In January 2025, South Korea’s Personal Information Protection Commission (PIPC) ordered Alipay to destroy an AI model built from 40 million Korean users’ personal data. The model, an NSF (Non-Sufficient Funds) scoring algorithm, was trained on data that Kakao Pay had transferred to Alipay without user consent. The fine totaled KRW 8.37 billion (~$5.7 million). But the model deletion order is the real precedent. Korea’s data regulator can now require companies to destroy the AI itself, not just pay fines and promise to do better.
This article covers every major AI-related enforcement action in Korea, the legal basis the PIPC uses, and what it means for your compliance planning.
Key Takeaways
- The PIPC ordered Alipay to delete an AI model (NSF scoring algorithm) trained on unlawfully transferred Korean user data. This is Korea’s strongest AI enforcement precedent.
- Korea’s enforcement threat comes from PIPA (data protection law), not the AI Basic Act. PIPA fines reach up to 10% of total turnover from September 2026. The AI Basic Act caps at KRW 30 million (~$21,000).
- The PIPC has imposed over KRW 60 billion in AI-related and data fines since 2021, targeting Kakao Pay, Kakao Corp, Meta, Lotte Card, and foreign AI services.
- The PIPC suspended DeepSeek’s service in Korea within days of launch for privacy violations, showing it can act preemptively against foreign AI companies.
- PIPA Article 37-2 gives Korean users the right to refuse automated decisions and request human review. This provision applies to all AI systems processing personal data.
[Source: PIPC enforcement records; PIPA amendment Feb 2026; DataGuidance; IAPP]
What Happened in the Kakao Pay Case?
In January 2025, the PIPC concluded that Kakao Pay had transferred personal data of approximately 40 million users to Alipay (a subsidiary of Ant Group, based in Singapore) without consent or disclosure. Alipay used this data to build an NSF scoring algorithm for Apple Pay micropayment bundling. [Source: BusinessKorea, Jan 23, 2025; DataGuidance, Jan 24, 2025]
The PIPC fined Kakao Pay KRW 5.968 billion and Apple Distribution International Limited KRW 2.45 billion plus KRW 2.2 million in penalties, totaling KRW 8.37 billion (~$5.7 million). More significantly, the PIPC ordered Alipay to destroy the AI model trained on the unlawfully transferred data. [Source: PIPC decision, Jan 22-23, 2025; Lexology, Feb 19, 2025]
This order has no close precedent in Asian AI enforcement. The PIPC did not just fine the companies and move on. It required the destruction of the algorithmic output of the violation, treating the trained model as a derivative work of the unlawful data. [Source: IAPP, Jun 4, 2025]
Why Is Model Deletion Different from Fines?
A fine is a cost of doing business. A model deletion order destroys the business value derived from the violation.
The US Federal Trade Commission has used similar remedies (labeled “algorithmic disgorgement”) against Everalbum/Paravision, Weight Watchers/Kurbo, and Rite Aid. But those were consent decrees, not statutory orders. The PIPC’s order has explicit statutory basis under PIPA’s corrective powers. [Source: IAPP comparative analysis, Jun 2025]
Three implications for AI companies. First, training data provenance is now an asset protection issue, not just a compliance checkbox. If the PIPC determines your training data was unlawfully obtained, the resulting model is at risk. Second, the PIPC has signaled willingness to target the algorithm itself, not just the data. Third, foreign companies are not exempt. Alipay is a Singapore-based entity that received the deletion order.
Our view: Korea’s model deletion precedent is the most aggressive AI enforcement tool in Asia. Companies should treat their training data pipeline with the same rigor as their financial audit trail.
What Authority Does the PIPC Have Over AI?
The PIPC enforces PIPA, not the AI Basic Act. But PIPA’s reach into AI is extensive.
PIPA Article 37-2 (amended 2023) establishes automated decision-making rights: data subjects can refuse decisions made solely by automated processing that significantly affect their interests, and controllers must explain the decision logic on request. This applies to any AI system processing Korean personal data that makes consequential decisions. [Source: PIPA Art. 37-2; PIPC binding notice, Sep 2024]
PIPA’s penalty structure was dramatically strengthened in February 2026. The maximum fine increases from 3% to 10% of total turnover for serious violations, effective September 11, 2026. CEO personal supervisory liability was added. This makes PIPA enforcement, not AI Basic Act enforcement, the primary financial risk for AI companies in Korea. [Source: IAPP, Mar 2026; PIPA amendment Feb 12, 2026]
The PIPC can investigate, impose administrative fines, issue corrective orders (including model deletion), publish findings publicly, and refer criminal cases for prosecution. It operates independently under the Prime Minister’s Office. [Source: PIPA; regulators.md]
The AI Basic Act (effective January 2026) gives MSIT separate enforcement authority over AI-specific obligations like transparency and high-impact classification. But MSIT’s maximum fine is KRW 30 million (~$21,000). The regulatory power imbalance is clear: PIPC can impose billions in fines and order model destruction, while MSIT’s enforcement tools are comparatively limited. [Source: AI Basic Act Art. 42-43; Choi, Network Law Review, Fall 2025]
What Other AI Enforcement Actions Has Korea Taken?
| Case | Year | Target | Fine (KRW) | Fine (USD) | AI-Specific? |
|---|---|---|---|---|---|
| Scatter Lab / Lee Luda chatbot | 2021 | Scatter Lab | 103.3M | ~$71K | Yes: training data from 9.4B conversations |
| Kakao Pay / Alipay model deletion | 2025 | Kakao Pay + Apple | 8.37B | ~$5.7M | Yes: model deletion order |
| Kakao Corp open chat data leak | 2024 | Kakao Corp | 15.14B | ~$10.4M | No, but largest-ever PIPC fine |
| Meta algorithmic profiling | 2024 | Meta Platforms | 21.62B | ~$14.8M | Yes: inferred sensitive data via ML |
| DeepSeek service suspension | 2025 | DeepSeek (China) | Pending | Pending | Yes: foreign AI service blocked |
| AliExpress overseas transfer | 2024 | AliExpress | 1.978B | ~$1.35M | Indirect: data pipeline |
| TELUS International AI data breach | 2025 | TELUS | 89.2M | ~$61K | Yes: AI training data |
| Lotte Card | 2026 | Lotte Card | 9.62B | ~$6.6M | Financial data (2.97M users) |
[Source: PIPC decisions; DataGuidance; Korea Times; IAPP. Lotte Card amount requires additional verification.]
The Scatter Lab case (2021) was Korea’s first AI enforcement action. The startup harvested 9.4 billion conversations from 600,000 users to train its “Lee Luda” chatbot, including data from 200,000 children under 14. Training data with personal information was uploaded to GitHub. The chatbot generated offensive and sexually explicit content. [Source: The Register, Apr 29, 2021; DataGuidance, Apr 28, 2021]
The Meta case (2024) is notable for targeting algorithmic profiling. The PIPC found that Meta collected sensitive data (religion, political views, sexuality) from approximately 980,000 Korean Facebook users by analyzing behavioral signals (pages liked, ads clicked) without legal basis. This shows PIPC scrutiny extends to inference-based data creation by AI, not just direct collection. [Source: Reuters, Nov 5, 2024]
The DeepSeek suspension (February 2025) demonstrated the PIPC’s ability to act preemptively. Within days of DeepSeek’s launch in Korea, the PIPC suspended the service, citing privacy policy failures, unauthorized data transfers to China, and lack of age verification. DeepSeek complied with corrective measures and resumed service in April 2025 under continued monitoring. [Source: DataGuidance, Apr 24, 2025; Korea JoongAng Daily, Apr 24, 2025]
How Does Korea’s Enforcement Compare to Other Jurisdictions?
| Approach | Korea (PIPC) | EU | US (FTC) | China (CAC) |
|---|---|---|---|---|
| Primary tool | Model deletion + fines | Fines (up to 7% turnover) | Consent decrees + algorithmic disgorgement | Algorithm correction orders + service suspension |
| Max financial penalty | 10% turnover (PIPA, Sep 2026) | EUR 35M / 7% turnover | Case-specific (no statutory AI cap) | Case-specific |
| Service suspension | Yes (DeepSeek precedent) | Via market surveillance | No direct equivalent | Yes (common) |
| Preemptive action | Yes | Limited (pre-market conformity assessment) | Limited | Yes |
| Criminal referral | Yes | Member state discretion | Yes (DOJ referral) | Yes |
[Source: Comparative analysis from enforcement.md]
Korea’s enforcement posture is closer to China’s (preemptive, willing to suspend services) than to the EU’s (structured, penalty-focused) or the US’s (negotiated consent decrees). The key differentiator: Korea’s PIPC combines the financial penalty power of a European-style regulator with the operational intervention power (service suspension, model deletion) more typical of Asian regulators.
What Does This Mean for AI Companies in Korea?
Three practical implications.
First, your training data pipeline is now a legal liability, not just an operational concern. If the PIPC determines your AI model was trained on unlawfully obtained Korean personal data, the model itself can be ordered destroyed. This is not theoretical; it happened to Alipay in January 2025.
Second, foreign AI services are not exempt. DeepSeek (China), Meta (US), AliExpress (China), and Alipay (Singapore) have all faced PIPC enforcement. If your AI service is accessible to Korean users, the PIPC considers itself to have jurisdiction.
Third, the penalty escalation is real. From KRW 103 million (Scatter Lab, 2021) to KRW 21.62 billion (Meta, 2024) to 10% of total turnover (PIPA amendment, September 2026). The trajectory is steep.
What Should You Do Now?
- Audit your AI training data for Korean personal information. If your model was trained on data from Korean users, verify that proper consent was obtained for each data source. PIPC investigates the entire data supply chain, not just the final model.
- Implement PIPA Art. 37-2 compliance. Build opt-out mechanisms for automated decisions and explanation capabilities. Users must be able to refuse AI-driven decisions and request human review.
- Appoint a Korean data protection officer. If you meet the domestic representative thresholds under the AI Basic Act (Art. 36), you also need PIPA compliance infrastructure.
- Budget for the 10% turnover risk. From September 2026, serious PIPA violations carry fines up to 10% of total turnover plus CEO personal liability. This is not the AI Basic Act’s KRW 30 million. This is the real financial exposure.
- Monitor PIPC decisions monthly. The PIPC publishes enforcement decisions that establish compliance expectations. The Kakao Pay model deletion, Meta profiling fine, and DeepSeek suspension each set new precedents.
For the full legal framework, see our South Korea AI Basic Act guide. For how Korea’s enforcement compares to the EU’s penalty structure, see our Korea vs EU AI Act analysis. For which sectors are classified as high-impact and face the most enforcement scrutiny, see our 11 sectors mapped.
Reg Intel is not a law firm and does not provide legal services. This content is for informational purposes only and does not constitute legal advice. Consult qualified Korean legal counsel for jurisdiction-specific compliance guidance.
Last verified: April 7, 2026
Sources
Official Sources
- PIPC enforcement decisions via pipc.go.kr
- PIPA (Personal Information Protection Act), including Feb 2026 amendments
- AI Basic Act (Law No. 20676) Art. 42-43
Analysis and Commentary
- IAPP, “South Korea: PIPC’s Muscular and Accelerating Enforcement Posture” (June 4, 2025) — Link
- IAPP, “South Korea Overhauls PIPA” (March 2026) — Link
- DataGuidance, “Kakao Pay PIPC Decision” (January 24, 2025) — Link
- Lexology, “Korea PIPC Kakao Pay Analysis” (February 19, 2025) — Link
- Choi, Yo Sop, “The New AI Regulation in Korea: Problems of Jurisdictional Overlaps,” Network Law Review (Fall 2025)
Data Sources
- BusinessKorea, “Kakao Pay Fine” (January 23, 2025) — Link
- Korea JoongAng Daily, “DeepSeek Suspension” (April 24, 2025) — Link
- Reuters, “Meta Fined by South Korea” (November 5, 2024) — Link
- The Register, “Scatter Lab Luda Fine” (April 29, 2021) — Link
- Korea Times, “Kakao Corp Open Chat Fine” (May 23, 2024) — Link
Compare: EU vs South Korea
For the global keystone comparison across twelve dimensions — high-impact vs high-risk classification, mandatory vs voluntary conformity, KRW 30M vs €35M penalties, Korea’s innovation chapter, and a five-step dual-market compliance baseline — see EU vs South Korea AI Act: High-Impact vs High-Risk Compared (2026).