AI Regulation Tracker / Policy blueprint
Korea's privacy watchdog signals a conditional path for raw data in AI training
On July 3, 2026, Korea's Personal Information Protection Commission announced its Third Basic Plan for Personal Information Protection (2027-2029). It is a three-year policy blueprint, not operative law, and it outlines a conditional pathway to use lawfully collected raw personal data in AI development.
For a decade Korea built one of Asia's stricter consent regimes for personal data. This announcement points in a different direction for AI work, though it is worth being precise about what it is. On July 3, 2026, the PIPC presented the Third Basic Plan for Personal Information Protection as a joint agenda item at the Economic Ministers' Meeting (경제관계장관회의). A basic plan is the document the commission prepares every three years to set policy direction. It is a blueprint, not a bill and not a regulation. Nobody's obligations change the day it is announced.
The PIPC's own framing is a move from uniform rules to protection scaled to risk. In the release the commission says it will move to a principle-based protection system that regulates protection in proportion to risk: 위험에 비례한 보호를 규율하는 원칙 중심 보호체계로 전환한다. That is the through-line for everything else in the plan.
What the plan actually signals
The part drawing the most attention is a conditional pathway for raw data. Today, training AI on personal data in Korea generally runs through pseudonymization or consent. The plan signals a route in which lawfully collected raw, unmasked personal data, including images, voice, and video, could be used in AI development without first being masked, provided the organization goes through the PIPC's prior deliberation and a risk assessment. According to PIPC's announcement and Korean press, where the data is sensitive, an additional risk-factor assessment would apply. Read that as a proposed gate with conditions, not an open door. It is the direction the commission wants to build toward, and the specifics would be defined later in rules.
The plan pairs that opening with tighter safeguards on the other side. It describes pre-emptive leak prevention, a response to the repeated large-scale breaches Korea has seen, so that faster data use is matched by earlier controls. It announces a new support center, the 인공지능 전환(AX) 안심지원센터 (AI Transition Safe-Support Center), meant to give companies a single window to resolve uncertainty about how they process personal data during AI adoption. It adds regional hubs for linking and using pseudonymized and anonymized data, so that data innovation is not concentrated in the capital. And it continues the expansion of MyData, Korea's personal data portability regime.
A blueprint is not a law
This is the distinction that matters for planning. A basic plan sets policy intent. It does not amend the Personal Information Protection Act (개인정보 보호법), and it does not by itself authorize anyone to use raw personal data in a new way. Each signal in the document would need its own legislation or subordinate rulemaking before it binds a company, and the conditions, the deliberation process, the risk-assessment standard, the treatment of sensitive data, are exactly the parts that get settled at that later stage. Anyone telling you that Korea now lets firms train AI on unmasked personal data is describing a plan as if it were a rule.
Why a US professional should track this
The direct audience is any organization that processes personal data inside Korea for AI development, which includes US technology and AI companies with Korean operations, subsidiaries, or data partnerships. If that is you, this is the moment to read the intended direction and position for it, not to change practice. The work is identifying which of your Korean data flows would benefit from the conditional raw-data pathway, and tracking the PIPC deliberation and risk-assessment mechanism as it takes concrete shape over the 2027 to 2029 window.
There is a second reason to watch it. A major economy is publicly proposing to let raw personal data feed AI development under a supervised gate rather than under blanket masking or consent. Other regulators weighing the same tradeoff will study how Korea structures that gate. This is an early read on where the global consent-versus-innovation debate is heading, not only a domestic Korean plan.
Questions professionals are asking
Can companies in Korea now train AI on raw personal data without masking it?
No. The Third Basic Plan is a policy blueprint announced on July 3, 2026, not a law. It outlines a conditional pathway that would allow lawfully collected raw data in AI development subject to PIPC prior deliberation and a risk assessment, but that pathway would need separate legislation or rulemaking before it applies.
What does risk-proportionate, principle-based protection mean here?
The PIPC says it will move from uniform rules to a system that scales protection to the level of risk. In practice the plan signals lighter friction for lower-risk data use and stronger, earlier safeguards, including pre-emptive leak prevention, around higher-risk processing. It is a stated direction, and the details would be defined in later rules.
Does this affect a US company?
It is relevant to US organizations that process personal data inside Korea for AI development, through Korean operations, subsidiaries, or data partnerships. The step now is to map which Korean data flows would use the proposed raw-data pathway and to watch the PIPC deliberation and risk-assessment mechanism as it is built out over 2027 to 2029.
RELATED BRIEFINGS
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel in the relevant jurisdiction.