Lee & Ko

 

What law(s) specifically govern personal data / information?

The Personal Information Protection Act (PIPA) is the comprehensive data protection law in Korea. The PIPA generally applies to the processing of personal data by data handlers unless a provision of a sector-specific law governs a particular case.

Other sector-specific laws governing the processing of personal data include the Act on the Utilisation and Protection of Credit Information (Credit Information Act) and the Act on the Protection and Use of Location Information (Location Information Act). The following responses will address the relevant requirements under the PIPA.

 

What are the key data protection principles in this jurisdiction?

The PIPA provides that data handlers must adhere to the following principles when processing personal data and all specific obligations prescribed by the PIPA are built around one or more of these principles:

  • Clearly notify the purposes of processing the personal data, and lawfully and justly collect only the minimum amount of personal data necessary to carry out such purposes;
  • Process personal data within the scope of the purpose for processing the personal data and refrain from using personal data for any other purpose, unless separate consent for such other purpose has been obtained;
  • Ensure that the personal data is accurate, complete, and up-to-date within the purpose necessary for processing the personal data;
  • Safely manage personal data by taking into consideration the likelihood and risk of the data subject’s rights being infringed upon based on the method and type of processing;
  • Disclose matters related to the processing of personal data such as a privacy policy, and guarantee the data subject’s right to access his/her personal data;
  • Process personal data in a manner that minimises infringement of the data subject’s privacy;
  • (If it is still possible to fulfil the purposes of collecting personal data by processing anonymised or pseudonymised personal data) Process personal data through anonymisation, where anonymisation is possible, or through pseudonymisation, if it is impossible to fulfil the purposes of collecting personal data through anonymisation; and
  • Endeavour to gain the trust of the data subject by complying with and upholding responsibilities and obligations under relevant laws and regulations.

 

What is the supervisory authority / regulator in charge of data protection?

The Personal Information Protection Commission (PIPC) is the main supervisory authority with responsibility for enforcing the PIPA and establishing/implementing policies, programs, and initiatives related to the protection of personal data.

Korea Internet and Security Agency (KISA) is responsible for carrying out various tasks delegated to it by the PIPC, such as periodically investigating data handlers to check for the implementation of mandatory security measures for personal data, receiving/handling data breach reports from data handlers, and operating a privacy infringement response center to handle reports on the infringement of rights/interests of data subjects regarding their personal data.

 

Is there a requirement to register with a supervisory authority / regulator?

No.

 

Is there a requirement to notify the supervisory authority / regulator?

No.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Not Applicable.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

Right to access

Information that is subject to the right to access

Under the PIPA, a data subject may request access to their personal data processed by the data handler. The PIPA Enforcement Decree specifies that the data subject may request access to any of the following information from the data handler:

  • Items of personal data concerned;
  • Purpose for collecting/using the personal data;
  • Retention and use period of the personal data;
  • Status of any provision of personal data to third parties; and
  • The fact that the data subject consented to the data handler's processing of personal data.

Request procedure

The PIPA provides that a request must be made in accordance with the procedures determined by the data handler. Such procedure should meet the following requirements:

  • The methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the internet;
  • Data subjects must be able to request access at least through the same window or in the same manner that the data handler uses to collect such personal data, unless a justifiable reason exists (e.g. difficulty in continuously operating such window); and
  • Details regarding the manner and procedure for exercising the right to request access are to be posted on the website operated by the data handler (if such website exists).

Response by data handlers

Data handlers must confirm that the request is made by the data subject whose personal data is to be accessed, or their appropriate legal representative. In addition, data handlers must respond to the data subject who requests access within ten (10) days of receiving the request. The response should either be the granting of access (if the request was accepted), or the fact that access has been put on hold, in which case the grounds for the delay must be explained. Once the reason for delay no longer exists or is cured, access must be granted without delay.

Exceptions

The PIPA establishes that the right of access may only be limited or denied in circumstances where:

  • Such access is prohibited or restricted by law; or
  • It may possibly cause damage to the life or body of a third party, or improperly violate the property or other interests of a third party.

Right to rectification and right to erasure

The PIPA provides data subjects that have accessed their personal data with a right to request the rectification or erasure of such information from the relevant data handler. Since only data subjects who have accessed their personal data may request rectification and erasure of such information, data subjects who were denied access to their personal data may not exercise their right to request rectification and right to erasure. Provided, however, that data subjects may not request erasure of personal data that is explicitly required to be collected under another law or regulation.

The request procedure for exercising the right to rectification/erasure is the same as for the exercise of the right to access.

The data handler must respond to the data subject who requests rectification or erasure within ten (10) days of receiving the request. The response should either be confirmation that the data subject's personal data has been rectified or deleted (if the request was granted) or, in the case of an erasure request, the fact that the request has been denied, the reasons for such denial (e.g., the personal data in question is explicitly required to be collected under another law or regulation), and the method of objecting to such denial.

The PIPA also provides that data handlers, where necessary, have the ability to request relevant evidence necessary to confirm the rectification or erasure of personal data. In addition, the PIPA Enforcement Decree provides that the data handler must confirm that the request is actually made by the data subject whose personal data is to be rectified or erased, or their appropriate legal representative.

Right to object/opt-out

Right to withdraw consent

Data handlers must allow data subjects to withdraw their consent to the processing (e.g. collection, use, and provision) of their personal data at any time.

Right to request suspension of the processing of personal data

Data handlers must respond to a data subject's request to suspend the processing of his/her personal data.

Request procedure and response requirements

The request must be made in accordance with the procedure determined by the data handler. Such procedure should meet the following requirements:

  • The methods available to the data subject in making the request need to be data subject-friendly, such as in writing, by telephone or electronic mail, or via the Internet;
  • Data subjects must be able to request suspension of the processing of their own personal data or withdrawal of consent at least through the same window or in the same manner that the data handler uses to collect such personal data, unless a justifiable reason exists (e.g. difficulty in continuously operating such window); and
  • Details regarding the manner and procedure for exercising the right to request suspension or withdrawal of consent are to be posted on the website operated by the data handler (if such website exists).

The data handler must respond to the data subject who requests suspension within ten days of receiving the request. The response should either be confirmation that the processing of the data subject's personal data has been suspended (if the request was granted), or the fact that the request has been denied, the reasons for such denial, and the method of objecting to such denial.

Exceptions

Data handlers must comply with a data subject's request to suspend processing of their personal data (or to withdraw consent) unless one of the following exceptions applies:

  • Where special provisions exist in law or it is inevitable to observe the data handler's legal obligations;
  • Where suspension may possibly cause damage to the life or body of a third party, or unfairly infringe upon a third party's property or other interests;
  • Where such suspension causes grave difficulties for a public institution in its performance of any one of the certain duties described in applicable laws; or
  • Where the data handler would not be able to perform the terms of a contract entered into with the data subject if it does not process the personal data, and the data subject did not clearly indicate their intention to terminate the contract.

Right to contest automated decision-making

(Refusal of Automated Decision-making) If a data subject refuses automated decision-making on the grounds that it significantly affects their rights or obligations, such as regarding life, body, or property, the data handler must, unless there are legitimate grounds, either (i) take measures not to apply the decision so that the data subject’s rights or obligations are not significantly affected or (ii) if the data subject requests re-processing involving human intervention, take measures accordingly and notify the data subject of the result. “Legitimate grounds” here refer to cases where there is a risk of unduly infringing on the life, body, property, or other interests of others.

(Request for Explanation) Upon a data subject’s request for an explanation, the data handler must provide a concise and meaningful explanation. Such explanation must be easy to understand and include: (i) the outcome of the decision; (ii) the types of personal data used; (iii) the criteria applied to the decision; and (iv) the decision-making process, including how the personal data used for the decision was processed and its impact. However, if the decision does not significantly affect the data subject’s rights or obligations, it may suffice to disclose only the criteria used for the automated decision-making.

(Request for Review) A data subject may request a review of an automated decision by submitting an opinion regarding additional personal data that should be considered in making the decision. The data handler must review whether the submitted opinion can be reflected and notify the data subject of whether it has been reflected and, if so, the outcome, unless there is a compelling reason not to do so.

(Objection) If a data handler refuses a data subject’s request for refusal or explanation as described above, it must, unless there is a compelling reason not to do so, establish and provide necessary procedures for the data subject to object, within 10 days from the date of receiving the request. Upon an objection, the data handler must take necessary actions considering the content of the objection and inform the data subject of the result.

(Timeline for Taking Measures) In principle, the above measures must be taken within 30 days of receiving the data subject’s request. This period may be extended by up to 60 days if any of the following grounds exist:

  • Where additional action is required in response to a request for refusal or explanation;
  • The requested matters are so complex that it is difficult to take measures within the prescribed period;
  • Where it is difficult to take measures within the prescribed period due to natural disasters; or
  • There is a temporary surge in workload, or other similar reasons.

In addition to the above, further details, including the specific scope, content, and criteria for implementation, are set forth in the Standards for Measures to Be Taken by Data Handlers Regarding Automated Decisions issued by the PIPC under the PIPA.

Right to request for transmission

This refers to the right of a data subject to request a data handler to transmit their personal data to either the data subject themselves or a third party.

Information subject to request for transmission

Under the PIPA, a data subject may require the data handler (information transmitter) to transmit his or her personal data that meets the following conditions either to the data subject themselves (data subject access request) or to a third party (third-party transmission request):

  • the personal data requested for transmission must relate to the data subject and be:
    • personal data processed on the basis of the data subject’s consent; or
    • personal data processed for the purpose of performing a contract concluded with the data subject or taking steps at the request of the data subject prior to entering into a contract.
  • the personal data must not include information newly generated by the data handler through analysis or processing based on the collected personal data.
  • the personal data must be processed through information processing devices such as computers.

Methods of requesting transmission

A request for transmission must specify the following matters:

  • (data subject access request) the purpose of the request and the personal data requested for transmission.
  • (third-party transmission request) (i) the purpose of the request; (ii) the party to whom the request for transmission is made; (iii) the party to whom the personal data will be transmitted; (iv) the personal data requested to be transmitted; (v) whether regular transmission is required and, if so, the frequency thereof; (vi) the expiration date of the request; and (vii) the period for retaining and using the transmitted personal data.

A data subject may change or withdraw a request for transmission. In such cases, the data handler must ensure that the methods and procedures for changing or withdrawing the request are not more onerous than those for making the initial request.

A data handler must post on its website (or equivalent platform) the method of requesting transmission, the current status of transmissions, and the method for verifying transmission details, to allow data subjects to request and verify the transmission of their personal data.

Methods of transmission of personal data

To ensure the safety and reliability of transmissions, a data handler must use the following methods (in the case of data subject access requests, limited to the first method, subparagraph (a)):

  • transmitting data using a secure encryption algorithm;
  • using a method agreed upon in advance between the data handler and the general recipient or a specialised personal data management institution;
  • implementing mutual identification and authentication between the data handler and the recipient; and
  • conducting mutual verification between the data handler and the recipient.

Response by data handlers

Upon receiving a request for transmission, a data handler must transmit the requested personal data without delay, unless there is a legitimate reason for delay or inability to transmit (e.g., system failure). If immediate transmission is not possible for legitimate reasons, the data handler may postpone transmission after notifying the data subject of the reason. Once the reason ceases to exist, the personal data must be transmitted without delay.

Exceptions

Under the PIPA, a request for transmission may be refused or discontinued in the following cases:

  • where the consent of a legal representative cannot be verified;
  • where grounds for restricting or refusing access exist;
  • where transmission would infringe on the rights or legitimate interests of a third party;
  • where the identity of the applicant as a representative cannot be verified;
  • where the matters subject to the request are not specified;
  • where the identity of the data subject cannot be verified;
  • where the request is made by improper means, such as through stolen authentication information;
  • where the transmission is requested to a person other than the data subject, a general specialised agency, a special specialised agency, or a general recipient;
  • where personal data would be used for improper purposes (e.g., criminal activity) thereby clearly infringing on the interests of the data subject;
  • where the data subject makes excessive and repeated requests for the same personal data without good cause, disrupting business operations; or
  • where there are reasonable grounds to reject or suspend the transmission request, such as where the request was made under deception or duress from a third party.

Further details, including the scope of data handlers obligated to transmit data, general recipients, and the scope of data subject to transmission requests for each transmitter, are set forth in the Enforcement Decree of the PIPA. Currently, the scope of data and operators subject to the right to request transmission is limited to the health and medical services, communications, and energy sectors. However, an amendment to the Enforcement Decree of the PIPA is underway to significantly expand this scope to all sectors. This amendment will also specify detailed procedures and methods to ensure the safer exercise of the right to request transmission.

Is there a requirement to appoint a data protection officer (or equivalent)?

Yes. Under the PIPA, a data handler must appoint a duly qualified individual as its data privacy officer (DPO) to take charge of all aspects of the handling of personal data within its organisation. Specifically, data handlers, excluding public institutions, must appoint a person satisfying any one of the following conditions as their privacy officer:

  • The owner or representative director of a business; or
  • An executive officer, however if there are no executive officers, then the head of the department responsible for processing personal data.

However, the recently amended Enforcement Decree of the PIPA now requires certain data handlers (i.e., those with annual sales or income of at least KRW 150 billion that process either (i) sensitive or unique identification data of more than 50,000 data subjects, or (ii) personal data of more than 1 million data subjects) to designate a person with at least four (4) years of combined experience in personal data, information security, and information technology, including at least two (2) years specifically in personal data protection, and specifies the detailed criteria for recognising such experience.

Roles and Responsibilities

The DPO's primary role is listed under the PIPA as seven distinct requirements:

  • Establishing and implementing a data protection plan;
  • Completing regular surveys of the actual state and practices of personal data processing, and improving shortcomings;
  • Treating grievances and remedial compensation in relation to personal data processing;
  • Setting up the internal control system to prevent the leak, abuse and misuse, of personal data;
  • Preparing and implementing the data protection education programme;
  • Protecting, controlling and managing the personal data files; and
  • Undertaking any other functions for the appropriate processing of personal data, as prescribed by the PIPA Enforcement Decree.

Additional functions under the PIPA are further defined as any of the following (PIPA Enforcement Decree, Article 32(2)):

  • Assisting with the establishment, modification and implementation of the privacy policy referred to in Article 30 of the PIPA;
  • Maintaining the materials related to personal data protection; and
  • Destroying personal data after the retention period has expired or after it has been used for the purpose for which it was obtained.

The DPO must, when they become aware of any violation of the PIPA or any other relevant laws or regulations relating to data protection, take immediate corrective measures, and, if necessary, report such corrective measures to the head of the institution itself or the relevant organisations.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

None for private companies. Under the PIPA, only public institutions are obligated to conduct a data protection impact assessment (DPIA) in certain cases.

 

Does this jurisdiction have any specific data breach notification requirements?

Under the PIPA, a data handler is required to notify the following information to data subjects without delay (i.e., within 72 hours) upon becoming aware of a data breach* impacting their personal data:

  • date/time of the breach and circumstances surrounding its occurrence;
  • items of personal data impacted by the breach;
  • countermeasures taken by the data handler and procedures to redress damages;
  • measures to be taken by data subjects to minimise potential damages resulting from the breach; and
  • name and contact information of the data handler’s department for reporting damages suffered from the breach.

*The involuntary loss of control of personal data in the data handler’s possession or accessibility to such personal data by an unauthorised third party (Standard Guidance on the Protection of Personal Information, Article 25).

In addition to notification to data subjects, a data handler must also report the above information (the five items listed above) to the PIPC or KISA without delay (i.e., within 72 hours) if any of the following conditions are met:

  • the breach has impacted the personal data of one thousand (1,000) or more data subjects;
  • the breach involves any sensitive or unique identification information; or
  • any personal data has been leaked due to illegal access from outside to the data handler’s systems processing personal data or to information devices used by its personnel to process personal data.

 

What restrictions apply to the international transfer of personal data / information?

Under the PIPA, data handlers may only transfer personal data cross-border pursuant to the following legal bases:

  • When the data subject has separately given their consent;
  • When there are special provisions regarding the cross-border transfer of personal data in laws, treaties, or international agreements;
  • When the outsourcing of the processing of personal data or the storage thereof is:
    • necessary for the execution or performance of a contract; and
    • the information that must be notified to data subjects when obtaining consent for the cross-border transfer of personal data has been disclosed in the privacy policy or has been notified individually to data subjects via methods prescribed by the Enforcement Decree (e.g., email);
  • When the overseas recipient has obtained data protection certification prescribed by the PIPC and has taken all of the following measures:
    • security measures necessary for the protection of personal data and measures necessary to guarantee the rights of data subjects; and
    • measures necessary to conduct data processing in accordance with the data protection certification in the country where the personal data is to be transferred; and
  • When personal data is to be transferred cross-border to a country or international organisation recognised by the PIPC as having essentially equivalent levels of data protection to those required by the PIPA.

In such cases, the data handler must include the following matters in its privacy policy: (i) the legal basis for the overseas transfer; (ii) the items of personal data to be transferred; (iii) the country to which the personal data is to be transferred, and the timing and method of transfer; (iv) the name of the recipient of the personal data (or, if a corporation, its name and contact information); (v) the purposes of use and the retention and use period of the personal data by the recipient; and (vi) the methods and procedures for refusing the transfer of personal data, and the consequences of such refusal.

For reference, in cases where the personal data of Korean data subjects is processed overseas, the data handler must also state in its privacy policy the name of the country where the processing takes place.

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Although the PIPA does not contain any provisions regarding its extraterritorial application, Korean courts and regulators have consistently held the position that Korean data protection laws such as the PIPA should apply extraterritorially to foreign companies located abroad in cases where they process the personal data of Korean data subjects in the course of “conducting business in Korea”.

As such, a Korean court would take into account all surrounding facts and circumstances to make such a determination. Typically, the following factors, among others, would lead to a foreign company being considered as “conducting business in Korea”:

  • operating and/or offering in the Korean language on its website;
  • advertising on a marketing banner or using pay-per-click ads offered by popular Korean portal sites; or
  • sending e-mails to Korean residents with an introduction to its website.

 

What rules specifically deal with marketing?

The PIPA prescribes specific rules for marketing activities, including:

  • requiring that consent for the processing of personal data for promoting or soliciting the sale of goods or services be obtained separately from other consents (Article 22(1)(vii)), and
  • prohibiting data handlers from denying goods or services to a data subject based on their refusal to provide consent as required under Article 22(1)(vii) (Article 22(5)).

As a result, data handlers must distinguish between consent that is essential for providing their services (required consent) and consent that is not (optional consent) to ensure that data subjects can still access services even if they decline to provide optional consent.

Additionally, the Act on Promotion of Information and Communications Network Utilisation and Information Protection (Network Act) contains specific regulations governing electronic marketing, which will be discussed in further detail in our response below to the question on electronic marketing.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

The specific rules governing marketing activities under the PIPA and the Network Act apply equally to both B2B and B2C marketing. However, in B2B marketing, information such as a company's name, address, and general contact details (e.g., company email address or telephone number) is generally not considered personal data, as it does not relate to an individual. Therefore, marketing activities based on such information are not subject to the PIPA's requirements. Additionally, consent is not required for marketing activities directed at individuals using contact information from business cards they have voluntarily provided, as long as the marketing is consistent with what could reasonably be expected when the business cards were shared.

 

What rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

In principle, two types of explicit prior opt-in consent are required to conduct electronic marketing:

  • consent under the PIPA for the collection and use of personal data for marketing purposes, and
  • consent under the Network Act for the receipt of commercial advertising information sent via electronic means (Spam Consent).

However, Spam Consent is not required when contacting an individual for marketing purposes if there is an existing business relationship (i.e., using contact details obtained from transactions with the recipient for the same goods/services purchased within the past 6 months).

Additional requirements related to Spam Consent

If an intended recipient has granted, refused, or withdrawn Spam Consent for the receipt of electronic marketing communications, the instigator must provide notice of the following information within 14 days:

  • Name of the instigator;
  • The fact that Spam Consent was granted, refused, or withdrawn and the date thereof; and
  • The results of the measures taken by the instigator.

After obtaining a recipient’s Spam Consent for the receipt of telemarketing calls, the instigator is required to re-affirm the recipient’s Spam Consent every two years from the initial date of consent after providing notice of the following information:

  • name of the instigator;
  • the fact that the recipient has granted Spam Consent and the date when it was granted; and
  • methods for the recipient to express whether to maintain or withdraw his or her previous Spam Consent.

 

What rules specifically deal with cookies?

Under the PIPA, data handlers that process personal data are required to prepare and disclose (via their internet homepage, or any other method easily noticeable to data subjects) a privacy policy that includes, among other things, matters concerning the installation, operation, and the right to refuse a device that automatically collects personal data, such as internet access information files (i.e., cookies). In addition, see above for the rights of data subjects to contest automated decision-making.

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Under the PIPA, the PIPC may impose various administrative sanctions such as corrective orders, administrative fines (ranging from KRW 10 million to KRW 50 million), and administrative penalties (up to 3% of sales revenue less any amounts unrelated to the activity in violation of the PIPA) for various violations of the PIPA. Public prosecutors may also investigate any violations of the PIPA which are also subject to criminal punishment (ranging from imprisonment of 2 ~ 10 years or a criminal fine of KRW 20 million ~ KRW 100 million). Additionally, data handlers may become civilly liable to any data subjects who suffer damages as a result of such violations. Some examples of the most commonly cited violations (including those related to marketing rules) and corresponding penalties are provided below.

  • Failure to process personal data pursuant to consent or other legal bases may be subject to an administrative penalty of up to 3% of sales revenue and imprisonment (up to 5 years) or a criminal fine (up to KRW 50 million).
  • Failure per se to implement any security measures required by the PIPA may be subject to an administrative fine of up to KRW 50 million. A data handler may also face an administrative penalty of up to 3% of sales revenue for any loss, theft, leakage, falsification, alteration or damage of personal data in its possession unless it has duly implemented all security measures required by the PIPA.
  • Failure to obtain separate consent for the processing of personal data for promoting or soliciting the sale of goods or services may be subject to an administrative fine of up to KRW 10 million.
  • Failure to comply with the prohibition against denying goods or services to a data subject based on their refusal to provide consent as required under Article 22(1)(vii) may be subject to an administrative fine of up to KRW 30 million.
  • Failure to obtain Spam Consent prior to sending commercial advertising information via electronic means or failure to comply with any related requirements may be subject to an administrative fine of up to KRW 30 million.


In broad terms, what key factors should multinational organisations be aware of if they process personal data / information from individuals within this jurisdiction without being located there?

In addition to the aforementioned rules on cross-border transfers of personal data and factors that may increase the likelihood of the extraterritorial application of the PIPA, multinational organisations should also be mindful of the following:

  • Consent is the primary and most widely used legal basis for the processing of personal data in Korea. While the PIPA does permit the processing of personal data without consent under specific legal bases such as contractual or legal necessity, legitimate interest, or exigent circumstances, these alternatives are not commonly relied upon in practice. This is primarily due to the practical challenges and inconvenience involved in having to demonstrate the existence or applicability of these legal bases for each instance of data processing. For example, unlike under the GDPR, the controller’s ‘legitimate interest’ is recognised in Korea as a legal basis for the processing of personal data only under very limited circumstances, where such legitimate interest clearly overrides the rights of the data subject, the processing is substantially relevant to such legitimate interest, and the processing is conducted only to a reasonable extent. Consequently, reliance on these alternatives is less frequent than in other jurisdictions, as the burden of proving their relevance can be cumbersome, especially if data subjects or regulators raise concerns regarding the absence of consent.
  • Under the PIPA, data handlers are required to implement a comprehensive set of security measures to prevent the loss, theft, leakage, falsification, alteration or damage of personal data. These measures include: (i) establishing and implementing an internal control plan for the secure processing of personal data within the organisation; (ii) restricting and limiting access authority to personal data; (iii) using encryption technology or comparable measures to ensure the safe storage and transmission of personal data; (iv) maintaining access records and implementing measures to prevent the falsification or alteration of personal data to safeguard against data breaches; (v) installing and regularly updating security software for personal data protection; and (vi) implementing physical security measures, such as establishing secure storage facilities or installing locking devices. The specific standards for each of these security measures are detailed in the Standards of Personal Information Security Measures, issued by the PIPC under the PIPA.
  • It is important to note that the PIPC has shown an increasing tendency to rigorously enforce data privacy requirements against foreign companies processing large volumes of personal data of individuals in Korea. This trend is evident in the substantial fines imposed on Google and Meta for various violations of the PIPA in 2023. As such, multinational organisations handling significant amounts of data should prioritise compliance with the PIPA to mitigate legal risks.

 

What upcoming data protection developments should multinational organisations be aware of?

Under the recently amended Enforcement Decree of the PIPA, set to take effect on 15 September 2024, the standards for what constitutes valid consent will be heightened, with a particular focus on the voluntary nature of consent. As a result, the PIPC has announced that the practice of obtaining required consent will no longer be permissible from this date forward. However, the PIPC has not yet provided additional guidance on how, and to what extent, it plans to restrict the practice of obtaining required consent. We will likely need to wait for the publication of the relevant regulatory guidelines, expected around September, to gain further clarity on this matter. Consequently, data handlers may need to rely increasingly on other legal bases (e.g., contractual necessity, legitimate interest) for the collection and use of personal data that is essential for the provision of their services.

Need more information?
Contact a member firm:
Jongsoo (Jay) Yoon
Lee & Ko
Korea, Republic of