What happened
South Korea promulgated a major revision to its Personal Information Protection Act (PIPA) with an effective date of September 11, 2026. The revision introduces punitive fines of up to 10% of total turnover and explicitly assigns supervisory data protection responsibility to the CEO.
Why it matters
The 10% turnover ceiling makes South Korea's penalty regime among the most aggressive globally, surpassing the EU's GDPR maximum of 4%. For organisations using AI systems that process personal data of Korean citizens, the CEO-level accountability requirement raises the stakes for AI governance.
Action needed
Organisations with AI deployments processing data of South Korean individuals should begin gap assessments against the revised PIPA now, ahead of the September 2026 effective date. Ensure CEO-level governance frameworks are documented.