Innovation and Data Privacy Are Not Natural Enemies: Insights from Korea’s Experience
The following is a guest post to the FPF blog authored by Dr. Haksoo Ko, Professor at Seoul National University School of Law, FPF Senior Fellow and former Chairperson of South Korea’s Personal Information Protection Commission. The guest post reflects the opinion of the author only and does not necessarily reflect the position or views of FPF and our stakeholder communities. FPF provides this platform to foster diverse perspectives and informed discussion.
1. Introduction: From “trade-off” rhetoric to mechanism design
I served as Chairman of South Korea’s Personal Information Protection Commission (PIPC) between 2022 and 2025. Nearly every day I felt that I was at the intersection of privacy enforcement, artificial intelligence policy, and innovation strategy. I was asked, repeatedly, whether I was a genuine data protectionist or whether I was fully supportive of unhindered data use for innovation. The question reflects a familiar assumption: that there is a dichotomy between robust privacy protection on one hand and rapid AI/data innovation on the other, and that a country must choose between the two.
This analysis draws on the policy-and-practice vantage point that I gained to argue that innovation and privacy are compatible when institutions establish suitable mechanisms that reduce legal uncertainty, while maintaining constructive engagement and dialogue.
Korea’s recent experience suggests that the “innovation vs. privacy” framing is analytically under-specified. The binding constraint is often not privacy protection as such, but uncertainty as to whether lawful pathways exist for novel data uses. In AI systems, this uncertainty is heightened by the intricate nature of their pipelines. Factors such as large-scale data processing, extensive use of unstructured data, composite modeling approaches, and subsequent fine-tuning or other modifications all contribute to this complexity. The main practical issue is less about choosing among lofty values; it is more about operationalizing workable mechanisms and managing risks under circumstances of rapid technological transformation.
Since 2023, Korea’s trajectory can be read as a pragmatic move toward mechanisms of compatibility—institutional levers that lower the transaction costs of innovative undertakings while preserving proper privacy guardrails. These levers include structured pre-deployment engagement, controlled experimentation environments, risk assessment frameworks that can be translated into repeatable workflows, and a maturing approach to privacy-enhancing technologies (PETs) governance.
Conceptually, the approach aligns with the idea of cooperative regulation: regulators offer clearer pathways and procedural predictability for innovative undertakings, while also deepening their understanding of the technological underpinnings of these new undertakings.
This article distills the mechanisms Korea has attempted in an effort to operationalize compatibility of privacy protection with the AI-and-data economy. The emphasis is pragmatic: to identify which institutional levers reduce legal and regulatory uncertainty without eroding accountability, and how those levers map to the AI lifecycle.
2. Korea’s baseline architecture of privacy protection
2.1 General statutory backbone and regulatory capacity
Korea maintains an extensive legal framework for data privacy, primarily governed by the Personal Information Protection Act (PIPA), and further reinforced through specific guidance and strong institutional capacity of the PIPC. The PIPA supplies durable principles and enforceable obligations, while guidance and engagement tools translate those principles and statutory obligations into implementable controls in emerging contexts such as generative AI.
The PIPA embeds familiar principles into statutory obligations: purpose limitation, data minimization, transparency, and various data subject rights. In AI settings, the central challenge has been their application: how to interpret these obligations in the context of, e.g., model training and fine-tuning, RAG (retrieval augmented generation), automated decision-making, and AI’s extension into physical AI and various other domains.
2.2 Principle-based approach combined with risk-based operationalization
Korea’s move is not “light-touch privacy,” but a principle-based approach combined with risk-based operationalization. The PIPC concluded that, given the uncertain and hard-to-predict nature of technological developments surrounding AI, adopting a principle-based approach was inevitable: an alternative like a rule-based approach would result in undue rigidity and stifle innovative energy in this fledgling field. At the same time, the PIPC recognized that a major drawback of a principle-based approach could be the lack of specificity and that it was imperative to issue sufficient guidance to show how principles are interpreted and applied in practice. Accordingly, the PIPC embarked on a journey of publishing a series of guidelines on AI.
In formulating and issuing these guidelines, an emphasis was consistently placed on the significance of implementing and operationalizing risk-based approaches. Emphasizing risk-based operationalization has several noteworthy implications. First, risk is a constant feature of new technologies, and pursuing zero risk is not realistic. As such, the focus was directed towards minimizing relevant risks, instead of seeking their complete elimination. Second, as technologies evolve, the resulting risk profile would also change continuously. Thus, putting in place procedures for periodic risk assessment would be crucial so that a proper mechanism for risk management could be at play. Third, a ‘one-size-fits-all’ approach would rarely be suitable, and multiple tailored solutions often need to be applied simultaneously. Furthermore, it is advisable to consider the overall risk profile of an AI system rather than concentrating on a few salient individual risks. This is akin to the Swiss cheese approach in cybersecurity: deploying multiple independent security measures at multiple layers on the assumption that every layer may have unknown vulnerabilities.
Through a series of guidelines, the PIPC indicated that compliance can be achieved by implementing appropriate safety measures and guardrails that are proportionate to the risks at issue. Some of the guidelines that the PIPC issued include guidelines on pseudonymizing unstructured data, guidelines on utilizing synthetic data, guidelines on data-subject rights in automated decision-making, and guidelines on processing data captured by mobile hardware devices (such as automobiles and delivery robots).
3. Mechanisms of compatibility: What Korea has deployed
The PIPC devised and deployed multiple mechanisms to convert the “innovation vs. privacy” framework into a tractable governance program. They function as a portfolio: some instruments reduce uncertainty through ex ante engagement, while others enable innovative experimentation under structured constraints. Still others turn principles into repeatable compliance workflows. The PIPC aimed to offer organizations a set of options, acknowledging that, depending on the type of data and the purposes for which the data would be used, different data processing needs would arise. The PIPC recognized that tailored mechanisms would be necessary to address these diverse requirements effectively.
3.1 Case-by-case assessments to reduce uncertainty
AI services could reach the market before regulators can fully resolve novel interpretive questions. In some cases, regulators may commence investigations after new AI services have been launched. As such, businesses may have to accept that they may face regulatory scrutiny ex post. The uncertainty resulting from this unpredictability could make innovators hesitant to launch new services. Accordingly, the PIPC has implemented targeted engagement mechanisms designed to deliver timely and effective responses on an individual basis. For organizations, this provides predictability in an expedited manner. The PIPC, on the other hand, through these mechanisms, would gain in-depth information about the intricate details and inner workings of new AI systems. By adopting this approach, the PIPC could develop the necessary expertise to make well-informed decisions that are consistent with current technological realities. The following provides an overview of several mechanisms that have been implemented.
(1) “Prior adequacy review”: Structured pre-deployment engagement
A “prior adequacy review” refers to a structured pre-deployment engagement pathway. The participating business would, on a voluntary basis, propose a data processing design and safeguard package in consideration of the risks involved; the PIPC would then evaluate the adequacy of the proposal against the identified risks; and, if deemed adequate, the PIPC would provide ex ante comfort that the proposed package aligns with the PIPC’s interpretation of the law.
The discipline is the trade: reduced uncertainty in exchange for concrete safeguards and future audits. Safeguard packages could include structured data sourcing and documentation, minimization and de-identification of data where feasible, strict access control, privacy testing and red-teaming for model outputs, input and output filtering for data privacy, and/or structured handling of data-subjects’ requests.
More than a dozen businesses have used this mechanism as they prepared to launch new services. One example is Meta’s launch of a service in Korea for screening and identifying fraudulent advertisements that use celebrities’ images without their authorization. While there was a concern about the legality of processing someone’s images without his/her consent, the issue was resolved, in part, by considering the technological aspect that can be called the “temporary embedding” of images.
(2) “No action letters” and conditional regulatory signaling
A “no action letter” is another form of regulatory signaling: under specified facts and conditions, the PIPC clarifies that it will not initiate an enforcement action. The overall process for a “no action letter” is much simpler than for a prior adequacy review. Its development was informed by the “no action letter” framework, which is widely used in the financial sector.
Where used, its value lies in reducing uncertainty significantly, in return for an articulated set of commitments by the business. Although preparatory work had taken place earlier, the mechanism was officially implemented in November 2025. The first no action letter was issued in December 2025 for an international research project that used pseudonymized health data of deceased patients.
(3) “Preliminary fact-finding review”
A “preliminary fact-finding review” serves as an expedited evaluative process particularly suited to rapidly evolving sectors. Its primary objective is to develop a comprehensive understanding of the operational dynamics within an emerging service category and to identify pertinent privacy concerns. Although this review may result in the issuance of a corrective recommendation, which is a form of administrative sanction, issuing such a corrective recommendation is typically not a principal motivation for conducting a preliminary fact-finding review.
For organizations, the value of this review process lies in gaining directional clarity without having to worry about the possibility of immediate escalation into a formal investigative proceeding. For the PIPC, the value is an enlightened understanding of market practices, which in turn serves to inform guidance and targeted supervision.
In early 2024, the PIPC conducted a comprehensive review of several prominent large language models, including those developed or deployed by OpenAI, Microsoft, Google, Meta, and Naver. The assessment focused on data processing practices across pre-training, training, and post-deployment phases. The PIPC issued several minor corrective recommendations. As a result of this review, the businesses obtained legal and regulatory clarity regarding their data processing practices associated with their large language models.
3.2 Controlled experimentation environments: Providing “playgrounds” for R&D
A second group of mechanisms centers on establishing controlled experimental environments. For instance, in situations requiring direct access to raw data for research and development, policy priorities shift towards enabling experimentation while simultaneously reinforcing safeguards that address the corresponding heightened risks. The following is an overview of several specific mechanisms that were implemented in this regard.
(1) “Personal Data Innovation Zones”
“Personal Data Innovation Zones” provide secure environments where vetted researchers and firms can work with high-quality data in a relatively flexible manner. The underlying idea is an appropriate risk-utility calculus. That is, once a secure data environment—an environment that is more secure than usual with strict technical and procedural controls—is established, research within such a secure environment can be conducted with more room for flexibility than usual.
Within a Personal Data Innovation Zone, for instance, data can be used for a long period of time (up to five years with a renewal possibility), data can be retrieved and reused rather than being disposed of after one-time use, and adequacy review of pseudonymization can be conducted using sampled data, instead of reviewing the entire dataset. So far, five organizations, such as Statistics Korea and Korea National Cancer Center, have been designated as having satisfied the conditions for establishing secure data environments.
(2) Regulatory sandboxes for personal data
Regulatory sandboxes for personal data permit time-limited experiments under specific conditions designed by regulators. Through this mechanism, approval may be granted to organizations that have implemented suitable safeguard measures. One example of this mechanism that has supported new technological developments is a case involving the use of unobfuscated original video data to develop algorithms for autonomous systems such as self-driving cars and delivery robots. Developing algorithms for self-driving cars and delivery robots would almost inevitably require permitting the use of unobfuscated data since, otherwise, it would be exceedingly cumbersome to obfuscate or otherwise de-identify personal data that can be found in all of the video data to be used. In the review process, certain conditions would be imposed in order to safeguard the data properly, often emphasizing strict access control and the management of data provenance.
(3) Pseudonymized data and synthetic data: From encouragement to proceduralization
The PIPC has also moved from generic endorsement of privacy-enhancing technologies (PETs) to procedural guidance. Pseudonymized data and synthetic data are the clearest examples. A phased process was developed—preparation, generation, safety/utility testing, expert or committee assessment, and controlled utilization—with an emphasis on risk evaluation.
Some organizations, in particular certain research hospitals, established data review boards (DRBs), although doing so was not a statutory requirement. A DRB’s role would include, among others, evaluating the suitability of using pseudonymized data, assessing the identifiability of personal data from a dataset that is derived from multiple pseudonymized datasets, and assessing identifiability risks from synthetic data.
4. Institutional design features that make the mechanisms credible
4.1 Building credibility and maintaining active channels of engagement
Compatibility is not achieved by guidance alone. Pro-innovation tools require institutional credibility. From the perspective of businesses, communicating with regulators can readily trigger anxiety. Businesses may worry that information they share could invite unwanted scrutiny. Given this anxiety, regulators need to be proactive and send out a consistent and coherent signal that information gathered through these mechanisms will not be used against the participating businesses. Maintaining sustained and reliable communication channels is critical.
4.2 Expertise and professionalism as regulatory infrastructure
Case-by-case reviews, sandboxes, and risk models are only credible if the regulator has expertise in data engineering, AI system design, security, and privacy risk measurement—alongside legal and administrative capacity. To be effective, principle-based regulation requires sophisticated interpretive capability.
5. Implications: Why compatibility is plausible
Korea’s experience shows that the “innovation vs. privacy” framing is analytically under-specified. At an operational level, greater challenges tend to occur at the intersection of uncertainty, engagement, and institutional capacity. When legal and regulatory interpretations are vague and enforcement is unpredictable, innovators may perceive privacy as a barrier. When safeguards are demanded but not operationalized, privacy advocates may perceive innovation policy as de facto deregulation.
Korea’s mechanisms have attempted to resolve new challenges by translating principles into implementable controls, creating structured engagement and experimentation pathways. Privacy law does not inherently block innovation; poorly engineered compliance pathways do.
6. Conclusion
Korea’s experience supports a disciplined proposition: innovation and data privacy are compatible when compatibility is properly designed and executed. Compatibility does not come from declaring a balance; it comes from mechanisms that reduce uncertainty for innovators while increasing the credibility of the adopted safeguards for data subjects.
Korea’s toolkit—a principle-based approach combined with risk-based operationalization, structured risk management frameworks, active engagement channels, and credibility supported by professionalism and expertise—offers privacy professionals and policymakers a practical reference point for governance in the AI era.