Korea's Automated-Decision Rights: Refuse and Explain | TLY

AI Regulation Tracker  /  Regulation in force

South Korea gives people the right to refuse, question and re-run AI decisions under PIPA

A revised Personal Information Protection Act now lets individuals demand human review, a plain explanation, and pre-disclosed criteria whenever an automated system makes a decision that significantly affects them. Any firm running AI on Korean users needs a refusal-and-review workflow.

South Korea gives people the right to refuse, question and re-run AI decisions under PIPA regulation briefing
The Leveraged Years AI Regulation Tracker

South Korea has made the "computer said no" defense untenable. Under Article 37-2 of the Personal Information Protection Act, which took effect on March 15, 2024, a person subjected to a decision made "solely by an automated system with no meaningful human intervention" can push back when that decision significantly affects their rights or obligations. The Personal Information Protection Commission finalized the operating detail around September 2024 and rolled it into the privacy-policy drafting guidance it updated on April 21, 2025.

Three duties, not one

The article does more than create a single right. It stacks three obligations on the controller. First, on request, the controller must either not apply the automated decision or provide human intervention and re-process the matter. Second, it must explain the decision in clear terms, including the standards it used and how the person's data was handled. Third, it must disclose the criteria and procedures for automated decisions in advance, before anyone asks.

That pre-disclosure duty is the piece US privacy teams most often miss. It is not a right the individual has to invoke. It is a standing publication requirement. The criteria and procedures behind a consequential automated decision have to be laid out ahead of time, which pushes firms toward the kind of documented, reviewable logic that regulators and courts can inspect. The PIPC guidance references Explainable AI (XAI) in this context, signaling that a bare "the model decided" will not satisfy the explanation duty.

What counts as "significant"

The right does not attach to every automated output. It triggers when a decision has a significant effect on a person's rights or duties. The PIPC's factors for that threshold include threats to life or body, forfeiture of rights, imposition of unreasonable obligations, and ongoing restrictions on the person. A recommendation engine suggesting a product is not the target. An automated denial of a loan, an insurance claim, a job, or a benefit is squarely the kind of decision the article is built for. The distinction matters operationally, because it tells a compliance team where to spend its effort. The scoping exercise is not "audit every model" but "find the automated decisions that can materially change a person's rights or obligations," then wrap those in the request, review, and explanation machinery the statute requires.

What it does not do

The refusal right has real limits, and controllers should not overstate the exposure. It does not apply where the decision rests on the data subject's own consent, where an automated decision is required by law, or where the decision is necessary to perform a contract with the person. In those situations the controller can still make and apply the automated decision. The explanation and disclosure expectations, however, remain the safer operating assumption, because they support the transparency the regime is designed around rather than the veto.

The instrument here is the statute itself. Article 37-2 is verified and in force. The precise serial number of the PIPC public notice that implements it could not be independently confirmed, so this analysis does not cite one; the underlying statutory right does not depend on it.

The cross-border angle

For a US reader, the closest reference point is Article 22 of the EU's General Data Protection Regulation, which governs decisions "based solely on automated processing" that produce legal or similarly significant effects. Korea's version is broader in reach and heavier on affirmative duty. It covers any significant automated decision rather than a narrower "legal effect" category, and it layers on the advance pre-disclosure obligation that GDPR does not spell out in the same way. It also runs ahead of most US law. Even newer state frameworks, such as the automated-decision provisions emerging under California and Colorado privacy rules, do not yet require this exact combination of refusal, human re-processing, plain-language explanation, and pre-published criteria.

The practical consequence is concrete. A US privacy officer whose firm runs AI-driven credit, hiring, insurance, or pricing decisions on Korean users cannot treat a US-only compliance program as sufficient. The Korean subsidiary or the Korean customer book needs a working refusal-and-human-review workflow, a request channel people can actually use, an explanation mechanism that describes the standards and data involved, and a public statement of the criteria and procedures. Building that is an engineering and process task, not just a policy edit, and the right has been live since 2024.

Frequently Asked Questions

What changed under Korea's Personal Information Protection Act?

Article 37-2, effective March 15, 2024, gives individuals the right to challenge decisions made solely by an automated system with no meaningful human intervention when the decision significantly affects them. Controllers must, on request, suspend the decision or provide human review, explain it clearly, and disclose the criteria in advance.

Who has to comply?

Any personal-data controller making consequential automated decisions about people in Korea, including lenders, insurers, HR and hiring platforms, ad-tech, and pricing systems. Korean subsidiaries of US companies are in scope when they run these decisions on Korean users.

When can a firm refuse the request for human review?

The refusal right is limited where the automated decision rests on the data subject's consent, is required by law, or is necessary to perform a contract with the person. In those cases the controller may still apply the automated decision, though the explanation and disclosure expectations remain the safer assumption.

How is this different from GDPR Article 22?

Korea's right is broader. It covers any significant automated decision rather than only decisions with a legal or similarly significant effect, and it adds an affirmative duty to pre-disclose the criteria and procedures. That pre-disclosure requirement goes beyond what GDPR spells out and beyond most current US state rules.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.