one-stop window for tailored innovation support. It will also strengthen public sovereignty over data use, which has so far been centered on companies and institutions. It will reinforce the mydata support (OnMyData) platform so people have decision-making authority over their information, and it will establish and expand a system to return to data subjects the value derived from data.
It will also strengthen responses to privacy risks to secure trust in AI data. It will review accountability structures for decision-making, including processing by autonomous AI (agentic AI). It will set rights guarantees to respond to expanded always-on information collection by physical AI. It will also establish regulatory systems and protection standards for the latest technologies, such as risk assessments. Taking into account that full recovery is difficult after a data leak occurs, it will establish a prevention-focused protection system and support its rollout and embedding in the field.
It will upgrade an always-on inspection system, including intensive checks of high-risk groups and joint inspections with ministries, focusing on checking for weaknesses or protective measures before an incident occurs and improving them. It plans to improve standards and procedures and boost effectiveness by applying AI technology to information security and personal data protection management system (ISMS-P) certification and various evaluation systems.
It will reinforce strong incentive systems for pre-emptive protective measures before incidents and also strengthen corporate accountability. It will expand incentive cases, such as reducing leak-related penalties for proactive protection investment that exceeds mandatory standards, to encourage companies to actively take voluntary protective measures. It also said it will embed CEO accountability so that personal data protection is actively considered in organisational decision-making, and strengthen the standing of chief privacy officers (CPOs).
It will also greatly strengthen deterrence through strict investigations and sanctions for legal violations such as neglect of management obligations. To support this, it will push for system improvements including introducing enforcement fines to secure effective investigations, and it will continue to strengthen capabilities for scientific investigations including building and expanding technical analysis environments. It also said it would overhaul response infrastructure to focus on "resilience support" in light of an always-on leak threat environment, after previously responding mainly through investigations and sanctions after leaks. For small and medium-sized enterprises, it will respond with a focus on technical support for recovery when leaks occur. It will also provide tailored consulting and protection and security support programmes to small and very small companies even before incidents.
The commission will establish an inter-ministerial cooperation system so personal data protection is carried out as a government-wide task, considering expanded use of personal data across all industries. In relatively high-risk areas such as telecommunications, education and employment, it will set up a system under which the commission and relevant ministries jointly inspect and manage. It will also build an early warning system for personal data threat factors to strengthen crisis response capabilities. As demand increases for overseas transfers in generative AI and cloud environments, it will also expand a data transfer network. Following the already established Korea-EU mutual adequacy recognition framework, it plans to expand a mutual data transfer network through tailored responses that consider similarities in legal systems and trade scale with the United Kingdom, Japan and the United States.
As more people have recently experienced damage from leaks, demand has increased for simple ways to obtain relief. The commission will therefore establish a one-stop rights relief system linking all procedures from reporting of leaks and infringements to investigations, dispute mediation and damages. It will also build an institutional foundation to strengthen guarantees of data subject rights.
Song Kyung-hee (송경희), chair of the commission, said, "With this 3-year basic plan, we will focus our policy capabilities on redesigning the personal data regulatory system to fit the AI environment and establishing a prevention-focused protection system, so people can enjoy AI benefits with confidence and companies can innovate based on trust."