Korea's Data Governance Framework

The Personal Information Protection Act: Korea's Data Constitution

The Personal Information Protection Act (PIPA) serves as the cornerstone of South Korea's data governance framework and one of the most comprehensive data protection laws in the Asia-Pacific region. Originally enacted in 2011 and substantially amended through the Data Three Acts reform of 2020 and subsequent updates in 2023, PIPA establishes the legal framework governing the collection, use, storage, and transfer of personal information by both public and private entities. For K-Moonshot, PIPA creates the regulatory environment within which AI training data is sourced, processed, and governed, directly affecting the programme's capacity to develop sovereign AI models and data-intensive research applications.

PIPA is enforced by the Personal Information Protection Commission (PIPC), an independent regulatory body established in 2020 as part of the Data Three Acts reform. The PIPC assumed data protection authority previously distributed across multiple ministries, creating a unified regulatory structure analogous to the EU's national data protection authorities under the GDPR. The PIPC's enforcement powers include the authority to issue corrective orders, impose administrative fines of up to 3 percent of relevant revenue, and refer cases for criminal prosecution in severe violations.

The Data Three Acts Reform: Unlocking Data for AI

The Data Three Acts reform of August 2020 represented the most significant overhaul of Korea's data governance framework since PIPA's original enactment. The reform amended three statutes: PIPA, the Act on the Promotion of the Use and Protection of Credit Information, and the Act on the Use and Protection of Location Information. The amendments were designed to unlock the economic value of data while maintaining robust privacy protections, a balance particularly relevant to K-Moonshot's data-intensive missions.

Pseudonymization Framework

The most consequential element of the Data Three Acts reform was the introduction of a comprehensive pseudonymization framework. Under the reformed PIPA, pseudonymized data, personal information processed so that individuals cannot be identified without additional information, may be used for purposes beyond the original collection purpose, including statistical analysis, scientific research, and archiving in the public interest, without obtaining additional consent from data subjects.

This pseudonymization framework is critical for K-Moonshot's AI research missions. Mission 1 (Drug Development Acceleration) requires access to large-scale health data for AI-driven drug discovery and clinical trial optimization. Mission 2 (Brain Implant Commercialization) generates sensitive neural data that must be managed under strict privacy constraints. Mission 7 (Physical AI Models) leverages industrial data from manufacturing processes. In each case, the pseudonymization framework provides a legal pathway for using personal and sensitive data in AI research without requiring individual consent for each research use, significantly reducing the data access barriers that would otherwise constrain mission-critical R&D.

Unified Regulatory Authority

The reform consolidated data protection regulatory authority under the PIPC, resolving jurisdictional overlaps that had previously created regulatory uncertainty and compliance complexity. This consolidation provides K-Moonshot research institutions and companies with a single regulatory interlocutor for data governance questions, simplifying compliance and enabling more consistent interpretation of data protection requirements across different mission areas.

MyData Initiative: Data Portability for Innovation

Korea's MyData initiative represents one of the world's most ambitious government-led data portability programmes. Launched initially in the financial sector and subsequently expanded to healthcare, telecommunications, and public services, MyData establishes the right of individuals to access, control, and authorise the sharing of their personal data across institutions and sectors.

Financial MyData

The financial MyData programme, operational since 2022, allows individuals to consolidate their financial data (bank accounts, credit cards, insurance policies, investment accounts) through authorised data intermediaries and share it with service providers of their choosing. The programme has achieved significant adoption, with millions of Koreans using MyData-enabled financial services. The financial MyData infrastructure demonstrates the viability of consent-based data portability at scale and provides a model for data sharing in other sectors relevant to K-Moonshot.

Healthcare MyData

The extension of MyData principles to healthcare data is particularly relevant to K-Moonshot's biomedical missions. Healthcare MyData enables individuals to authorise the sharing of their medical records, diagnostic data, and treatment histories with research institutions, AI developers, and clinical trial operators. This consent-based data sharing mechanism, combined with the pseudonymization framework, creates a pathway for building the large-scale health datasets needed for Mission 1's AI-driven drug development acceleration. The challenge lies in achieving sufficient adoption to generate datasets of the scale and diversity required for meaningful AI model training.

Implications for AI Training Data

MyData's broader significance for K-Moonshot lies in its potential to create curated, consent-based datasets for AI model training. Traditional approaches to AI training data, web scraping, data purchasing, and synthetic data generation, each carry limitations in data quality, consent validity, and representativeness. MyData-enabled datasets, built on explicit individual authorisation, provide a governance foundation that is both ethically robust and legally defensible, addressing the growing international scrutiny of AI training data provenance.

Data Commons and Open Data for AI

The Korean government has established multiple data commons initiatives that make public-sector datasets available for AI research and commercial development. These programmes directly support K-Moonshot's AI development objectives by providing training data resources that are accessible to Korean researchers and companies without the cost and legal complexity of procuring proprietary datasets.

AI Hub

The National Information Society Agency (NIA) operates AI Hub, a government-funded platform that provides curated datasets, pretrained models, and AI development tools to Korean researchers, startups, and enterprises. AI Hub datasets span multiple domains including Korean language text, speech recognition, computer vision, healthcare imaging, and manufacturing quality control. For K-Moonshot, AI Hub provides a centralised data resource that supports research across multiple missions, from Korean-language AI model development (sovereign AI) to AI-assisted manufacturing (Mission 7).

Public Data Portal

The Korean government's Public Data Portal (data.go.kr) provides access to over 80,000 government datasets covering demographics, economics, transportation, environment, and public services. While not specifically designed for AI training, these datasets provide supplementary training resources for K-Moonshot AI applications that require contextual knowledge of Korean society, economy, and infrastructure.

Cross-Border Data Transfer Regulations

PIPA's cross-border data transfer provisions govern the international flow of Korean personal data, with direct implications for K-Moonshot's international research collaborations and the global deployment of Korean AI products.

Under PIPA, cross-border transfers of personal information require one of several legal bases: explicit consent from data subjects, transfer to a jurisdiction that has received an adequacy determination from the PIPC, implementation of appropriate safeguards (such as Standard Contractual Clauses), or specific exemptions for research or public interest purposes. The European Commission's 2022 adequacy decision for Korea, recognising PIPA as providing protection essentially equivalent to the GDPR, facilitates data flows between Korea and the EU and validates Korea's data protection framework on the international stage.

For K-Moonshot, cross-border data transfer rules affect international research collaborations that require data sharing with foreign partner institutions. KAIST, SNU, and other Korean research institutions participating in international AI research programmes must comply with PIPA's transfer provisions when sharing research data with foreign collaborators. The adequacy-based framework with the EU facilitates Korea-EU research collaborations, while transfers to other jurisdictions require case-by-case assessment of appropriate safeguards.

Data Governance Challenges for K-Moonshot

Several data governance challenges specific to K-Moonshot's mission areas require attention from policymakers and programme administrators.

Health Data Fragmentation

Korea's healthcare data, while extensive (the national health insurance system covers virtually the entire population), is fragmented across multiple institutions including the National Health Insurance Service, the Health Insurance Review and Assessment Service, individual hospitals and clinics, and private healthcare providers. Integrating these data sources into unified datasets for Mission 1's AI-driven drug development requires institutional coordination and standardisation efforts that go beyond data protection law into the domain of health information interoperability.

Industrial Data Sharing Barriers

K-Moonshot missions that depend on industrial data, particularly Mission 7 (Physical AI) and Mission 6 (Humanoid Robots), face challenges in accessing manufacturing and operational data from private companies. While PIPA governs personal data, industrial and commercial data sharing is governed by a patchwork of contract law, trade secret protections, and sector-specific regulations that create barriers to the data pooling needed for training generalised AI models. The government has explored data trusts and industrial data exchanges as mechanisms to facilitate sharing while protecting proprietary interests, but adoption remains limited.

AI Training Data Provenance

The global trend toward scrutinising the provenance of AI training data, driven by copyright disputes, privacy concerns, and regulatory requirements, creates compliance obligations for K-Moonshot AI developers. Korean AI companies and research institutions must be prepared to document the sources, consent bases, and processing histories of training data used in K-Moonshot models. This documentation burden is manageable for curated government datasets and MyData-sourced data but becomes more complex for web-scraped data, commercially purchased datasets, and synthetic data generated from proprietary sources.

Biometric and Neural Data

Mission 2 (Brain Implant Commercialization) generates neural data that falls into a category between traditional biometric data (covered by PIPA's special category provisions) and an entirely new data type that existing law was not designed to govern. Neural data raises unique governance questions: Can neural data be effectively pseudonymized when brain activity patterns are inherently unique to individuals? What consent mechanisms are appropriate for continuous neural data collection from implanted devices? How should neural data be classified in the context of cross-border transfer regulations? These questions require governance innovation that extends the existing PIPA framework into uncharted territory.

Data Sovereignty and Localization

Korea's data governance framework incorporates elements of data sovereignty, the principle that data generated within Korean jurisdiction should remain subject to Korean regulatory authority, without imposing the strict data localization requirements that characterise some other Asian data protection regimes (such as China's data localization provisions under the PIPL).

PIPA's cross-border transfer provisions create a functional degree of data localization by requiring legal bases for international transfers, but they do not mandate that data be physically stored within Korean territory. This approach balances sovereignty concerns with the practical needs of a globally connected economy that depends on cross-border data flows for trade, research, and technology development.

For K-Moonshot, the data sovereignty dimension is most relevant to the programme's sovereign AI model development. Korean-language training data, government datasets, and MyData-sourced data provide a foundation for sovereign AI capabilities that are inherently localised within the Korean data governance framework. This data foundation supports K-Moonshot's objective of developing AI systems that are optimised for Korean contexts and governed under Korean law, while the cross-border transfer framework allows international research collaboration where needed.

Future Directions: Data Governance for the AI Era

Korea's data governance framework is evolving to address the specific challenges of AI-era data management. Several reform directions are under consideration or active development.

AI-Specific Data Processing Rules

Proposed amendments to PIPA would introduce AI-specific provisions governing the use of personal data in AI training, recognising that AI model training involves processing patterns that differ from traditional data use. These provisions would clarify the legal basis for using personal data in large-scale model training, establish transparency requirements for AI training data sourcing, and define the boundaries of the research exemption in the context of commercial AI development.

Data Trust Frameworks

Korea is exploring data trust frameworks that would allow multiple data holders to pool data under a trusted intermediary for AI training and research purposes. Data trusts could address the industrial data sharing barriers that constrain K-Moonshot missions by providing governance structures that protect data contributors' proprietary interests while enabling the aggregation needed for effective AI model training.

Synthetic Data Governance

As synthetic data generation becomes increasingly important for AI training, data governance frameworks must address the status of synthetically generated data that is derived from personal information. Korea's framework currently treats synthetic data as outside PIPA's scope if it cannot be linked to identifiable individuals, but the boundaries of this treatment become uncertain as synthetic data generation techniques improve and the potential for re-identification increases.

Korea's data governance framework, anchored by PIPA and extended through MyData, data commons, and sector-specific initiatives, provides K-Moonshot with a regulatory foundation that balances privacy protection with innovation enablement. The challenge for policymakers is to maintain this balance as AI capabilities advance and data governance challenges grow more complex. The framework's success will be measured by whether it enables K-Moonshot's data-intensive missions to access the training data they need while maintaining the public trust and international credibility that Korea's data protection reputation provides.