Fourteen years ago, I described Korea’s new data privacy Act, the Personal Information Protection Act (PIPA) as “Asia’s Toughest Data Privacy Law”,(1) listing 17 ways in which its principles went beyond those found in the OECD Guidelines or APEC standards. The adoption of the GDPR in 2016 meant that a global standard for a stronger privacy law now applied.

In March 2026 Korea promulgated what has been described as the “most consequential rewrite”(2) of PIPA(3) for some years, although it had been amended regularly since 2012. This paper considers just how consequential the 2026 amendments are likely to be, and where they position Korea in terms of Asian and global data privacy standards. They come into effect in September 2026.