South Korea Promulgates Sweeping PIPA Amendments: 10% Revenue Fines, CEO Liability, and Fine Calculation Overhaul (September 2026)
South Korea has finalized a dramatic escalation of its data protection and cybersecurity enforcement. On March 10, 2026, the country officially promulgated its most consequential rewrite of the Personal Information Protection Act (Amended PIPA) as Act No. 21445, with most provisions scheduled to take effect on September 11, 2026 (except for mandatory ISMS-P certification which takes effect on July 1, 2027).
Alongside the statutory amendments, South Korea's Personal Information Protection Commission (PIPC) has implemented a series of highly impactful administrative changes in mid-2026, including an amended Enforcement Decree and a major strategic "Transition Plan" that shifts the country from an ex post sanctions model to a prevention-focused, risk-based inspection regime.
1. The Amended Enforcement Decree (Effective May 19, 2026)
To strengthen the financial impact of PIPA violations, the PIPC implemented amendments to the Enforcement Decree of the PIPA and the Standards for Imposing Fines, effective May 19, 2026:
- Aggressive Revenue Calculation: Previously, administrative fines were calculated based on the average annual revenue of the three business years prior to a violation. Under the new rules, the PIPC will use the higher amount between the revenue of the immediately preceding business year and the three-year average. This prevents companies from using older, lower-revenue years to dilute fine calculations.
- Restricted Fine Reductions: The new rules restrict administrative fine reductions for severe misconduct or gross negligence, ensuring that penalty surcharges remain highly punitive and act as a strong deterrent.
2. PIPC "Prevention-Focused" Transition Plan & Risk-Based Inspections (June 2026)
On May 22, 2026, the PIPC announced its "Transition Plan toward a Prevention-Focused Personal Information Management Framework." Under this framework, which commenced operations in June 2026, the PIPC has abandoned uniform enforcement in favor of a tiered, risk-proportionate inspection model:
- High-Risk Sectors: Telecommunications, finance, and healthcare industries that process sensitive or personally identifiable information on a large scale (1 million data subjects or more). These entities are subject to regular and ad hoc inspections of internal control operations, mandatory ISMS-P certification, and public disclosure of protection activities. These inspections are led by the PIPC's newly established Preliminary Inspection Division.
- Medium-Risk Sectors: Industries that do not meet high-risk thresholds but require systematic oversight. They are subject to ad hoc/joint inspections, self-conducted privacy impact assessments, and must comply with Privacy by Design (PbD) principles.
- Low-Risk Sectors: Small-scale processors handling data of fewer than 10,000 data subjects. They receive self-inspection tools and subscription-based consulting support, with a lenient approach to minor violations (sanctions mitigated if corrective actions are taken).
3. Institutionalizing Privacy by Design (PbD)
The PIPC is actively institutionalizing PbD principles across the service lifecycle, ensuring that data protection is embedded from the planning and design phases of services. While previously limited to devices like IP cameras, PbD certification will expand across software and platforms, and will be integrated directly into the ISMS-P evaluation framework.
4. The Amended Network Act (Effective October 1, 2026)
In tandem with PIPA, the National Assembly promulgated amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection (Amended Network Act) on March 31, 2026, which will take effect on October 1, 2026:
- Expanded CISO Responsibilities: The role of the Chief Information Security Officer (CISO) is legally expanded to enforce stricter executive accountability.
- Administrative Fines for Breaches: The act establishes a new system of administrative fines specifically for network-related data breaches and significantly tightens controls on commercial spam.
- Security Level Assessment System: A new information security level assessment system is scheduled to take effect on April 1, 2027.
Compliance Action Items for APAC Teams
- Reassess Fine Exposure: Compliance teams must recalculate potential fine exposure under the new "higher of" revenue formula (up to 10% of total revenue).
- Review Risk Tiering: Determine if Korean operations fall into the "High-Risk" bracket (1M+ data subjects in telecom, finance, health) to prepare for the PIPC’s Preliminary Inspection Division audits.
- Embed Privacy by Design: Align product development lifecycles with Korean PbD principles to secure forthcoming certifications and leverage regulatory incentives (such as penalty surcharge reductions).
- Appoint and Authorize CPOs: Ensure the designated Chief Privacy Officer (CPO) has clear internal control authority and documented decision-making processes, as executive accountability remains a core PIPC enforcement target.