On 12 February 2026, the National Assembly adopted Bill No. 2216765, which amends the Personal Information Protection Act by consolidating 14 previously proposed amendments into a single framework. The Bill clarifies responsibilities and establishes oversight structures. The Bill designates the business owner or representative as the ultimate party responsible for processing and safeguarding personal information. Personal information processors who meet the criteria set out in the Presidential Decree must report the appointment of a personal information protection officer, whose role is further reinforced to include personnel management and budget oversight. The Bill also introduces mandatory personal information protection certification for processors meeting standards related to sales volume and the scale of data processing, aiming to improve the reliability and security of personal data management systems. Notification requirements are expanded to cover not only loss, theft, or leakage, but also forgery, alteration, or damage of personal data. Companies must also notify authorities when there is a potential risk of leakage, as defined by the Presidential Decree. Finally, the Bill establishes penalties for repeated or serious breaches. Companies responsible for intentional or grossly negligent violations affecting over 10 million individuals, repeated violations within three years, or failure to follow corrective orders may face surcharges of up to 10% of total sales. The surcharge may be reduced under specific conditions, such as investments in personnel, facilities, and preventive measures, to encourage proactive compliance.