In South Korea, the Framework Act on the Development of Artificial Intelligence and the Creation of a Foundation for Trust (the “AI Framework Act”) was promulgated in 2025 and took effect in January 2026 after a one-year grace period.

The AI Framework Act is composed of three main sections:

• AI Policy Promotion Systems: This section covers, inter alia, the establishment of a basic plan and operation of the Presidential Committee on AI, the AI Policy Centre, and the AI Safety Institute.
• Support for AI Technology and Industry Development: This section covers, inter alia, the establishment of an industrial foundation, support for the development of AI technology and industry revitalisation.
• Obligations to Ensure Trust in AI: This section covers, inter alia, AI ethical principles and self-regulation, obligation to ensure safety, responsibilities and transparency for high-performance, high-impact, and generative AI, while leaving other types of AI unregulated.

Meanwhile, the Financial Services Commission (FSC) of Korea has issued the draft of separate Financial AI Guidelines to regulate the use of AI targeting consumers.

In addition, the discourse over AI in South Korea (“Korea”) mainly revolved around two areas:

• the legality of processing publicly available personal information for artificial intelligence training in light of data privacy concerns; and
• the potential copyright infringement when using such data.

AI and machine learning are still leading innovation in various industries, including the medical, financial, and manufacturing sectors, and their influence continues to expand. Beyond simply transforming services for users, these advancements in AI are fundamentally reshaping industrial structures. For instance, the scale of recruitment in tech-based companies is currently shrinking.

AI technology has demonstrated its prowess across various everyday applications, including providing personalised services by analysing consumer data through machine learning, improving business response times through business process automation, and operating chatbots based on generative AI. Furthermore, the use of such AI has recently led to growing interest in AI agents. While the financial sector is eager to adopt AI agents, their widespread implementation is being hindered by IT regulations specific to the financial industry. In contrast, other sectors are showing deep interest in and actively exploring AI agent models.

The South Korean government identifies the adoption and expansion of Artificial Intelligence as a pivotal pillar of its national policy. To this end, the government has committed significant budgetary resources to securing high-performance GPUs and constructing AI data centres, ensuring that the private sector can leverage these critical infrastructures.

Furthermore, to catalyse the seamless integration of AI across society, the government unveiled the “AI Action Plan” in 2026, which encompasses 99 specific executive tasks. This Action Plan sets out individual mandates under three primary strategic objectives: Establishing a Robust AI Ecosystem, Advancing a Pan-National AI Transformation (AX), and Contributing to a Global AI Society. These tasks are strategically distributed among relevant government ministries to ensure co-ordinated and effective implementation across all sectors of the economy.

As explained in 1 Legal Framework, South Korea has introduced the AI Framework Act, a comprehensive legislation governing artificial intelligence. This Act is designed to foster the growth of the AI industry while simultaneously incorporating specific regulatory measures to ensure transparency, safety and responsibilities of AI.

While South Korea’s AI Act shares a substantive framework with the EU AI Act, it was enacted with a more calibrated regulatory intensity to maintain a lower threshold of compliance.

Please see1 Legal Framework.

The South Korean government has officially promulgated the Presidential Decree and five Guidelines pursuant to the AI Framework Act. Although the official public Notices specifically defining “High-Impact AI” and “High-Performance AI” have not yet been formally enforced, the substantive criteria for these categories have already been disclosed to the public through the aforementioned Guidelines. Consequently, the subordinate legal architecture under the AI Framework Act is, for all practical purposes, considered complete.

In addition to this primary legislative framework, government departments have issued the following guidelines:

• The Korea Media Communications Commission (KMCC), which is a regulatory body in the broadcasting and telecommunications fields, focusing on user protection, published guidelines in 2019 to encourage AI development that ensured the protection of users based on the principles of accountability, non-discrimination, and transparency. The KMCC has also published a guideline on user protection involving generative AI on 28 February 2025.
• The Financial Services Commission (FSC) issued, in 2022, its detailed policy guidelines on development and utilisation of AI in the financial sector, setting forth various factors to be considered when developing and using AI. The FSC announced the draft of revised guideline in December 2025.
• The Personal Information Protection Commission (PIPC) announced, in 2023, its policy direction for safe use of personal information in the era of AI, which includes the principles for processing of personal information at each stage of AI development and service. Later, the PIPC published a guideline on the processing of personal information for the development of AI services on 17 July 2024, and a risk management model for AI privacy risk in data utilisation on 19 December 2024. In addition, the PIPC has a preliminary appropriateness determination system for the use of personal information for artificial intelligence, which allows companies to inquire about the appropriateness of using personal information for artificial intelligence development.

This is not applicable in Korea.

This is not applicable in Korea.

The Personal Information Protection Act has been amended to introduce the data subject’s right not to be subject to an entirely automated decision, similar to the automated decision-making right in the European GDPR, which will become effective from 15 March 2024.

Furthermore, the amended Personal Information Protection Act includes provisions for individuals to request explanations or human review of automated decisions, as well as the ability to reject such decisions if they materially affect their rights and obligations as data subjects.

In addition to proposed amendments to the AI Framework Act, the National Assembly is actively deliberating a diverse array of specialised legislation. These include bills concerning the Construction of AI Data Centres, the Utilisation of AI in National Defence, and support measures for the Adoption of Artificial Intelligence by Small and Medium-sized Enterprises (SMEs). This legislative trend reflects a strategic shift toward establishing a more granular and sector-specific legal framework to govern the multi-faceted applications of AI technology.

Furthermore, regarding the Personal Information Protection Act (PIPA), the National Assembly is currently deliberating a legislative amendment that would explicitly permit the use of data containing personal information for AI training and development purposes. This move is aimed at establishing a clearer legal basis for the utilisation of vast datasets in AI innovation while maintaining a balance with data privacy rights.

No significant precedents in this area have been found.

The main regulator for the AI Framework Act is the MSIT, and the Presidential Committee on AI is also relevant. The Presidential Committee on AI reviews and decides on the government plan, strategic investment, and other government actions on AI.

Setting aside the government agencies that are responsible for drafting AI regulatory policies, the PIPC is the most active government agency in regulating AI-related issues.

Please see 3.3 Jurisdictional Directives.

The Ministry of Science and ICT (MSIT) has announced that while the AI Framework Act officially took effect in January 2026, a one-year grace period has been granted before the active enforcement of statutory sanctions. Consequently, as of this date, no enforcement actions or penalties have been imposed by the MSIT under the provisions of the AI Framework Act.

However, other regulatory authorities have conducted administrative investigations regarding the utilisation of artificial intelligence under the existing legal framework.

In 2024, the PIPC listed precautions to be taken when using publicly available personal information. This was released after the Commission conducted an inspection on AI service providers in 2023.

The Korea Fair Trade Commission has investigated the business practices of mobility and advertising businesses from the perspective of the fairness of algorithms.

The AI Framework Act provides for the establishment of the AI Safety Institute. The AI Safety Institute is responsible for defining and analysing AI-related risks, providing criteria for evaluating them, and researching technologies and standardisation for AI safety.

Additionally, the Telecommunication Technologies Association (TTA), an affiliated agency of the Korea Communications Commission, issued an artificial intelligence development guide in 2023.

The Financial Security Institute, an affiliated agency of the Financial Services Commission, has published AI security guidelines. This institute is preparing the updated guidelines.

Generally, the Korean Standards Association plays an important role in adopting international standards.

As a cornerstone of its national strategy, the Korean government is spearheading the Public Sector AI Transformation (AX) to fundamentally reinvent public administration. Central to the 2026 AI Action Plan, this government-led initiative targets a 95% AI adoption rate within the public sector by 2030.

First, the government is establishing a unified AI infrastructure, leveraging “Sovereign AI” through K-AI foundation models and domestic NPU chips. This allows ministries to share high-performance computing resources rather than building fragmented systems. Second, it introduces an AI-integrated civil service platform, where agents manage tasks from initial inquiries to final resolutions, streamlining bureaucracy and enhancing productivity.

Third, the government is deploying 18 flagship AX projects in high-impact areas such as disaster management and “proactive welfare”, where AI pre-emptively delivers benefits to eligible citizens. To drive these policies, the government has introduced immunity from audit and performance incentives for officials leading AI adoption. Combined with the AI Public Project Support Centre, these measures ensure that technical and legal hurdles are minimised, fostering a “Digital Platform Government” that is both efficient and trustworthy.

There have been no judicial decisions related to government use of AI.

The AI Framework Act explicitly excludes from its scope any AI systems developed or utilised solely for national defence or national security purposes. Consequently, to address this regulatory exclusion, active legislative discussions are currently underway to establish a separate legal framework specifically governing AI employed for national defence and security purposes.

Generative AI has become a central focus of AI regulation in Korea following the entry into force of the AI Framework Act in 2026. Rather than introducing a separate regulatory category for foundation models, Korea adopts a functional approach, regulating systems based on their use as generative AI or as high-impact AI.

The most significant regulatory requirement is transparency. Providers of generative AI services must disclose the use of AI in advance and ensure that AI-generated outputs are identifiable either in a human-recognisable or machine-readable manner. In particular, labelling and watermarking obligations are emphasised in response to deepfake-related risks, reflecting a regulatory approach that prioritises post-risk control over ex ante approval.

Copyright issues remain unresolved and continue to be a key area of legal uncertainty. AI-generated outputs are unlikely to be protected as works unless sufficient human creativity is involved, and the legality of using copyrighted materials for training, as well as liability for outputs resembling existing works, is still being debated under existing copyright law frameworks.

From a data protection perspective, generative AI is subject to general data protection rules. The Personal Information Protection Commission has taken the position that core principles such as lawful data sourcing, purpose limitation, and responses to deletion or correction requests apply throughout the AI life cycle.

With respect to liability, Korea has not introduced a dedicated AI liability regime. Instead, liability is expected to be assessed under existing doctrines, including contract, tort, and product liability. Accordingly, businesses are increasingly focusing on transparency and internal governance as key tools for managing legal risk in advance.

The use of AI in the Korean legal sector has moved beyond a limited pilot stage and is gradually expanding under increasing institutional oversight. In the private sector, law firms and legal tech companies have begun to deploy AI-based tools for legal consultation, document analysis and case law research. In the public sector, AI adoption has progressed more rapidly, with prosecutorial authorities introducing AI functionalities within the Korean Criminal Justice Information System (KICS), and courts expanding AI-assisted features such as case summarisation and precedent recommendation through the e-litigation system.

The judiciary has also begun to address the ethical and institutional implications of AI use through internal governance discussions and guidance. In particular, courts emphasise that fairness, accountability and human judgement must be preserved, and that AI should be used only as a supporting tool rather than as a substitute for judicial decision-making.

To date, there have been no significant court cases in Korea directly addressing legal tech or AI-based legal services. However, disputes have arisen in relation to platform-based legal services, including issues of unauthorised practice of law, professional regulation and the legality of intermediation structures. These issues are likely to evolve further as AI-driven legal services become more widespread.

From an ethical perspective, key risks include hallucinations in generative AI, which may produce inaccurate legal information, potential breaches of client confidentiality when using external systems, and over-reliance on AI tools. Accordingly, independent verification of AI outputs, robust data security controls and proper supervision by legal professionals are essential.

Overall, AI is increasingly accepted in Korea as a tool to enhance efficiency in legal practice, but its use remains subject to strict human oversight and professional responsibility.

Korea does not provide a unified, AI-specific liability regime. Instead, liability for harm caused by AI is assessed under existing civil law frameworks, including tort, contract and product liability, on a case-by-case basis.

Where AI is embedded in products, issues such as design defects or safety failures may be analysed under product liability principles. In contrast, AI provided as a service is more likely to be assessed based on negligence or breach of contractual obligations. In the context of generative AI, non-physical harms – such as defamation, copyright infringement and the dissemination of inaccurate information – are becoming increasingly significant, making the identification of responsible parties and causation more complex.

In addition, the opacity of AI systems presents evidentiary challenges in establishing causation. As a result, system logs, model governance and internal control mechanisms are likely to play an important role in future liability assessments.

The AI Framework Act does not introduce a dedicated civil liability regime. Instead, it adopts a preventive, regulatory approach centred on transparency and safety obligations, emphasising ex ante risk management rather than ex post liability.

In particular, high-impact AI systems are subject to obligations relating to risk management, documentation and user protection, which are intended to encourage businesses to identify and mitigate legal risks in advance.

At the same time, data protection law provides a partial accountability framework by recognising individuals’ rights to request explanations of, and object to, automated decisions.

Overall, Korea is taking an incremental approach, relying on existing civil law and administrative regulation to shape AI liability, rather than introducing a standalone AI liability regime.

Korean law does not yet recognise agentic AI systems as a distinct legal category. However, as the level of autonomy increases, regulatory focus is shifting toward enhanced requirements for transparency, human oversight and accountability.

Agentic AI systems, which can perform tasks and interact with external systems autonomously, raise more complex issues regarding the attribution of legal responsibility than conventional AI. Nevertheless, AI is not recognised as a legal subject under Korean law, and responsibility remains attributable to natural persons or organisations deploying such systems.

In particular, data protection rules emphasise whether meaningful human involvement exists in the decision-making process. Where decisions are fully automated, additional obligations – such as explanation and response mechanisms – may apply.

From a governance perspective, practical requirements are likely to focus on internal control mechanisms, including logging, traceability of decisions, and the ability to intervene in system operations.

The liability framework for autonomous AI systems, including autonomous driving AI, has not yet been independently established under Korean law and is currently assessed under existing civil law doctrines. However, autonomous driving AI is likely to fall within the category of “high-impact AI” under the AI Framework Act, which is subject to enhanced regulatory requirements compared to general AI systems.

Under the AI Framework Act, obligations relating to high-impact AI are primarily imposed on developers and deployers. These entities are required to implement risk management systems, ensure safety, protect users, secure explainability, and prepare and retain relevant documentation. Although these obligations do not establish a direct civil liability regime, they are likely to serve as an important benchmark in assessing whether a party has fulfilled its duty of care in the event of an incident.

However, the entities subject to regulatory obligations do not necessarily coincide with those bearing civil liability. In practice, liability may be allocated among developers, operators, users, or other relevant parties depending on contractual arrangements, the degree of control or supervision, and the existence of fault. This issue becomes more complex as system autonomy increases, making it difficult to attribute responsibility to a single actor.

In addition, autonomous AI systems involve complex data processing and decision-making processes, which can make it difficult to determine causation in the event of an accident. As a result, system logs and data governance mechanisms are likely to play a critical role in dispute resolution. Furthermore, in environments where multiple systems are integrated, errors may propagate across systems, further complicating the allocation of liability.

Ultimately, liability for autonomous AI is expected to evolve not through a single unified doctrine, but through the interaction between the high-impact AI regulatory framework under the AI Framework Act and existing civil liability principles.

Algorithmic bias in AI systems has emerged as a significant legal issue, as it may lead to discriminatory outcomes affecting particular groups. This concern is particularly pronounced in areas such as finance, recruitment and credit assessment, where AI-driven decisions can have a substantial impact on individuals’ rights and obligations. In Korea, regulatory frameworks and guidelines emphasise the need to mitigate bias at the data collection and training stages, conduct post-deployment validation of outcomes, and ensure a degree of explainability.

If discriminatory outcomes arise, liability may be triggered under general tort principles or relevant regulatory regimes. Accordingly, businesses are increasingly expected to establish fairness management systems from the model design stage, including data governance, bias testing and monitoring.

Biometric technologies, such as facial recognition, fingerprint and iris identification, are subject to strict regulation as they involve the processing of sensitive personal data. Under Korea’s data protection framework, biometric data may qualify as sensitive information, and its collection and use are therefore subject to enhanced legal requirements. In particular, the use of such technologies in the public sector, including for law enforcement purposes, may be classified as high-impact AI under the AI Framework Act, triggering additional regulatory obligations.

Emotion recognition technologies, which infer individuals’ emotional states, raise further concerns regarding privacy intrusion and the risk of inaccurate or misleading assessments. Although specific legal standards governing such technologies are still developing in Korea, there is growing regulatory and policy attention to their potential impact, suggesting that stricter oversight may emerge in the future.

Deepfakes and synthetic media present significant legal risks, including the dissemination of false information, defamation and violations of portrait rights. In Korea, these issues are increasingly subject to regulatory attention. The AI Framework Act introduces labelling obligations for AI-generated content, particularly where such content may be mistaken for reality. In addition, existing criminal and civil law frameworks may apply to the creation and distribution of harmful synthetic media, potentially resulting in criminal sanctions or liability for damages.

Looking ahead, further discussions are expected regarding platform responsibility, regulation of content distribution, and the development of technical verification measures to address the risks associated with synthetic media.

Transparency has become a core principle of AI regulation in Korea. The AI Framework Act requires providers of generative AI services to disclose the use of AI in advance and to ensure that AI-generated outputs are appropriately labelled. For high-impact AI systems, additional obligations may include ensuring explainability and implementing user protection measures.

In parallel, data protection law requires organisations to disclose the criteria and procedures underlying automated decision-making and to provide individuals with rights to request explanations and raise objections. These requirements function as fundamental safeguards for user protection and trust, while also driving the need for internal governance and disclosure frameworks within businesses.

The AI Framework Act does not impose an obligation on businesses to conduct impact assessments, but Article 35 provides incentives for businesses to conduct impact assessments by stipulating that “when a national organisation or other entity intends to use a product or service using high-impact AI, it shall give priority to the product or service that has undergone impact assessment”.

Where an AI business provides a product or service using high-impact AI, it shall make efforts to conduct a prior assessment of the impact that such product or service may have on the basic rights of individuals (hereinafter referred to as the “Impact Assessment”). The Impact Assessment shall include the following matters:

• identification of subjects whose lives, physical safety, and basic rights may be affected by the product or service utilising the high-impact AI;
• identification of the types of basic rights that may be affected in connection with the high-impact AI;
• the nature and scope of the social and economic impacts on the basic rights of individuals that may arise from the high-impact AI;
• the usage patterns of the high-impact AI;
• the quantitative or qualitative evaluation indicators and the methodology for calculating results used in the Impact Assessment;
• matters concerning the prevention of risks and the recovery of losses caused by the high-impact AI; and
• matters concerning implementation plans for improvements if the results of the Impact Assessment indicate that such improvements are necessary.

The AI Framework Act, which came into force on 22 January 2026, categorises AI used in hiring as high-impact (Article 2(4)). High-impact AI deployers are required to give prior notice to users (Article 31(1)). In addition, a business that uses AI for recruitment must establish a risk management plan, establish and implement a plan to explain the final results of AI to the extent technically feasible, the main criteria used to derive the final results of AI, and an overview of the training data used to develop and utilise AI, and establish and operate a user protection plan, creation and storage of documents that confirm the management and supervision of human beings over high-impact AI and the contents of measures to ensure safety and reliability, and other measures for matters deliberated and resolved by the Presidential Committee on AI to ensure the safety and reliability of high-impact AI shall be implemented (Article 34(1)). Furthermore, any use of AI in hiring must make efforts to make a prior impact assessment on the basic rights of people (Article 35(1)).

The AI Framework Act defines high-impact AI as a judgement or evaluation that has a significant impact on the rights and obligations of individuals, such as recruitment and loan screening. However, there has been no specific discussion yet regarding whether the introduction of AI for employee performance evaluation would fall under the category of high-impact. Therefore, it remains unclear whether employee evaluation and monitoring will be included within the scope of high-impact AI.

Platform companies are making significant use of recommendation algorithms that use AI. They are most commonly used to provide personalised services based on the user’s behavioural information.

Financial companies are actively utilising or trying to utilise AI in providing customer consulting and support services, calculating credit ratings, designing insurance products, managing assets and risks, and detecting abnormal transactions and money laundering.

In particular, as chatbot services become more sophisticated with the advances made by generative AI, many financial companies are providing customer consulting and support services using chatbots, and AI is increasingly being used for asset management and personalised marketing purposes.

As the use of AI increases, the risks for financial institutions are also increasing. For instance, as the number of investment product transactions using AI increases, there is a possibility that a large number of unintended orders are placed all at once due to algorithm errors, which will increase market volatility. In addition, there is a possibility that financial companies may sell products that are not suitable for customers or fail to properly perform their obligations to explain while utilising AI for product recommendation.

The AI Framework Act defines AI used for loan screening as high-impact AI (Article 2(4)). Therefore, the use of AI for loan screening is subject to regulations related to high-impact AI.

Also, the Korean financial supervisory authorities have announced AI guidelines (and AI security guidelines) in the financial sector to ensure that financial companies using AI technology protect financial consumers’ rights and take responsibility for their services.

In particular, the AI guidelines in the financial sector require financial companies to prevent unreasonable discrimination against consumers. Accordingly, financial companies should establish fairness standards based on the characteristics of services and conduct evaluations based on certain standards to prevent the possibility of unexpected discrimination that may occur due to AI-enabled services.

Big data analytics platforms based on video information are gaining traction as an important trend in healthcare. Non-medical institutions are required to receive data from medical institutions, but there are many challenges in obtaining such data. For example, medical institutions tend to be cautious about providing medical data and there are many legal regulations in this area. To resolve this issue, the government is developing special legislation for healthcare data.

On the other hand, the AI Framework Act applies to AI used in medical devices defined in the Medical Device Act (products used for the purpose of diagnosing, treating, reducing, curing, or preventing diseases; products used for the purpose of diagnosing, treating, reducing, or correcting injuries or disabilities; products used for the purpose of inspecting, replacing, or modifying structures or functions; products used for the purpose of controlling pregnancy) or digital medical devices defined in the Digital Medical Products Act (products used for the purpose of diagnosing, treating, or observing the prognosis of diseases to which intelligent information technology, robotics, information and communication technology, etc, are applied, products used for the purpose of predicting treatment response and treatment outcomes of diseases, products used for the purpose of monitoring treatment effects or side effects of diseases, etc), to impose obligations of high-impact AI systems (Article 2(4)).

The AI Framework Act defines AI systems utilised for the major operation and management of transportation means, facilities, and systems as high-impact AI (Article 2(4)). In principle, autonomous driving systems in self-driving vehicles fall under the category of high-impact AI.

Specifically, AI systems related to Level 4 (High Automation) – which operate the vehicle without driver intervention under specific conditions – are classified as high-impact AI. Furthermore, Level 3 (Conditional Automation) systems – where AI generally handles driving controls but requires driver intervention in limited situations or system boundaries – are highly likely to be categorised as high-impact AI.

However, an AI system is excluded from high-impact AI if it does not involve road driving control, or if there are statutory safety standards for the system such that compliance with those standards can significantly mitigate the severity of damage in the event of an accident.

With respect to liability in the event of an accident, the Compulsory Motor Vehicle Liability Security Act provides measures to seek reimbursement against the manufacturer in the case of any defect in the vehicle while maintaining the existing drivers’ liability, and to establish an accident investigation committee to investigate the autonomous driving data recording device affixed to the autonomous vehicle. Meanwhile, the Rules on Safety and Performance of Motor Vehicles and Motor Vehicle Components (Motor Vehicle Safety Standards), sub-regulations of the Motor Vehicle Management Act, have safety standards for Level 3 autonomous driving systems.

When designing or operating an online interface, e-commerce business entities or online distributors are prohibited under Article 21(1)1 of the Electronic Commerce Act from using "dark patterns" – deceptive practices that induce unnecessary expenditures by exploiting consumer confusion or inadvertence. The following six types of acts are strictly prohibited:

• Hidden Subscription Renewals: Mandatory prior consent from consumers is required when increasing periodic payment amounts or converting a free service into a paid one.
• Drip Pricing: The practice of displaying or advertising only a partial amount instead of the total purchase cost of goods, etc, without justifiable grounds is prohibited.
• Pre-selected Options: The act of pre-selecting options while inquiring about the purchase of additional products during the checkout process of a specific item is prohibited.
• False Hierarchy: The inducement of specific choices favourable to the business by creating significant differences in the size, shape, or colour of selectable items is prohibited.
• Obstruction of Cancellation or Withdrawal: Acts that interfere with a consumer’s ability to cancel a service or withdraw membership are prohibited.
• Repeated Interference: The act of repeatedly requesting a consumer to change their selection through pop-up windows or similar means is prohibited.

Robotics present a number of data privacy issues, including the use of video information taken by robotics driving systems while moving. Although it has been necessary to use mosaiced (pseudonymised) video data to ensure that no individual can be identified even when developing robotics technology, the PIPC has prepared a measure to permit the use of non-mosaiced original video through a regulatory sandbox, and accordingly, several companies have applied for the sandbox for the development of robotic technologies.

An AI model can be protected through patents for its novelty and advancement. In such a case, the source code for realising the AI model can be protected as the computer program works. If an AI tool provider restricts the input method for using the generative AI tools in question, and also restricts the method of using the product through the service terms and conditions, to prevent infringement of intellectual property rights in the course of using the AI services, any user who fails to comply with such restrictions may be held liable for a breach of the terms and conditions.

The subject of copyright protection is a “work” that constitutes a creative form of expression. Portions of datasets or computer programs where such creative expression is recognised can be protected by copyright. However, the architecture itself is likely to be excluded from copyright protection as it falls within the realm of ideas. Nevertheless, specific expressions, such as the source code used to implement that architecture, may be eligible for copyright protection.

In Korea, trade secrets are defined as information – including production methods, sales methods, or other technical or business information useful for business activities – that is not publicly known, possesses independent economic value, and has been maintained as a secret (Article 2(2) of the Unfair Competition Prevention and Trade Secret Protection Act). If model weights and training methodologies meet these requirements, they can be protected as trade secrets.

A database producer holds the right to reproduce, distribute, broadcast, or transmit the whole or a substantial part of their database. While individual elements of a database are generally not considered a substantial part, even the reproduction of individual elements or portions that do not reach a “substantial part” may be deemed equivalent to the reproduction of a substantial part if such acts are performed repeatedly or systematically for a specific purpose, in a manner that conflicts with the normal exploitation of the database or unreasonably prejudices the interests of the database producer (Article 93 of the Copyright Act).

On 30 June 2023, in a lawsuit filed by Stephen Thaler, an AI developer in the United States, as part of the so-called DABUS project to seek recognition of AI as an inventor, the Seoul Administrative Court ruled that “invention” under Article 2(1) of the Patent Act refers to the highly advanced creation of a technical idea using the laws of nature and that such a technical idea presupposes human reasoning, and therefore, under the current laws, AI cannot be recognised to have the legal capacity to “invent”. The appellate court also ruled that the inclusion of AI as an inventor under the current provisions of the Patent Act is beyond the limits of legitimate legal interpretation, and that if there are objects that should be protected as AI inventions in the future, they should be supplemented through legislation from public discourse (Seoul High Court 2023Nu52088). The case is currently under appeal (Supreme Court 2024Du45177).

In addition, the Copyright Act defines “work” as a creative production that expresses human thoughts and emotions (Article 2(1) of the Copyright Act) and “author” as “a person who creates a work” (Article 2(1) of the Copyright Act). The Ministry of Culture, Sports and Tourism stated in the Generative AI Copyright Guide issued on 27 December 2023 that, under the current laws, an AI cannot be recognised as an author.

The training for developing AI models requires a large amount of data, where the training data may include works protected by copyright law. However, if someone uses another person’s copyrighted work for AI training without obtaining permission from the copyright owner, the Korean courts will most likely find such unauthorised use as constituting copyright infringement. Nevertheless, if the use falls under fair use, liability for copyright infringement may be avoided.

According to Article 35-5(1) of the Korean Copyright Act, fair use of copyrighted works without the copyright holder’s permission does not constitute infringement if it does not conflict with the normal exploitation of the work and does not unjustly harm the legitimate interests of the copyright holder. Fair use considers factors, such as the purpose and nature of the use, the type and use of the work, the proportion and significance of the portion used relative to the entire work, and the impact of the use on the current or potential market or value of the work.

The Korean Supreme Court has clarified the criteria for this provision (see Supreme Court decision 2021Da272001 issued on 11 July 2024).

• Regarding “the purpose and nature of the use”, this factor considers whether the use transforms the original work to express new meanings or messages beyond mere substitution, whether it has a distinct purpose and nature from the original, whether the transformation exceeds what is necessary for creating a secondary work, and whether the use is for public interest or non-profit purposes.
• For “the type and use of the work”, these factors include whether the original work is factual or informational in nature and whether it has been published or released.
• Regarding “the proportion and significance of the portion used”, this factor considers whether the quantity or qualitative importance of the portion used is small relative to the entire original work, and whether the user used only the necessary amount.
• Concerning “the impact on the market or value”, this factor assesses whether the use substitutes or damages the current or reasonably expected market demand for the original work or its derivative works.

Whether using copyrighted works for AI training qualifies as fair use remains to be decided by the civil courts, and no relevant rulings have been made yet.

The Korean Ministry of Culture, Sports and Tourism, in its “Guide to Copyright for Generative AI”, advises that, since the application of fair use is unclear, there is a possibility of copyright infringement when using copyrighted works for AI training without permission from copyright holders. Therefore, it recommends obtaining appropriate compensation and legal authorisation from rights holders in advance, whenever possible.

In a related case, the three over-the-air broadcasting companies filed a lawsuit against NAVER on 13 January 2025, alleging copyright infringement, claiming that NAVER used news articles for learning without permission when developing HyperClova and HyperClovaX, its generative AI services (Seoul Central District Court 2025 Gahap 5105).

In the case of works created using AI that include creative human contribution, copyright registration is possible.

In Korea, there have been cases where a human selected, arranged, and combined images generated by generative AI, and such works were recognised as compilation works, with copyright registration granted (“AI 수로부인” - English translation: “AI Wife of Suro”). In other words, registration was granted where a human selected and re-edited AI-generated images to create a scene composition, and the creative contribution was recognised.

The choice between proprietary and open-source models is at the discretion of the business. When using an API, data is transmitted to the service provider's servers, which may lead to issues regarding the protection of trade secrets or personal information. To create a derivative work of a copyrighted original, permission must be obtained from the copyright holder. If a model is used in violation of an open-source licence, it may give rise to liability for breach of contract or copyright infringement.

The Personal Information Protection Commission (PIPC) of Korea mandates that when personal information is processed for AI training, personal information controllers must strictly adhere to fundamental data protection principles, most notably data minimisation and the duty to provide comprehensive notification to data subjects.

Furthermore, the PIPC requires a rigorous assessment of the lawful basis for processing data in the context of AI learning, categorised by the source of the data:

• Publicly Available Data: The collection and use of such information may be justified under the “legitimate interests” clause (Article 15(1)(6) of the PIPA), provided that the controller's interests are not overridden by the fundamental rights of the data subjects and that adequate technical and managerial safeguards are implemented.
• User-Provided Data: For the repurposing of existing user data, the PIPC necessitates an evaluation of whether such processing remains compatible with the original purpose for which the data was initially collected.

To enhance legal certainty for AI developers, the PIPC is also refining standards for the pseudonymisation of unstructured data (such as voice and video) and has introduced an “ex-ante adequacy assessment” scheme. Under this proactive governance model, businesses can collaborate with the Commission to establish safeguard plans, and upon successful implementation, they may be granted exemption from administrative dispositions, thereby fostering a “Privacy by Design” approach in the AI era.

See 17.1 AI Training and Data Protection.

When transferring data containing personal information overseas for purposes such as AI training, personal information controllers must establish a separate legal basis for international transfer, such as obtaining the explicit consent of the data subject. Furthermore, as discussed in17.1 AI Training and Data Protection, all fundamental principles governing the processing of personal information must be strictly observed during such transfers.

The proliferation of AI is reshaping market structures by placing data, algorithms and computing resources at the centre of competition, thereby requiring an evolution of traditional competition law analysis. In particular, market concentration driven by data accumulation and network effects may reinforce entry barriers and restrict competition, making these issues a key focus of regulatory scrutiny.

In this context, the Korea Fair Trade Commission (KFTC) published its “Data and Competition” policy report in 2025, highlighting that data functions as a core competitive asset in the digital economy, while the concentration of data in the hands of dominant firms may lead to the exclusion of competitors and the entrenchment of market power. The report identifies several major competition concerns associated with data, including restrictions on data access, limitations on interoperability, the use of privacy as a pretext for restricting competition, data-driven collusion (including algorithmic collusion), and mergers involving the combination of datasets.

In particular, the KFTC has indicated that restrictions imposed by dominant platform operators on competitors’ access to data, as well as limitations on API access and system interoperability, may raise competition law concerns. It has further suggested that interoperability may be considered an important factor in assessing abuse of dominance going forward.

In addition, as algorithm-driven pricing and decision-making become more prevalent in AI-enabled markets, there is an increasing risk of co-ordinated effects even in the absence of explicit agreements. The KFTC has signalled its intention to strengthen monitoring of potential algorithmic collusion in such contexts.

From a merger control perspective, transactions involving AI and data-driven businesses are likely to be assessed not only in terms of market share, but also with regard to the competitive impact of data combination, the reinforcement of network effects and the potential increase in barriers to entry.

Overall, the Korean competition authority recognises data and AI as central elements of competition policy and is expected to continue developing its approach through enhanced market monitoring and the articulation of enforcement principles to address emerging forms of anticompetitive conduct.

There is no separate cybersecurity legislation for AI yet. Therefore, cybersecurity measures should be taken in accordance with the Act on Promotion of Information and Communications Network Utilisation and Information Protection, which is generally applicable to online businesses. In addition, it is necessary to refer to the guidelines published by the AI Safety Institute. Although these guidelines primarily focus on the safety and reliability of artificial intelligence rather than traditional cybersecurity, it is important to recognise that the two domains overlap significantly in their practical application.

AI has significant implications across environmental, social and governance (ESG) dimensions. From an environmental perspective, the energy consumption and carbon footprint associated with large-scale model training and data centre operations have become key concerns, with increasing attention on measurement and disclosure. From a social perspective, major issues include algorithmic bias and discrimination, workforce impacts resulting from automation, and data protection risks.

From a governance standpoint, there is a growing emphasis on establishing AI ethics committees, internal control systems and responsible AI frameworks. In addition, organisations are expected to conduct ESG risk assessments in connection with AI adoption and investment, as well as supply-chain due diligence when using third-party AI solutions.

While Korea has not yet established AI-specific ESG disclosure requirements, discussions are expanding to incorporate AI-related risks into broader sustainability reporting and regulatory frameworks.

As AI adoption expands, establishing structured governance at the organisational level has become a key priority. In Korea, with the introduction of obligations for high-impact AI under the AI Framework Act, AI governance is increasingly treated as part of enterprise-wide compliance and risk management rather than a purely technical function.

Governance structures typically combine board- or senior management-level oversight with internal control functions such as AI ethics or risk management teams, ensuring co-ordination between legal, compliance and technical functions.

AI risk management frameworks focus on identifying, assessing and mitigating risks across data, models and use cases, with particular emphasis on ex ante risk assessment and ongoing monitoring for high-impact AI. This is closely linked to life cycle governance, requiring controls across development, training, deployment and operation.

Integration with existing governance systems is essential, as AI risks overlap with data protection, cybersecurity, consumer protection and competition law. In practice, organisations are expected to maintain an inventory and classification of AI systems, supporting impact assessments, documentation and regulatory compliance.

The use of third-party AI solutions also raises supply-chain risks, requiring contractual safeguards, due diligence and ongoing monitoring. In addition, organisations should establish incident response mechanisms to address system failures, data breaches and harmful outputs.

AI governance should be applied proportionately, with stricter controls for high-impact AI and streamlined measures for lower-risk systems. However, implementation challenges remain, including limited expertise and resource constraints, leading many organisations to adopt phased and prioritised approaches.