South Korea's PIPC flexes its muscles: What to know about AI model deletion, cross-border transfers and more

South Korea's Personal Information Protection Commission has forged a robust privacy regime that reflects distinct domestic priorities while increasingly shaping the global debate.

A string of headline investigations — from Kakao Pay, Apple, Alipay to Meta, AliExpress and the Chinese AI start-up DeepSeek — shows the regulator marrying meticulous guidance with muscular enforcement. Most strikingly, it has ordered the destruction of an artificial intelligence model trained on unlawfully obtained data, an approach that puts South Korea at the leading edge of global privacy practice.

A new playbook in three acts

Model deletion becomes real. The 2021 Scatter Lab case confirmed the Personal Information Protection Act's reach into AI training data, but the January 2025 Kakao Pay decision brought teeth. After finding the wallet provider sent 40 million users' data to Alipay, which in turn built "NSF scores" for Apple Pay without notice or consent, the PIPC not only levied KRW8.3 billion in fines — it ordered Alipay to erase the algorithm itself.

Why does that matter? Because model deletion eliminates the very asset an AI developer hopes to monetize. While the U.S. Federal Trade Commission has occasionally required "algorithm disgorgement," European data-protection authorities have so far focused on underlying data. South Korea's precedent shows regulators can, and will, go after the crown jewels when a dataset is poisoned at the source.