AIRiskAware

South Korea 10 min read 2026

AI Governance in South Korea: The AI Basic Act, Personal Information, and Sector Regulation

South Korea enacted its AI Basic Act in December 2024, one of the first comprehensive national AI laws outside the EU. This is the complete 2026 governance guide to the Act, the PIPA (personal information law), sector regulators, and Korea's technology leadership.

Key Takeaways

  • South Korea's AI Basic Act, enacted December 2024 and entering force in 2026, creates a risk-based framework for AI governance — one of the first comprehensive national AI laws globally, following the EU AI Act.

  • The AI Basic Act designates 'high-impact AI' (고영향 AI) — AI used in areas including employment, credit, healthcare, and public safety — as subject to the most stringent obligations including impact assessments and transparency requirements.

  • The Personal Information Protection Act (PIPA) and the Korea Communications Commission have created specific guidance on AI and personal data — requirements for consent, purpose limitation, and automated decision-making rights parallel GDPR.

  • The Financial Services Commission (FSC) and Financial Supervisory Service (FSS) have issued AI governance guidance for financial institutions — model risk management, explainability, and fairness testing are all expected.

  • South Korea's technology sector — Samsung, LG, Kakao, Naver, SK — is among the most AI-active globally, and Korean tech companies face both domestic AI regulation and EU AI Act obligations for their European operations.

"For informational purposes only. This article does not constitute legal, regulatory, financial, or professional advice. For specific advice, please consult a qualified professional."

The AI Basic Act: Korea's comprehensive AI framework

South Korea's Framework Act on Artificial Intelligence (인공지능 기본법), enacted in December 2024, represents a significant step in Korea's AI governance development. The Act establishes a risk-based framework that distinguishes between general AI and "high-impact AI" (고영향 AI) — AI deployed in contexts where errors could have serious consequences for individuals or society. High-impact AI contexts include: employment and human resource decisions, credit assessment and financial services, education and examination assessment, medical diagnosis and healthcare, and public safety and law enforcement.

High-impact AI deployers face specific obligations under the Act: notification to users that they are interacting with AI, transparency about AI capabilities and limitations, human oversight mechanisms ensuring individuals can request human review of AI decisions, impact assessment requirements for certain deployments, and registration with designated regulatory authorities. The specific implementation details are elaborated in subordinate regulations and sector-specific guidance that continued to develop through 2025 and 2026.

PIPA and AI: personal data obligations

Korea's Personal Information Protection Act (PIPA), substantially amended in 2023, creates specific obligations for AI systems processing personal data. The PIPA's automated decision-making provisions — modelled partly on GDPR Article 22 — give individuals the right to refuse decisions made by automated means if those decisions significantly affect their legal status or have major consequences. Where such decisions are made, the data subject can request explanation of the decision and human review. For financial services, employment, and healthcare AI, these rights are particularly significant.

The Personal Information Protection Commission (PIPC) has been active in developing AI-specific guidance under PIPA, including guidance on AI training data consent, transparency obligations for AI systems, and the application of automated decision-making rights in commercial contexts. PIPC enforcement on AI matters has increased significantly, with investigations into major Korean tech companies' AI data practices.