Republic of Korea: Personal Information Protection Commission opened consultation on draft standards for cross-border privacy rules certification

On 28 July 2025, the Personal Information Protection Commission (PIPC) opened a public consultation on the draft standards on Cross-Border Privacy Rules (CBPR) certification to support domestic companies in obtaining certification under the Global Cross-Border Privacy Rules (CBPR) Forum, until 16 August 2025. The standards apply to Korean companies engaged in cross-border data transfers, particularly those in digital services and data processing sectors. The draft sets out 50 certification criteria based on the Asia-Pacific Economic Cooperation (APEC) Privacy Framework’s nine privacy principles. It introduces obligations, including separating certification issuance and audit functions, requiring certification assessors to hold Information Security Management System - Personal Information Protection (ISMS-P) auditor qualifications. It also requires having at least 20 audit days within the past two years, and complete CBPR assessor training, and establishing a certification committee of qualified experts.