Republic of Korea: Issued preliminary findings and recommendations following PIPC investigation into AI service providers' compliance with Personal Information Protection Act

On 28 March 2024, the Personal Information Protection Commission (PIPC) issued recommendations following an investigation into artificial intelligence (AI) service providers compliance with the Personal Information Protection Act. Specifically, the PIPC assessed the data protection compliance of 6 operators who develop or distribute large-scale language models (LLMs) or provide AI services based on them and issued recommendations to rectify non-compliance with the Act. The recommendations aim to strengthen efforts to remove critical personal identification information during training with publicly available data, enhance guidance related to the training and use of user input data, and ensure specificity in personal information handling policies and rapid response to vulnerabilities discovered. The PIPC noted that non-compliance was related to the processing of publicly available data, processing user input data, and measures for preventing or responding to personal information infringement and transparency.