Introduction to the PIPC Guideline on Generative AI (Aug 2025)
Korea’s Personal Information Protection Commission (PIPC) has issued a draft Guideline on Processing Personal Information for the Development and Use of Generative AI. The document reflects PIPC’s regulatory experience and its commitment to fostering AI innovation while ensuring compliance with privacy law. It is deliberately practical and aligns with international best practices, enabling organizations to apply a consistent approach across jurisdictions. Overall, this is a timely and focused contribution to the responsible adoption of AI.
Key positions and practical guidance
1. Publicly available data for training
Use is permissible where a legitimate‑interest–style assessment is satisfied (purpose legitimacy → necessity → balancing) and supported by safeguards. Organizations should respect explicit anti‑scraping signals (e.g., robots.txt, CAPTCHA), exclude sensitive or irrelevant data, and document their decisions.
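To make the robots.txt check concrete, here is a minimal Python sketch using only the standard library. The crawler name and URL are illustrative assumptions, and a real pipeline would add the other safeguards (sensitive‑data exclusion, decision logging) around this step.

```python
# Minimal sketch: honor a site's robots.txt before collecting a publicly
# available page for training data. User agent and URL are illustrative.
from urllib.robotparser import RobotFileParser
from urllib.parse import urlparse

def allowed_to_fetch(url: str, user_agent: str = "ExampleTrainingBot") -> bool:
    """Return True only if the site's robots.txt permits this crawler."""
    base = urlparse(url)
    rp = RobotFileParser()
    rp.set_url(f"{base.scheme}://{base.netloc}/robots.txt")
    rp.read()  # fetch and parse robots.txt
    return rp.can_fetch(user_agent, url)

if __name__ == "__main__":
    url = "https://example.com/articles/public-post"
    if allowed_to_fetch(url):
        print("robots.txt permits collection; apply remaining safeguards")
    else:
        print("explicit anti-scraping signal; exclude this source and document why")
```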
2. Reusing user inputs (prompts, logs) for improvement
Reuse may qualify as “additional use” without new consent when there is reasonable relatedness and predictability, minimal impact on individuals, robust filtering to remove personal data, and a simple, persistent opt‑out accompanied by clear notice.
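A minimal sketch of the filtering and opt‑out step, assuming a regex‑based redaction pass and an in‑memory opt‑out set (both illustrative; production PII detection would rely on far more robust tooling):

```python
# Sketch: redact common identifiers and honor opt-outs before a prompt/log
# record is reused for model improvement. Patterns and the opt-out store
# are simplifying assumptions, not part of the Guideline.
import re

PII_PATTERNS = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),   # email addresses
    re.compile(r"\b\d{2,3}-\d{3,4}-\d{4}\b"),  # phone-number-like strings
    re.compile(r"\b\d{6}-\d{7}\b"),            # resident registration number format
]

def redact(text: str) -> str:
    """Replace matched identifiers with a placeholder before reuse."""
    for pattern in PII_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text

def reusable_record(user_id: str, prompt: str, opted_out: set) -> "str | None":
    """Return a filtered record for training, or None if the user opted out."""
    if user_id in opted_out:
        return None  # honor the persistent opt-out
    return redact(prompt)
```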
3. Service architectures
– LLM‑as‑a‑Service: Prefer enterprise API terms that disable provider training by default. Use a Data Processing Addendum (DPA) to fix retention, reuse limits, deletion, sub‑processing controls, audit rights, and cross‑border transfer notices (a configuration sketch follows this list).
– Open‑weight / self‑built: Verify training‑data provenance, maintain model cards and license compliance, track updates/patches, and add safety layers during fine‑tuning/alignment.
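The sketch below shows one way to centralize such contractual controls in code. Every name here (the request shape, the training_opt_out flag, retention_days) is a hypothetical stand‑in, not any provider's actual API:

```python
# Hypothetical sketch: a single place to enforce DPA-mandated settings on
# every outbound LLM API call. Field names are illustrative assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class DPASettings:
    allow_provider_training: bool = False  # provider training disabled by default
    retention_days: int = 0                # zero retention unless the DPA says otherwise
    cross_border_transfer: bool = False    # transfers require notice under the DPA

def build_request(prompt: str, settings: DPASettings) -> dict:
    """Attach contractual data-handling flags to an API payload (illustrative)."""
    if settings.allow_provider_training:
        raise ValueError("provider training must stay disabled under the DPA")
    return {
        "prompt": prompt,
        "metadata": {
            "training_opt_out": True,
            "retention_days": settings.retention_days,
        },
    }

payload = build_request("summarize this contract", DPASettings())
```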
4. Technical and organizational measures
Implement data preprocessing; privacy‑enhancing technologies (PETs) such as pseudonymization, synthetic data, and differential privacy where appropriate; input/output filters; retrieval‑augmented generation (RAG) and agent safeguards; role‑based access control; audit logs; red‑teaming; and pre‑deployment privacy testing.
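As one concrete PET from the list above, here is a minimal pseudonymization sketch using a keyed hash (HMAC‑SHA256) so identifiers stay linkable across records without being exposed. Key management (rotation, separation from the dataset) is out of scope, and the key shown is a placeholder:

```python
# Sketch: deterministic pseudonymization of a direct identifier with a keyed
# hash; irreversible without the key, but stable for joining training records.
import hmac
import hashlib

SECRET_KEY = b"replace-with-managed-key"  # in practice, load from a KMS/secret store

def pseudonymize(identifier: str) -> str:
    """Map an identifier to a stable pseudonym."""
    digest = hmac.new(SECRET_KEY, identifier.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]  # truncated for readability

record = {"user": pseudonymize("hong.gildong@example.com"), "query": "[REDACTED]"}
```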
5. Data‑subject rights
Establish processes for access, rectification, deletion, and restriction. Where decisions are fully automated and have significant effects, ensure rights to refuse, to request an explanation, and to seek human review. The Guideline acknowledges current limits of model unlearning and recommends interim mitigations (filters, dataset updates, model refresh cycles) with transparent communication.
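To illustrate the “filters” mitigation named above, here is a minimal sketch of an output filter keyed to accepted deletion requests; the denylist store and substring matching are simplifying assumptions:

```python
# Sketch: suppress generations containing personal data covered by accepted
# erasure requests, as an interim stand-in while model unlearning matures.
DELETION_DENYLIST = {"hong gildong", "hong.gildong@example.com"}  # from deletion requests

def filter_output(model_output: str) -> str:
    """Withhold output that matches data subject to a deletion request."""
    lowered = model_output.lower()
    for term in DELETION_DENYLIST:
        if term in lowered:
            return "[response withheld: content subject to a deletion request]"
    return model_output
```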
6. Privacy Impact Assessment
Public bodies are required to conduct a Privacy Impact Assessment (PIA) when the applicable thresholds are met. Private organizations are strongly encouraged to undertake PIAs for high-impact use cases. The PIPC has explicitly stated that completing a PIA may be considered a mitigating factor in the assessment of penalties.