MLex exclusive: South Korea's privacy chief reflects on a year of transformation

In its relatively short history, South Korea's Personal Information Protection Commission has emerged as a key privacy regulator, notably imposing significant fines on tech giants such as Google and Meta Platforms for privacy infringements. In an exclusive interview with MLex®, Chairman Ko Hak-soo reflects on his eventful first year at the helm and the path he's forging for a country on the cusp of transformation. Battling challenges posed by the AI juggernaut with resource constraints, Ko is determined in his mission: to balance the scales of innovation and individual rights and ensure that privacy does not become the price paid for progress. In his eyes, “trust” is the linchpin that achieves this delicate balance.

Keep scrolling for this deep dive from MLex, or start your 14-day free trial now to unlock more critical insights from this interview.

13 November 2023
By Jenny Lee

Looking back on a year full of legislative milestones and groundbreaking shifts in technology, South Korea’s privacy chief, Ko Hak-soo, admits that it hasn't all been sunshine and roses.

Since taking the reins of the Personal Information Protection Commission, or PIPC, in September last year, Ko has been acutely aware of the gravity of his role, which involves steering the course of privacy governance through the relentless tide of digital transformation.

This past year has been anything but simple. The rise of artificial intelligence, or AI, and other cutting-edge technologies has brought to light new, more complex privacy issues. Ko, who is guiding an agency in its infancy and with limited resources, has had to tackle these challenges head-on while simultaneously championing innovations that uplift society.

Yet, through each hurdle, he remains committed to a vision of fostering trust — trust in the systems that manage personal information and trust that this data, even when utilized, remains secure. He sees winning over trust from those whose data is at stake as the foundational pillar for propelling South Korea toward a future where privacy and innovation coexist and thrive.

Sitting down with MLex for an exclusive interview, Ko opens up about his pivotal first year the job: the victories, the struggles, and the path he's forging for a country on the cusp of transformation.

Charting uncharted waters

During Ko’s tenure, the PIPC has made great strides. The commission forged ahead with pioneering policy reforms and has not shied away from robust enforcement action against global tech giants such as Google and Meta Platforms.

The PIPC's best work, which Ko holds dear, culminated in February when a major overhaul of South Korean privacy legislation was passed by parliament, secured government endorsement in March and was put into effect in September.

This revamp has already ignited, and is poised to further drive, sweeping changes across the data-privacy landscape. They include a rise in the fine caps for privacy violations, amplified rights for data subjects, a move towards greater alignment with global standards and a refinement to the privacy framework that resonates with the demands of the digital age.

“The overhaul of the Personal Information Protection Act is of tremendous importance because it heralds an array of fundamental changes, both big and small,” the chairman says. “But more crucially, it serves as a catalyst for us to go beyond the letter of the law and shape the future course of our commission. As a newly established entity, we have spent the past three years establishing a solid base. Now, with the law’s amendment, we stand at a pivotal juncture, ready to map out a vision for future initiatives.”

Infused with a renewed sense of purpose, the PIPC is gaining significant traction in charting new territory. Ko’s approach is steering the agency through a policy-making marathon, where recent efforts have concentrated on crafting a comprehensive policy roadmap for AI governance.

This blueprint, unveiled to the public in August, advocates for a principles-based approach to AI regulation, prioritizing flexibility over fixed rules. It offers a set of expansive, adaptable guidelines designed to dovetail with the varied and complex nature of AI development and usage.

In tandem with the regulation of AI, South Korea is also devoting resources to expanding the MyData service, an initiative fostering data portability that allows individuals to seamlessly transfer their personal data to online platforms and services.

Born from a recent legislative update that grants data subjects the ability to ask for their data to be transferred to themselves or to third-party data controllers, the MyData service, Ko believes, will be a key enabler of digital autonomy. He anticipates that it will catalyze a transformative shift, empower individuals to manage the movement of their own data, challenge the status quo of corporate data monopolies, spur innovative enterprises and reshape the structure of the data-driven economy.

Navigating challenges

Amid a flurry of follow-up activities emanating from these changes, Ko confesses that leading the agency has not been without its trials.

“The challenges are innumerable,” the commissioner says, his smile masking the resilience required for this daunting role.

For Ko, a significant challenge has been cementing the commission's presence and role within the government and across industries. In the three years following its creation in August 2020, the PIPC has grappled with a lack of recognition—its existence or critical functions were at times obscure to many.

“Although awareness has improved in recent years, many still lack a clear understanding of the agency's objectives and duties,” he says.

Adding to this is the breakneck speed of technological advancements. AI and other technologies fueled by personal data such as biometrics and video footage, are reshaping the world faster than traditional policy frameworks can adapt. Products and services such as OpenAI's ChatGPT are emerging globally, bringing with them a host of new challenges that demand quick and thorough policy action.

In this whirlwind of innovation, Ko’s PIPC operates under challenging circumstances. Despite a modest budget and limited manpower, the commission shoulders a monumental task. It is called upon not only to identify and proactively head off privacy concerns but also to chart the course for policy in a landscape that is constantly evolving. The PIPC is one of the smallest central government agencies at the ministerial level, with just four departments, 15 teams and 172 employees.

“The challenge lies in not only responding to change but also in predicting the concerns and unintended consequences of technology before they fully manifest,” the chairman says. “We're now seeing a surge in the demand for new policies and guidelines, growing faster than ever before. Addressing this in a timely manner is indeed a formidable task, especially when you consider that it all falls on the shoulders of our compact team.”

Anchoring trust in turbulent times

Despite these pressures, Ko and his agency are clear about their objectives.

They are carving out a role as a dependable guiding force for businesses, especially in navigating the intricate “gray areas” that often leave them grappling with the legality of their personal-data handling practices.

Simultaneously, they are determined to ensure accountability in monitoring and addressing the data-handling operations of businesses, big and small, local and international. This vigilant oversight acts as a shield against the misuse of South Koreans' personal data, no matter where the threat originates.

Yet, these efforts are not just isolated goals. They are part of a grander scheme that embodies the commission's fundamental principle — to balance the scales of innovation and individual rights, ensuring that privacy does not become the price paid for progress.

“Many have asked me since I took office whether I am an advocate for personal data protection or utilization,” Ko says. “However, this is not a matter of choice between the two — it’s about establishing trust.”

For Ko, the answer lies in a harmonious approach that does not compromise one for the other but rather strikes a delicate equilibrium where trust of data subjects serves as the linchpin.

“The debate should move beyond the binary of protection versus usage to how we can establish trust,” he says. “This requires that we protect adequately while also facilitating the necessary use of data.”

The privacy chief stresses the maintenance of rigorous safeguards for personal data to avert potential risks, alongside the cultivation of a trust-centric environment for its use. “However, it's equally important to critically re-examine and modernize any regulations that are out of step with current realities,” he added.

“Misguided regulatory approaches have the potential to halt technological progress and curb the expansion of the data-usage sectors, simultaneously endangering privacy protections,” he points out. “Our approach must involve laying down fundamental principles and tailoring regulations to fit the nuances of each case.”

Ko emphasizes that this approach is especially critical amid the fast-paced changes driven by AI and evolving technologies, where uncertainty often looms for businesses and consumers alike.

For more content from this exclusive interview and to access our specialist Data Privacy & Security reporting in real time, start your free trial today.

Free 14-day trial

, including

An independent news agency, MLex® provides exclusive market insight and real-time reporting on regulatory risk from 15 bureaus across the globe.

See for yourself why we're trusted by the world’s leading law firms, corporations, consultancies and regulators.

MLex exclusive: South Korea's privacy chief reflects on a year of transformation

Charting uncharted waters

Navigating challenges

Anchoring trust in turbulent times

More from this interview

More news from Asia-Pacific

Top news from Europe

Top news from North America

MLex podcasts

Image captions