South Korea’s privacy commissioner, Ko Hak-soo, sat down with MLex on the sidelines of the IAPPs Global Privacy Summit to discuss next steps in the country’s trailblazing “MyData” initiative, a sweeping effort intended to give users the legal power to retrieve and repurpose their personal data across sectors — putting control back in the hands of users. MyData is an example of an effort that some Internet thinkers say is greatly needed to radically rework the current Internet economy based on commercial exploitation of users' personal data.
Personal data in South Korea isn’t just a resource to be collected — it’s a right that individuals are being empowered to exercise. At the center of that transformation is MyData, a sweeping initiative that gives users the legal power to retrieve and repurpose their personal data across sectors — putting control back in the hands of users.For businesses, it opens the door to building new kinds of services, ones that are powered by user data but designed with user control in mind.
Now, as the initiative moves into its next phase, the country’s privacy chief says real-world implementation is about to begin.
Speaking to MLex on the sidelines of a privacy conference* in Washington, Ko Hak-soo, chairman of the Personal Information Protection Commission, or PIPC, said five pilot projects under the data portability scheme are scheduled to launch as early as next month — the next step in what he described as a carefully phased implementation.
“This isn’t about opening the floodgates all at once,” Ko said. “We’ve spent the past couple of years building the legal and technical foundations. Now, five designated pilots are ready to launch, starting next month.”
The pilot programs — three involving medical data, one in telecoms and another in travel — will test both infrastructure and consumer benefits (see here), according to the chairman. One healthcare pilot, for example, will let users consolidate medical records from multiple sources into a hospital-affiliated app that can offer recommendations for chronic disease management, medication schedules and dietary planning. The telecom pilot will enable users to access and transfer their usage and billing data to receive personalized mobile plan recommendations, while the travel project will use individuals’ travel histories to curate custom itineraries aligned with their preferences and past behavior.
This phased rollout of the data-portability initiative has had mixed results in other jurisdictions. For example, Australia’s Consumer Data Right, which was established in 2019, also envisaged a sector-by-sector rollout, starting with financial services and expanding to energy and telecommunications. It was seen at the time as a way of injecting competition in sectors plagued by customer “stickiness” — a reluctance to change providers to get a better deal.
— Business alternatives —
As the world’s data protection professionals assembled in Washington this week, the novelty of the approach by South Korea and Australia to put more power over personal data into the hands of individuals was clear.
Some, like Lawrence Lessig of Harvard Law School, an influential Internet law thinker, blame a business model aimed at exploiting people’s personal data to harness their attention on digital ads and other content for social problems such as political polarization and misinformation.
Lessig, in a keynote speech at the IAPP conference, called for a new personal data paradigm, referring to US Supreme Court Justice Louis Brandeis’ distillation of the essence of privacy: “the right to be left alone.”
“If we think about the life we lead every day, we realize how little of our day we are allowed to be alone — how little of our existence is walled off and capable of being separated from the constant engagement and triggers that are driving the business model that wants to pull you into the devices that then sells your data,” Lessig said. “Why not think about how to build a privacy law to give us the right to be let alone again? Why not help build the society that I think all of us want, rather than enabling the consent architecture that the engagement business model needs.”
The question is whether people will embrace an alternative that gives them more control of their data rather than allowing private companies to use their personal data for its commercial needs.
In Australia, the take-up of the Consumer Data Right initiative was poor, with companies unwilling to embrace the opportunities and customers often unaware that they could move their personal data to different providers. This prompted the government to step in last year, promising to revive the program and expand it further, to include non-bank lenders (see here). It’s unclear whether these efforts will be enough to revive the data-portability program.
Mindful of the challenges inherent in Australia’s Consumer Data Right, last month New Zealand introduced its own sector-by-sector data-portability mechanism (see here). The country’s lawmakers have been using the Australian experience as a cautionary tale of how such policies can be announced but not embraced by the targeted sectors.
South Korea will be hoping that MyData isn't’ plagued by the same problems. The country has laid the legal foundation for the mechanism in Articles 35-2 to 35-4 of the recently amended Personal Information Protection Act, which established what Ko describes as “data transmission rights” — empowerment of individuals to demand that personal information be sent, securely and in machine-readable format, to third parties they choose. This goes beyond the access or collection rights found in many privacy regimes. Crucially, these rights apply not only to South Korean companies but also to foreign businesses targeting South Korean users.
To support this data-portability system, the PIPC has created a legal category of intermediaries — “data management agencies” — that are designated to handle personal data flows on behalf of users. These entities — or companies that apply for the designation — must meet strict technical and security standards and are overseen by the commission to ensure transparency, accountability and user control.
The PIPC has also laid out criteria for which entities must serve as data providers — factoring in metrics such as annual revenue, data volume, processing capacity and industry characteristics — and has defined the specific types of information eligible for transfer.
“This is a very complicated area,” Ko said. “First, from a technical standpoint, you’re dealing with multiple IT systems that need to exchange data constantly and seamlessly. Second, these systems are managed by stakeholders with very different business interests and motivations.”
— PIPC hopes —
Since officially taking effect in March, the MyData system has been rolling out in stages. Healthcare and telecommunications are the first sectors to begin implementation, while the energy sector is scheduled to follow in June 2026. Seven additional areas — transportation, education, employment, real estate, welfare, retail and leisure — will be added over time as the framework expands.
Although no companies have yet applied for formal designation to receive data, the PIPC told MLex that several firms — ranging from startups to major financial institutions — have expressed some interest. The regulator hopes the launch of pilot services will serve as a catalyst for broader industry participation.
Ko said corporate reluctance and pushback haven't surfaced.
“Not so far,” the privacy chief said. “If anything, the complaint from businesses is that it’s unclear what kind of business case they can make from this. There’s not much room yet to generate revenue — for now, it’s more about offering convenience to users.”
Ko said the overarching goal of the MyData scheme is to let users realize tangible benefits from their data, not just to consent to its collection. He described the initiative as one of the commission’s most active efforts.
At the same time, he made clear that the system is not designed to serve the interests of major platforms such as Google or Naver by enabling them to gather even more user data.
“From the beginning, that’s been an important consideration,” Ko said. “One of the worries is that platforms could use this as a pretext to accumulate more data, claiming it’s for the user’s benefit. But we’re very (mindful) of that possibility.”
That vision is beginning to draw international interest. Ko confirmed that the World Bank recently approached the commission to explore how the South Korean model could serve as a reference for cross-border or regional frameworks.
“We had a visit from the World Bank, and they showed interest in possibly turning this into more of a global-level project,” he said “But it would involve a lot of work, especially on the technology side. You need to set common standards, coordinating across different organizations and build a unified framework through which APIs can be triggered and data exchanged. So yes, it’s a heavy lift.”
-Additional reporting by James Panichi and Saloni Sinha
*IAPP Global Privacy Summit 2025, Washington, DC, April 22-24, 2025.
Please e-mail editors@mlex.com to contact the editorial staff regarding this story, or to submit the names of lawyers and advisers