Executive Summary

On July 3, 2026, Korea's Personal Information Protection Commission (PIPC) unveiled its Third Basic Plan for Personal Information Protection, covering 2027 through 2029. Its core move is to grant a conditional exemption from the pseudonymization and anonymization that have long been treated as prerequisites for using personal data. If the data was collected lawfully, video, voice, and images can now be used to train AI in their raw form, provided the use clears the PIPC's review and a risk assessment.

Behind this lies a long-standing complaint from industry: the very signals AI needs to learn, such as facial expressions, the way people move through a disaster scene, or the surrounding context, are the ones erased during pseudonymization. The Commission's answer is to retire the blanket approach that blocked all data by the same yardstick and to steer toward a principle-based system that manages data in proportion to the risk it carries. This piece looks at how that shift rewrites the grammar of compliance.

As the door to raw data opens, the defense an enterprise can offer moves from a denial that it never used the data to a demonstration of which data it used, through what procedures, and under what controls. Being able to produce a dataset's lineage and risk history on demand, in other words data governance and provenance, becomes not an option but the infrastructure required to pass the review.

1

Why the Pseudonymization Safeguard Was Lifted

Until now, analyzing or using personal data in Korea has run, in practice, through a gate: pseudonymization, the masking of identifiers such as names and resident registration numbers. The path to using raw data was narrow, and pseudonymization served as the last safeguard protecting privacy.

The problem surfaced as the kind of data changed. With tabular, structured data, erasing identifiers does not badly damage statistical value. With video, voice, and images, the story is different. The moment a face is blurred, a voice is altered, and a background is wiped, the very signals AI needs to learn, the subtle shifts in expression or the paths people took through a disaster scene, vanish along with them. Industry has argued that pseudonymization keeps data safe at the cost of destroying its training value.

What masking identifiers keeps — and what it erases Structured data Names, ID numbers masked ✓ Statistical value holds Most analysis/training needs met Video & voice data Face, voice, background masked ✗ Training signal lost too Expression, movement, context lost
▲ Pseudonymization's impact on structured data vs. video/voice data | Original Pebblous diagram

The Third Basic Plan's exemption is aimed squarely at this point. For personal data that has already been collected lawfully, it creates an exception that allows use in raw form for the purpose of developing AI. It is more accurate to say that the safeguard was not removed outright, but that a different form of control was set as a condition, opening the door precisely where the nature of the data means pseudonymization undermines the purpose.

2

Not Permission, but Clearance

The exemption should not be read as unconditional approval. A company that wants to use raw data has to pass through two gates. One is the PIPC's review; the other is a risk-factor assessment that weighs, in advance, the risks that will arise from using the data. The door has opened, but a checkpoint stands in front of it.

Lawfully collected raw data PIPC review Gate 1 ▽ checkpoint Risk assessment Gate 2 ▽ checkpoint AI training The door has opened, but both gates must still be cleared
▲ The two gates raw data must clear before it can train AI | Original Pebblous diagram

That checkpoint did not appear out of nowhere. Back in December 2024, the PIPC had already established an AI Privacy Risk Assessment and Management Model, helping AI companies diagnose and manage their own risk. This Basic Plan is closer to an expansion built on that foundation, widening the scope of application to reach raw data.

The scope of what gets assessed widens along with it. Emerging technologies enter the frame: the accountability structure of agentic AI that decides and acts on its own, the rights protections owed by physical AI that gathers data from its surroundings in real time, and the prevention of cyber threats and data manipulation that abuse AI. At the same time, three sectors, telecommunications, education, and employment, are designated as high-risk areas, where the PIPC and the relevant ministries inspect and manage jointly. That is why any company holding data should first work out which gate it is standing in front of.

3

From Blanket Bans to Risk-Proportionate Management

The phrase running through this Basic Plan is a shift from uniform regulation to a principle-based system proportionate to the level of risk. Instead of drawing the same prohibition line across all data, it clears a path for low-risk uses and concentrates control on high-risk ones. The center of gravity moves from "do not use" to "manage in a way that fits the risk."

Before Blanket ban Same prohibition for all data Blocked even when risk is low shift After Risk-proportionate management Low risk → use is cleared High risk → control concentrated The regulatory shift set out in the Third Basic Plan (2027–2029)
▲ From blanket bans to risk-proportionate management | Original Pebblous diagram

The direction also moves toward prevention. Judging that heavier penalties after an incident can only go so far, the Commission is pursuing, in parallel, a CEO accountability rule that names executive responsibility, a coercive fine that raises the effectiveness of investigations, and a consent-decree scheme that waives sanctions when a company puts sufficient recurrence-prevention measures and victim compensation in place. Sharpening punishment and widening the path to lawful use sit inside a single plan. The PIPC itself described this three-year plan as centered on redesigning the personal data governance system for the AI environment and establishing a prevention-first protection framework.

The amended Personal Information Protection Act taking effect on September 11, 2026 had already opened an exemption for using pseudonymized data in AI training. This Third Basic Plan is the next step, a blueprint that conditionally opens even raw data that has not been pseudonymized. If the earlier amendment is the rule taking effect now, this plan is closer to setting the direction for 2027 through 2029. (Related report: analysis of the amended PIPA taking effect in September)

4

The Enterprise Shield Changes Shape

Once the path to using raw personal data opens, the shape of the shield a company can raise before regulators changes too. Until now, the safest answer was a denial that it had neither collected nor used the data. But the moment such use enters the realm of the lawful, "we didn't use it" becomes a choice that falls behind in competition. The new shield becomes "this is how we managed it," a demonstration of who used which data, through what risk assessment, and how.

The old shield "We didn't use it" Proves non-use of data Avoids use altogether swap The new shield "This is how we managed it" Shows source, consent, risk history Lineage ready to unfold on demand How the enterprise defense shifts once raw-data use enters the lawful realm
▲ The raw-data era changes how enterprises defend their data use | Original Pebblous diagram

That demonstration cannot be made in words. Where the data came from and within what consent and purpose scope it was collected, who accessed it under what authority during training, and which risk assessment it cleared, all of this has to be attached to the data as its history. Being able to unfold that lineage the moment a reviewer asks is the practical condition for passing the exemption.

Here the standing of data governance and provenance changes. They are no longer a nice-to-have management activity but a necessary condition for using raw data lawfully. Compliance moves from an after-the-fact response to a matter of infrastructure, something that has to be designed at the very entrance where data enters the pipeline.

5

What the Next Three Years Require

The Basic Plan also carries mechanisms to help companies: an AX Reassurance Support Center that resolves legal uncertainty, an expansion of regional data safe zones for handling pseudonymized and anonymized data securely, and an upgrade of the MyData platform that will widen from an initial ten fields into welfare, care, and healthcare. Yet however dense this support is, the responsibility for proving the right to use the data still rests, in the end, with the company that holds it.

So the checklist for any organization that wants to handle raw personal data is clear.

  • A system that records the source of the data, its lawful basis, and the scope of consent
  • A process that folds a risk assessment into the stage before training and runs it on an ongoing basis
  • A lineage-tracking structure that keeps access and processing history traveling with the data

The detailed implementing rules have yet to be announced, and much of the pass criteria and scope for risk assessments remains to be spelled out. But the direction is already set. The three years starting in 2027 are less about regulation that blocks data from being used than about regulation that requires proof it was used well. For organizations that prepare that proof in advance, the door stands open; for those that do not, it becomes a checkpoint they cannot pass. Thank you for reading.

R

References

Official Documents

  • 1.Personal Information Protection Commission. (2026). Third Basic Plan for Personal Information Protection (2027–2029): Promoting Trust-Based AI Innovation. Announced at the Ministerial Meeting on Economic Affairs (2026-07-03).
  • 2.Personal Information Protection Commission. (2024). AI Privacy Risk Assessment and Management Model.

Industry & Press

  • 3.Seoul Economic Daily. (2026). "Korea Overhauls Data Privacy Framework for AI Era." en.sedaily.com
  • 4.ZDNet Korea. (2026). "PIPC to Shift to Flexible AI-Applied Regulation: Third Basic Plan for Personal Information Announced." zdnet.co.kr
  • 5.Aju Business Daily. (2026). "PIPC Announces Third Basic Plan for Personal Information Protection: A Shift to AI-Era Tailored Regulation." ajunews.com
  • 6.The Korea Economic Daily. (2026). "PIPC Reforms the Personal Information Protection System for the AI Era." hankyung.com
  • 7.Financial News. (2026). "Government Pursues a Consent-Decree Scheme for Personal Data Breach Incidents." fnnews.com