Korea's PIPC Opens Raw Data to AI Training | TLY

AI Regulation Tracker  /  Policy plan

South Korea's PIPC Opens Raw Personal Data to AI Training, But Gates It Behind a Mandatory Review

Regulatory summary: South Korea's Third Basic Plan for Personal Information Protection (제3차 개인정보 보호 기본계획, 2027-2029), announced by the Personal Information Protection Commission (PIPC) at the Economic Ministers' Meeting on July 3, 2026, sets a risk-proportional direction for personal data policy over the next three years. Its most consequential AI provision would.

The Personal Information Protection Commission's Third Basic Plan (2027-2029) trades blanket rules for a risk-based regime. Lawfully collected video, voice, and image data could be used to train AI in raw form, but only after clearing a PIPC prior review and a risk-factor assessment. It is a three-year policy blueprint, not yet law.

Primary source

South Korea's PIPC Opens Raw Personal Data to AI Training, But Gates It Behind a Mandatory Review regulation briefing
The Leveraged Years AI Regulation Tracker

Key takeaways

  • The commission signaled a shift from uniform, blanket rules to a risk-proportional, principle-based system. Pseudonymization and anonymization have long been treated as prerequisites for reusing personal data. The plan would create a conditional exemption so that lawfully collected data can be used in raw form for AI development, provided it passes a PIPC prior adequacy review and a risk-factor assessment. The plan pairs that opening with a shift toward preventive protection, stronger CEO and CPO accountability, deepfake and data-tampering safeguards, and steps to institutionalize AI transparency.
  • AI developers and model trainers processing Korean personal data; DPOs and privacy-review functions who will own the review and risk-assessment submissions; compliance and legal counsel at multinationals with Korean operations; and vendors supplying AI systems or training data into the Korean market.
  • Status: Announced July 3, 2026 as a plan covering 2027-2029.
  • Inventory every model and dataset that touches Korean personal data, flag anything using raw video, voice, or image data, and start drafting the risk-assessment and lawful-collection documentation now so it is ready when the review pathway is enacted.
DateJurisdictionRuleAffected professionalsStatus or effective date
2026-07-09South KoreaThe commission signaled a shift from uniform, blanket rules to a risk-proportional, principle-based system. Pseudonymization and anonymization have long been treated as prerequisites for reusing personal data. The plan would create a conditional exemption so that lawfully collected data can be used in raw form for AI development, provided it passes a PIPC prior adequacy review and a risk-factor assessment. The plan pairs that opening with a shift toward preventive protection, stronger CEO and CPO accountability, deepfake and data-tampering safeguards, and steps to institutionalize AI transparency.AI developers and model trainers processing Korean personal data; DPOs and privacy-review functions who will own the review and risk-assessment submissions; compliance and legal counsel at multinationals with Korean operations; and vendors supplying AI systems or training data into the Korean market.Announced July 3, 2026 as a plan covering 2027-2029. Not yet implemented through law. The specific mechanisms will be developed and enacted across the three-year period.

Frequently Asked Questions

Can companies use raw Korean personal data to train AI right now?

No. The Third Basic Plan announced on July 3, 2026 sets the direction for 2027-2029, but it is a policy blueprint, not a rule in force. The raw-data pathway would take effect only when it is enacted through legislation or subordinate rules during the plan period.

What conditions attach to the raw-data exemption?

The data must have been collected lawfully, and its use in original form must clear a PIPC prior adequacy review and a risk-factor assessment. Reporting from Seoul Economic Daily and The Asia Business Daily describes it as a special exemption from the usual pseudonymization requirement, gated by that review.

Does this cover all personal data or specific types?

The provision is aimed at data that is hard to pseudonymize without losing its training value, notably video, voice, and image data. The plan separately signals stronger, specialized regulation for sensitive categories such as video and biometric information.

What is the deepfake commitment?

The plan states the government will prepare measures to prevent data manipulation such as deepfakes as part of securing AI accountability, and will pursue steps to institutionalize AI transparency. The specific mechanisms are to be developed during the plan period.

How is this different from the EU stance on AI training data?

The EDPB's 2026 generative-AI anonymization guidance keeps anonymization and data minimization central. Korea's plan instead permits raw, identifiable data under a mandatory review and risk assessment. Global teams will need to apply each jurisdiction's standard rather than one shared approach.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.