South Korea Reworks Privacy Policy Rules to Reflect the Realities of Generative AI

Key Takeaways

• Privacy Policies Get a Practical Overhaul: The Personal Information Protection Commission revised its guidelines to improve readability while reducing administrative burden and strengthening transparency for individuals.
• More Flexible Disclosure and Notification Rules: Organizations can group third-party recipients into categories and take a risk-based approach to notifying policy changes, with stricter expectations for high-impact updates.
• Clearer Boundaries for On-Device Processing: The guidelines distinguish between data stored on external servers and data processed entirely on-device, shaping when full privacy policies are required versus encouraged disclosures.
• Generative AI Transparency Takes Center Stage: A new annex pushes organizations to disclose AI use cases, handling of user inputs and outputs, model training practices, opt-out options, and complaint channels.

Deep Dive

South Korea’s Personal Information Protection Commission is adjusting how it expects companies to explain their data practices, updating its Guidelines on Writing a Privacy Policy to better reflect how information is actually handled in an era shaped by generative AI and on-device computing.

The changes do not reinvent the concept of a privacy policy. Instead, they quietly reshape it and make room for the messier, more dynamic ways data now moves through modern services, while trying to keep the end result understandable for the people reading it.

A privacy policy, the PIPC notes, remains a core tool for telling individuals what information is collected and how it is used. But the regulator is also acknowledging a tension that has been building for years. Policies have grown longer and more complex, even as the systems they describe have become harder to pin down. The revisions are meant to ease that strain, reducing administrative burdens for organizations while reinforcing individuals’ rights to understand and control their data.

Some of the most immediate changes are practical.

Companies that rely on large, shifting groups of third parties (delivery workers, drivers, and similar roles) will no longer be expected to list every recipient individually in their policies. They can group them into categories instead. The catch is that the detail cannot disappear. Users must still be given a clear way to access the full list when they want it.

The same pragmatism shows up in how policy changes are communicated. Updates that could materially affect people’s rights need to be disclosed promptly. But lower-risk adjustments, like changes to subcontractor lists, can be bundled and disclosed within a set period, such as four weeks. It is a small shift, but one that reflects how frequently these lists now change in practice.

The guidelines also draw clearer boundaries around on-device processing, an area that has grown alongside the spread of AI features built directly into smartphones and other devices. If personal data is stored on external servers, a privacy policy is still required, even if some processing happens locally. Where data never leaves the device, organizations are encouraged to explain that fact and describe how the data is deleted, rather than being subject to the same formal requirements.

There are also more explicit expectations for data processors. Privacy policies now need to include information such as the chief privacy officer and details about subcontractors, elements the PIPC links directly to protecting individuals’ rights.

For behavioral data, the regulator is pushing for something more tailored. Instead of generic, catch-all explanations, the updated guidance introduces scenario-based approaches designed to help organizations describe their data use in ways that actually match how it works. Short-form privacy notices are also tightened up, with clearer requirements around what must be disclosed—from data categories and purposes to retention periods and how individuals can exercise their rights.

The most telling addition, though, sits at the back of the document.

A new annex focuses entirely on generative AI services, reflecting how central they have become to the data landscape. It encourages companies to be upfront about how these systems are used, including what they are for, who they are built for, and what happens to the information users put into them. That includes inputs like text, voice recordings, and attachments, as well as the outputs generated by the systems themselves.

The guidance also points to questions that have quickly moved from theoretical to practical. Are user inputs being used to train AI models? Can users opt out? What happens if an output is inappropriate, and how can it be reported? Companies are expected to address these points directly in their policies, and to take particular care when sensitive or uniquely identifiable information is involved.

To help organizations work through the changes, the PIPC is holding a briefing session for practitioners on April 28 at the Korea Science and Technology Center.

Secretary-General Cheongsam Yang put the revisions in the context of a fast-moving technological environment, emphasizing the need for people to better understand how and why their data is being processed.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.