Pseudonymization as a gateway to AI data use: South Korea's emerging privacy governance model

Across jurisdictions, regulators are exploring different ways to support artificial intelligence development without undermining data protection. South Korea is taking a particularly distinctive path. On 31 March 2026, the Personal Information Protection Commission released its revised Pseudonymized Information Processing Guidelines, signaling an approach that tests how far the boundaries of data protection can be extended while formally preserving its core principles.

Rather than loosening its framework, South Korea is turning pseudonymization into a regulatory gateway — a legal condition that enables certain forms of data use without consent. This shift is not driven by legislation alone. Through recent regulatory guidance and a notable Supreme Court decision, South Korea is shaping a system in which pseudonymization does more than reduce risk: it determines who can use data, under what conditions, and for which purposes.

Pseudonymization as a built-in legal gateway

To understand this shift, it is important to examine how pseudonymization is positioned in South Korean law. The Personal Information Protection Act permits the use of pseudonymized data without consent for purposes such as statistics, scientific research and public interest recordkeeping, and structures data combination around pseudonymization.

Crucially, in South Korea, pseudonymization is not merely a safeguard layered on top of a separate legal basis. It is embedded in the law as a condition that enables secondary use itself.

This marks a key difference from EU General Data Protection Regulation-based practice. In the EU, particularly in AI training contexts, the primary question is whether a lawful basis — such as legitimate interest — can be established, with pseudonymization functioning as a measure that supports that justification. In South Korea, by contrast, pseudonymization operates as a gateway into a legal regime that permits certain types of processing without consent.