South Korea AI Basic Act — Practical Compliance Guide for Companies

The AI Basic Act — what it requires

South Korea's AI Basic Act (Act No. 20676, promulgated 21 January 2025, effective 22 January 2026) establishes the country as the second jurisdiction — after the EU — with binding AI-specific legislation covering private sector activities. The Act takes a risk-based approach with mandatory obligations for high-impact AI systems.

High-impact AI classification

The Act focuses regulatory intensity on "high-impact AI" — systems with significant potential to affect life, physical safety, fundamental rights, or public safety. Classification criteria are being detailed through subordinate legislation, but the Act establishes the framework: AI systems affecting employment decisions, credit and financial services, healthcare, criminal justice, public safety, and essential services are likely candidates for high-impact classification.

For high-impact AI, the Act requires: transparency about AI system use; risk assessment and impact evaluation; documentation of system design, data, and decision-making processes; measures to prevent and address bias, discrimination, and inaccuracy; human oversight for consequential decisions.

General obligations for all AI

Regardless of risk classification: AI providers must ensure basic safety and reliability; AI-generated content must be identifiable as AI-generated; users must be notified when interacting with AI systems in certain contexts; providers must maintain records and documentation sufficient for regulatory review.

Data protection — PIPA

PIPA (Personal Information Protection Act) provides comprehensive data protection applicable to all AI processing personal data. The PIPC (Personal Information Protection Commission) enforces PIPA with authority to investigate, order corrective measures, and impose penalties. Key provisions relevant to AI: consent for collection and use (with specific consent for sensitive information); purpose limitation; automated individual decision-making provisions including the right to refuse solely automated decisions and request human review; data breach notification requirements; restrictions on cross-border data transfer.

Sector-specific regulation

Financial services. The FSC (Financial Services Commission) regulates AI in banking, insurance, and securities. The Credit Information Use and Protection Act applies to AI credit scoring. Algorithmic trading is regulated by the Financial Investment Services and Capital Markets Act.

Competition. The KFTC (Korea Fair Trade Commission) has jurisdiction over AI that may affect fair competition, including algorithmic pricing coordination and AI-driven market manipulation.

Healthcare. The Ministry of Food and Drug Safety (MFDS) regulates AI medical devices. SaMD regulations apply to AI-based diagnostic and treatment tools.

Compliance steps

Assess whether your AI systems qualify as high-impact under the classification criteria. Implement transparency requirements — disclosure that AI is in use, notification to affected individuals. Conduct risk assessments for high-impact systems. Ensure PIPA compliance for all AI processing personal data. Monitor subordinate legislation and enforcement guidelines as they are issued through 2026. For companies also operating in the EU, map the AI Basic Act requirements against EU AI Act requirements to identify overlaps and differences.

Primary sources: Library of Congress — Korea AI Basic Act · PIPC South Korea