Republic of Korea: Personal Information Protection Commission released guidelines for personal information processing for development and utilisation of generative AI

On 6 August 2025, the Personal Information Protection Commission (PIPC) released the guidelines for personal information processing for the development and utilisation of generative artificial intelligence (AI). The guidelines provide a framework for lawful and secure personal data use throughout the lifecycle of generative AI. They aim to reduce legal uncertainty and support compliance with the Personal Information Protection Act (PIPA), offering tailored guidance for each stage of the lifecycle of generative AI systems. They cover defining processing goals and lawful bases based on data source types, developing strategies for different kinds of LLMs (service-based, off-the-shelf, or in-house), and applying safeguards during training to prevent data poisoning or overfitting, such as source checks, pseudonymisation, and filtering. For deployment and use, they set out procedures for testing, acceptable use, and ongoing monitoring. Governance requires enterprise-level oversight, led by a Chief Privacy Officer responsible for managing risk, monitoring vulnerabilities, and protecting user rights. The guidelines include technical and procedural safeguards such as privacy-enhancing technologies, encryption, access controls, and opt-out features, and align with international standards such as the UK AI Playbook, EU AI Privacy Risk Framework, and NIST Privacy Framework.