South Korea Personal Information Protection Act (PIPA) + AI Basic Act 2024: AI Compliance Requirements

PIPA Article 15 requires a lawful basis for all personal information processing: consent, contract, legal obligation, vital interests, public interest, or legitimate interest (added in 2023 amendments). AI systems must document their lawful basis and apply data minimization — collecting only what is strictly necessary for the AI purpose stated in the privacy notice.

PIPA Article 37-2 (2023 amendment) grants data subjects the right to request human review of automated decisions that significantly affect them (credit, hiring, insurance, etc.). Organizations must notify individuals when a decision is fully automated and provide a mechanism to request explanation and human review within 30 days. AI systems must log all automated decisions affecting Korean residents.

PIPA Articles 30-31 require organizations to publish a comprehensive Personal Information Processing Policy (privacy notice) and designate a Chief Privacy Officer (CPO). Foreign organizations processing Korean data must designate a domestic representative. AI processing activities must be explicitly described in the privacy policy.

The South Korea AI Basic Act (effective 2024) requires organizations developing or deploying high-risk AI (in healthcare, transport, education, public safety, financial services, employment) to conduct pre-deployment AI Impact Assessments and register with the Ministry of Science and ICT (MSIT). High-risk AI must implement human oversight mechanisms and publish transparency documentation.