SOUTH KOREA Law and Practice Contributed by: Brian Tae-Hyun Chung, Haewon Han, Ari Yoon and Jisoo Yoo, Kim & Chang
• Obligations for high-performance AI: AI busi - ness operators offering AI with a significant cumulative amount of compute used for training that surpasses a certain threshold are required to identify, assess, and mitigate risks throughout the AI lifecycle, as well as establish a risk-management system to moni - tor and address AI-related safety issues and report the results to the MSIT. The AI Framework Act relies on the existing PIPA regulations when it comes to personal informa - tion. The PIPC plays a key role in shaping these regulations. • The PIPC is actively developing AI-related policies, having published six guidelines that define the application principles and stand - ards of the PIPA. These guidelines cover topics including publicly disclosed informa - tion, unstructured data, biometric information, synthetic data, mobile image devices and transparency. • In 2023, the PIPA was amended to introduce regulations on automated decisions made by fully automated systems, such as AI. Under these regulations, data subjects have the right to request explanations of automated deci - sions and, in some cases, the right to refuse them. Data controllers must disclose the standards and procedures for these decisions and how personal information is processed, ensuring that data subjects can easily under - stand this information. • Between 2023 and 2024, the PIPC inspected how AI service providers handle personal information. As a result, it recommended improvements, such as enhancing protec - tions for personal information used in AI training data and ensuring AI service provid - ers clearly notify users that their input data is being reviewed.
• The PIPC also introduced the AI Privacy Risk Management Model, a guide to help AI service providers manage privacy risks effectively. This model outlines procedures for identifying, measuring and mitigating privacy risks associated with different AI models and applications. 1.6 Interplay Between AI and Data Protection Regulations The AI Framework Act will take effect in the first half of 2026 after one year from its promulgation. Details such as the scope of AI-related obliga - tions, the method of performance, and the level of performance will be determined by the subor - dinate laws and regulations. As the subordinate laws and guidelines for the AI Framework Act are expected to be established in 2025, it is neces - sary to keep an eye on the legislative trend. In terms of personal information, as explained in 1.5 AI Regulation , the AI Framework Act relies on the existing PIPA regulations, and the PIPC plays a key role in shaping these. The PIPC believes that applying the principle of personal information protection in a balanced manner is essential for maximising the benefits and oppor - tunities of using AI, while minimising the risk of personal information infringement potentially caused by AI. In particular, the PIPC seeks to promote the use of data by resolving legal uncer - tainties through the following systems. • Regulatory sandbox: Under certain condi - tions, products or services using new AI tech - nologies can be first released and tested and verified without being subject to all or part of the existing personal information regulations, thereby promoting the use of data necessary for the development and provision of AI. • Preliminary adequacy review system: If it is uncertain whether a service provider can
391 CHAMBERS.COM
Powered by FlippingBook