Post-‘Lee-Luda’ personal information protection in Korea: developer responsibility and autonomous AI governance

Abstract

In South Korea, artificial intelligence (AI)-related personal information protection has long been an issue, and the Lee-Luda (also referred to as ‘Iruda’) incident drove the development of specific policies and guidelines. The Lee-Luda case is fairly important for AI governance in Korea, since the Personal Information Protection Commission (PIPC) decision was the first to make a judgment on the Personal Information Protection Act (PIPA) violations as a result of development and operation of AI. Following the Lee-Luda case, Korean society became more aware of the risks posed by privacy infringement in the age of intelligent information technology. Lawmakers began to establish legal frameworks for the protection of personal information while developing AI products and services. This study reviews legal issues and suggests policy directions while highlighting the significance of the Lee-Luda case, which was an epochal turning point in the protection of personal information related to AI products and services in Korea. First, the authors review the PIPC’s decision on Scatter Lab’s violation of the PIPA, analyse the legal issues in the Lee-Luda case, and derive the significance and limitations of the decision. Next, the authors suggest that it is desirable for AI governance to move towards self-regulation in a manner that ensures the autonomy of AI developers and operators; they also review the recent trends in the laws and policies on data protection that have been continually developed since the Lee-Luda case, especially with a focus on the AI Personal Information Protection Self-Checklist (Self-Checklist).