South Korea’s Personal Information Protection Act (PIPA) has long been called “Asia’s GDPR.” But after the sweeping 2023 overhaul, the 2025 enforcement decree updates, and the March 2026 amendment, PIPA is no longer just catching up — it has moved ahead of the GDPR in several critical areas. Fines now reach up to 10% of total revenue. CEOs are personally designated in law as the ultimate responsible party. Google, Meta, KakaoPay, and DeepSeek have all faced enforcement action. If your organization has a GDPR compliance program and assumes that covers South Korea, it’s time to re-examine that assumption.
1. How PIPA Evolved — and Where It Stands Today
PIPA launched in 2011 as one of the world’s first comprehensive, sector-neutral privacy statutes — covering both public agencies and private entities under a single law. Four rounds of major amendments have brought it to its current form, with enforcement intensity growing sharply each cycle.
2. Five Areas Where PIPA Exceeds the GDPR
These are the points most often missed by organizations that enter South Korea with a GDPR compliance program already in place. Each gap has produced real enforcement action.
Reason ① — Consent: No “Legitimate Interests” Escape Hatch
The GDPR’s most useful flexibility is the legitimate interests basis for processing — it allows organizations to handle personal data for advertising, analytics, and a range of business purposes without obtaining consent. PIPA has no equivalent. Consent is the default rule, and exceptions are narrow. More critically, consent must be obtained separately for each processing category. A single bundled checkbox covering marketing, third-party sharing, and overseas transfer is illegal.
Google (Sept 2022, KRW 69.2B / ~$50M): Google used behavioral data collected from third-party websites via tracking pixels to power personalized advertising — without giving users sufficiently clear disclosure. The PIPC issued its largest-ever fine. Google appealed and lost.
Meta (Sept 2022, KRW 30.8B + Nov 2024, additional KRW 21.6B): In 2024, the PIPC found that Meta had inferred users’ religious beliefs and political views from on-platform activity to fuel its “ad topics” engine — without obtaining separate explicit consent for sensitive data.
| 🇰🇷 PIPA | 🇪🇺 GDPR |
|---|---|
| Consent is the primary legal basis. Each processing category (marketing, third-party sharing, overseas transfer) requires separate, purpose-specific consent. Bundling is prohibited. No legitimate interests basis exists. | Six lawful bases available, including legitimate interests. Organizations regularly rely on LI for advertising and analytics without obtaining consent. |
Reason ② — Security Requirements: Prescriptive Checklists, Not Risk Assessments
The GDPR takes a risk-based approach to security: implement “appropriate” technical and organizational measures, with the organization judging what’s appropriate. PIPA works differently. Specific requirements for technical, managerial, and physical safeguards are spelled out in a ministerial notice — including mandatory access controls, access log retention (minimum six months), and encryption standards. Compliance is verified against a checklist. From September 2026, organizations above a defined size threshold must also hold mandatory ISMS-P certification.
Golfzon (May 2024, KRW 7.5B / ~$5.47M): The largest penalty ever imposed on a domestic Korean company. The indoor golf simulator provider suffered a breach due to security vulnerabilities. The PIPC cited multiple violations of the prescribed technical safeguard standards and — for the first time post-2023 amendment — calculated the fine against total revenue rather than violation-related revenue.
| 🇰🇷 PIPA | 🇪🇺 GDPR |
|---|---|
| Prescriptive standards set in ministerial notice. Mandatory access controls, log retention (min. 6 months), encryption, privilege management. ISMS-P certification required from Sept 2026. | Risk-based approach. “State of the art, implementation costs, and risk severity” considered. No specific technical controls mandated. Organizations design their own measures. |
Reason ③ — Sanctions: 10% Revenue Fines and Criminal Liability
GDPR fines are significant and well-publicized, but PIPA’s enforcement toolkit is broader. It includes criminal sanctions — imprisonment and fines — that have no GDPR equivalent at the EU level. The March 2026 amendment added a punitive fine track reaching 10% of total revenue. Three triggers activate this higher ceiling: ① repeated intentional or grossly negligent violations within three years; ② a single incident affecting 10 million or more data subjects; ③ a breach following failure to comply with a PIPC corrective order.
| | 🇰🇷 PIPA | 🇪🇺 GDPR |
|---|---|---|
| Maximum fine | Up to 10% of total revenue (repeated violations / 10M+ data subjects) | Up to 4% of global revenue or €20M, whichever is higher |
| Criminal sanctions | Criminal fines up to ~$72K, plus CEO personal liability (new) | Deferred to member state national law |
| Largest fine to date | Google KRW 69.2B (~$50M, 2022) | Meta €1.2B (2023) |
Reason ④ — Cross-Border Transfers: Separate Consent Is the Default
The GDPR provides a well-developed toolkit for international data transfers: adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs). Under PIPA, the default is separate explicit consent from each data subject, with mandatory disclosure of the recipient’s name, destination country, purpose, and retention period for each transfer. From October 2, 2025, foreign businesses processing Korean personal data must appoint a domestic representative in South Korea.
KakaoPay + Apple (Jan 2025, KRW 8.3B combined): KakaoPay transferred data from 40 million users to Alipay, which then used it to build credit-scoring algorithms for Apple Pay — without notifying users of the transfer. The PIPC levied fines and ordered Alipay to delete the algorithm itself. A global first for AI model deletion under a privacy enforcement action.
AliExpress (Jul 2024, KRW 1.97B): Routed Korean shoppers’ data to third-country sellers without disclosure. An English-only account-deletion page was cited as an additional violation, as it prevented Korean users from exercising their rights.
DeepSeek (Feb–Apr 2025): PIPC investigators detected silent API calls to ByteDance servers. DeepSeek voluntarily withdrew from Korean app stores within days of the initial PIPC inquiry — a notably cooperative posture, in contrast to its resistance to the Italian ban — and subsequently designated a domestic representative.
| 🇰🇷 PIPA | 🇪🇺 GDPR |
|---|---|
| Separate consent required as default. Recipient, destination country, purpose, and retention period must each be disclosed. Domestic representative mandatory for foreign operators (effective Oct 2, 2025). | Diverse transfer mechanisms available (adequacy decisions, SCCs, BCRs, certifications). Transfers to adequate countries require no additional consent. |
Reason ⑤ — Governance: CEO Personal Liability and Board-Level CPO Appointment
The GDPR mandates a DPO (Data Protection Officer) only in specific circumstances. PIPA has long required a CPO (Chief Privacy Officer) for organizations above defined thresholds. The 2026 amendment goes significantly further: CPO appointments and dismissals now require a formal board resolution, which must be reported to the PIPC. The CPO reports directly to the CEO and the board. Most consequentially, the CEO is designated in statute as the ultimate responsible party for governance failures. IAPP has described this as a “deliberate dual-key model.”
| 🇰🇷 PIPA | 🇪🇺 GDPR |
|---|---|
| CPO requires board resolution to appoint or dismiss. PIPC notification required. CEO = statutory ultimate responsible party. CPO reports directly to CEO and board. IAPP: “dual-key model.” | DPO mandatory only for public authorities and large-scale/sensitive data processors. No board resolution required. No statutory personal CEO liability. |
3. PIPA vs GDPR — Key Provisions at a Glance
Items marked “PIPA Stricter” or “PIPA Only” represent areas where GDPR compliance alone is insufficient for South Korea.
| Area | 🇰🇷 PIPA | 🇪🇺 GDPR | Assessment |
|---|---|---|---|
| Lawful Basis | Consent as the rule; narrow exceptions | Six lawful bases incl. legitimate interests | PIPA Stricter |
| Consent Format | Per-category; bundling prohibited | Bundled consent permitted with withdrawal rights | PIPA Stricter |
| Security Standards | Prescriptive checklist in ministerial notice | Risk-based; organizational discretion | PIPA Stricter |
| Security Certification | ISMS-P mandatory (qualifying orgs, Sept 2026) | No mandatory certification | PIPA Only |
| Maximum Fine | Up to 10% total revenue (repeat/severe, 2026+) | Up to 4% global revenue / €20M | PIPA Stricter |
| Criminal Sanctions | Imprisonment up to 10 years; criminal fines | None at EU level | PIPA Only |
| Cross-Border Transfers | Separate consent as default; domestic rep required | SCCs, BCRs, adequacy decisions available | PIPA Stricter |
| CPO/DPO Obligation | Mandatory above threshold; board resolution (2026+) | Conditional; no board vote required | PIPA Stricter |
| CEO Liability | Statutory ultimate responsible party (2026+) | No statutory personal executive liability | PIPA Only |
| Data Portability | Effective March 2025 | In force since May 2018 | GDPR First |
| DPIA Requirement | Mandatory for public bodies; conditional for private | Mandatory for all high-risk processing | GDPR Broader |
| Processing Records | No general record-keeping obligation | RoPA required (Art.30) | GDPR Stricter |
| Research Exemptions | Very narrow exceptions | Public interest research exemptions available | GDPR More Flexible |
4. Regulatory Strength Comparison
(Regulatory strength comparison chart, PIPA vs GDPR: not reproduced in text.)
5. PIPC Enforcement Record: 2022–2025
Nothing clarifies a law’s reach like its enforcement record. The PIPC has consistently demonstrated that foreign companies receive no carve-out — and that its interpretations of PIPA’s requirements are expansive.
| Date | Entity | Violation Type | Penalty / Order | Significance |
|---|---|---|---|---|
| Sept 2022 | Google | Behavioral data without consent | KRW 69.2B (~$50M) | Record ① |
| Sept 2022 | Meta | Behavioral data without consent | KRW 30.8B (~$22M) | Record ② |
| May 2024 | Golfzon | Inadequate technical safeguards | KRW 7.5B (~$5.47M) | Domestic record |
| Jul 2024 | AliExpress | Undisclosed cross-border transfer | KRW 1.97B + order | Transfer violation |
| Nov 2024 | Meta | Sensitive data (religion/politics) without consent | KRW 21.6B (~$14.8M) | Sensitive data |
| Jan 2025 | KakaoPay + Apple | Undisclosed transfer of 40M users to Alipay | KRW 8.3B + AI model deletion | First AI model deletion |
| Feb–Apr 2025 | DeepSeek | Unauthorized transfers to ByteDance servers | App store withdrawal + order | App store exit |
In the KakaoPay case, the PIPC ordered Alipay to delete the AI algorithm that had been built on unlawfully transferred data — not just the data itself. This was the first time a privacy regulator anywhere ordered the destruction of an AI model as an enforcement remedy. South Korea is operating at the frontier of AI-specific privacy enforcement.
6. Where the GDPR Still Has the Edge
A complete picture requires acknowledging where the GDPR is more developed or more flexible. Organizations handling both Korean and EU data cannot simply comply with the stricter of the two — the laws diverge in different directions.
| Area | GDPR Advantage | PIPA Comparison |
|---|---|---|
| Processing Records | RoPA required (Art.30) — structured audit trail | No general record-keeping obligation |
| DPIA Scope | High-risk processing DPIAs mandatory for private sector | Mandatory only for public bodies |
| Processing Flexibility | Legitimate interests enables broad data use without consent | No LI basis; B2B analytics face higher barriers |
| Research Exemptions | Consent requirements relaxed for public interest research | Exemptions very narrow |
| Data Subject Rights | Comprehensive rights framework since May 2018 | Data portability only effective March 2025 |
Organizations under both regimes must satisfy PIPA’s granular consent requirements and GDPR’s record-keeping obligations — simultaneously. There is no “comply with the stricter one and you’re covered” shortcut. The two laws are strict in different ways, and compliance programs need to account for both independently.
7. What to Check Before — or Immediately After — Entering the Korean Market
| Item | PIPA Requirement | Effective | What GDPR Compliance Misses |
|---|---|---|---|
| Consent Architecture | Per-category separate consent; no bundling | Immediate | GDPR bundled consent structures require full redesign |
| Domestic Representative | Korean representative for foreign operators | Oct 2, 2025 | EU representative is a separate appointment |
| CPO Governance | CPO mandatory; board resolution required | Sept 11, 2026 | DPO process does not satisfy PIPA’s board requirement |
| ISMS-P Certification | Mandatory for qualifying organizations | Sept 11, 2026 | ISO 27001 / SOC 2 do not substitute for ISMS-P |
| Transfer Consent Flow | Separate consent per recipient, country, purpose | Immediate | SCCs alone are insufficient for Korean data |
| Breach Response | 72h notification to PIPC + data subjects | Immediate | Dual-channel notification requires separate procedures |
| AI / Automated Decisions | Disclosure + opt-out mechanism mandatory | Immediate | Korean-language AI policy required separately |
| Security Checklist | Prescribed technical and physical safeguards | Immediate | GDPR risk-based self-assessment fails PIPA’s checklist |
📎 References
– PIPC — Official English Site — Enforcement decisions, guidelines, and notices
– IAPP — South Korea Overhauls PIPA, Ties Fines to CEO Accountability (March 2026)
– IAPP — PIPC: AI Model Deletion & Cross-Border Enforcement (June 2025)
– DLA Piper — Data Protection Laws of the World: South Korea
– Hunton Andrews Kurth — 10% Revenue Fine Authorization (Feb 2026)
– Law.asia — Doing Business in Korea: Data Privacy Compliance (Lee & Ko, Sept 2025)
September 2026 marks a meaningful inflection point for PIPA compliance. 10% revenue fines. CEO personal liability. Board-mandated CPO appointments. Mandatory ISMS-P certification. Google and Meta have already paid hundreds of millions of dollars in Korean enforcement actions. DeepSeek pulled its app entirely rather than continue operating in violation. The PIPC ordered an AI model destroyed. The regulator has made clear, across every one of these cases, that foreign companies are not exempt. If your organization operates in South Korea, a gap analysis against the current PIPA requirements is not a future priority — it’s an immediate one.