
Korea Autonomous Vehicle Data Security Rules 2026

  • Jun 3

South Korea Tightens Autonomous Vehicle Data Security: New Video Information Obligations Effective June 18, 2026


South Korea has moved to close the data-protection gap that opened when it relaxed anonymization rules for autonomous-vehicle (AV) video. The Ministry of Land, Infrastructure and Transport (MOLIT) has amended the Act on the Promotion and Support of Commercialization of Autonomous Vehicles to introduce a binding security-and-destruction regime for the video information that self-driving systems collect. The amendment was promulgated on March 17, 2026 and takes effect on June 18, 2026, giving AV manufacturers and operators a narrow window to put compliant processes in place.


Regulatory Background


Earlier in 2026, Korea eased a long-standing constraint on AV development: operators running vehicles under temporary driving permits were permitted to use collected video for performance and safety R&D without mandatory anonymization or pseudonymization. That change removed a bottleneck in the data pipeline used to train autonomous-driving systems, but it also created an obvious risk—large volumes of unblurred footage capturing faces, license plates, and other identifiable information moving through development environments.

This new amendment is the counterweight. Rather than relying on anonymization at the point of collection, the framework now places enforceable duties on how that video information is secured, governed, and ultimately destroyed.


Korea Autonomous Vehicle Data Security: What the Amendment Requires


The amendment works on two levels—primary obligations written into the Act, and delegated implementation details to be specified through subordinate regulation.


Core statutory obligations


  • Technical and administrative safeguards. Entities collecting video information through autonomous vehicles must implement the technical and administrative measures necessary to ensure its security.

  • Mandatory destruction. The amendment establishes requirements for the destruction of collected video information, formalizing retention limits rather than leaving disposal to internal discretion.

  • Penalties and administrative fines. Non-compliance is now subject to penalties or administrative fines, converting what were effectively best-practice expectations into enforceable legal duties.


Delegated implementation matters


The amendment also prescribes the matters delegated by the Act for its implementation, including:


  • The scope of video information processing devices covered by the obligations;

  • The requirement to establish an internal management plan for video information; and

  • The retention of access records documenting who accessed the video information and when.


Together these provisions create a recognizable data-governance lifecycle: defined devices in scope, a written internal control plan, logged and retained access records, security controls throughout, and mandatory destruction at end of life—backed by enforcement.


[Infographic: "SOUTH KOREA'S NEW AV VIDEO DATA SECURITY REGIME: EFFECTIVE JUNE 18, 2026." A "Before" and "After" comparison of autonomous vehicle data laws. The "Before" side highlights relaxed anonymization and discretionary security practices; the "After" side lists the new mandatory requirements, including technical safeguards, data destruction, internal management plans, and administrative fines. A timeline at the bottom tracks key dates from March 17, 2026, to the June 18 effective date.]

What This Means for Manufacturers


For OEMs, importers, and AV technology providers operating or testing in Korea, this amendment shifts data protection from an R&D convenience question to a compliance obligation with legal exposure.


  • Unblurred footage is now a governed asset. The relaxed anonymization rule does not reduce responsibility; it relocates it. If your development pipeline ingests raw video, you are now responsible for securing and disposing of it under the Act.

  • Documentation is no longer optional. An internal management plan and retained access records are explicit requirements. Regulators can ask to see them, and their absence is itself a compliance failure.

  • Enforcement risk is real. With penalties and administrative fines attached, gaps in encryption, access control, retention scheduling, or disposal can translate directly into liability.

  • Scope clarity matters. Because the amendment delegates the definition of "video information processing devices," manufacturers should confirm which of their onboard cameras, sensors, and recording subsystems fall within scope before assuming they are exempt.

  • It aligns with Korea's wider data-protection tightening. This sits within a broader 2026 trend of stronger data-security enforcement in Korea, so a conservative compliance posture is prudent.


Certification & Compliance Impact Summary


| Compliance area | Before the amendment | After June 18, 2026 |
|---|---|---|
| Video data anonymization (R&D use) | Relaxed—usable without anonymization under temporary permits | Unchanged; the trade-off is new security duties |
| Security safeguards for video information | Largely best-practice / internal policy | Mandatory technical & administrative measures |
| Data destruction | Discretionary | Mandatory destruction requirements |
| Internal management plan | Not statutorily required | Required for video information |
| Access record retention | Not mandated | Required to be retained |
| Devices in scope | Undefined | Defined via delegated regulation |
| Non-compliance consequences | Limited | Penalties / administrative fines |


Timeline & Required Actions


  1. March 17, 2026: Promulgation. The amendment is officially published. The compliance clock starts.

  2. Now through mid-June 2026: Gap assessment. Map every system that captures or stores autonomous-vehicle video. Determine which devices likely fall within the delegated "video information processing device" scope.

  3. Before June 18, 2026: Build the control framework.

    • Draft and approve an internal management plan for video information.

    • Implement technical and administrative security measures (encryption, access controls, network segmentation).

    • Stand up access-record logging and retention so access events are captured and preserved.

    • Define and document a destruction schedule and procedure for collected video.

  4. June 18, 2026: Effective date. All obligations are enforceable; penalties and administrative fines apply from this point.

  5. Ongoing: Monitor delegated regulation. Track MOLIT's subordinate rules for the precise device scope, plan requirements, and access-record retention periods, and adjust controls accordingly.
