TMT 2026 Comparisons

South Korea’s digital economy is governed not by a single statute but by a combination of laws, including the following:

• the Personal Information Protection Act (PIPA);
• the Act on Consumer Protection in Electronic Commerce, etc (the “E-Commerce Act”);
• the Telecommunications Business Act (TBA);
• the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc (the “Network Act”); and
• the Monopoly Regulation and Fair Trade Act (the “Fair Trade Act”), among others.

(All references herein to “Korea” refer to South Korea.)

PIPA

The PIPA is the general law governing all personal information processing and regulates the collection, use, third-party provision and cross-border transfer of personal information by digital service providers.

E-Commerce Act

The E-Commerce Act comprehensively regulates consumer protection in transactions conducted through online shopping malls and platforms, including business operators’ information disclosure obligations, withdrawal of subscriptions, refunds, and dispute resolution procedures. It also sets forth the responsibilities and obligations of mail-order brokerage businesses (online marketplaces), thereby directly affecting the allocation of transactional responsibility on digital platforms (see 1.5 Consumer Protection).

TBA and Network Act

The TBA prescribes the registration/reporting requirements and user protection obligations of facilities-based telecommunications carriers and value-added telecommunications service providers (including numerous digital services such as platforms and messengers). The Network Act complements this framework by requiring technical and administrative safeguards by information and communications service providers, prohibiting the distribution of illegal information and imposing user protection obligations, thereby supporting the overall safety and reliability of online services.

Fair Trade Act

In the digital economy context, the Fair Trade Act serves as a foundational statute regulating abuse of market dominance, cartels and unfair trade practices, thereby protecting competition and consumer welfare in online and platform markets.

Recently, key Fair Trade Act issues in the digital economy have included:

• regulation of online platform monopoly power;
• responses to algorithmic collusion; and
• AI- or data-driven manipulation of prices and rankings/exposure.

Please see 1.1 Legal Framework.

Income Tax and Corporate Income Tax

Residents are subject to Korean taxation on all domestic and foreign-source income (Income Tax Act, Article 3), while non-residents are taxed in Korea only on Korea-source income (Income Tax Act, Article 119).

Domestic corporations and foreign corporations with Korea-source income are subject to corporate income tax (Corporate Tax Act, Article 3(1)).

However, in the case of multinational digital platform companies, it is often difficult to impose corporate income tax on app market revenue or advertising revenue because a permanent establishment is not recognised in Korea.

No Digital Services Tax (DST)

Korea has not introduced a digital services tax. This reflects concerns such as the potential for double taxation, given that many large domestic companies operate digital services and hold significant shares of the IT market.

Value-Added tax (VAT)

Following a December 2015 amendment to the VAT Act, Korea began imposing VAT on electronically supplied services such as games, audio, video files and software. In December 2018, to enhance tax neutrality between domestic and foreign businesses, the scope of electronically supplied services provided by offshore businesses subject to VAT was expanded.

Global Minimum Tax

In December 2022, Korea enacted the global minimum tax by adding Articles 60 to 86 to the International Tax Coordination Law, becoming the first country to legislate the regime. The global minimum tax, agreed upon by more than 140 countries, aims to prevent tax rate competition and tax avoidance by multinational enterprises. The first filing is expected in June 2026. The regime applies to multinational groups with consolidated revenue of approximately KRW1 trillion or more (EUR750 million or more) in at least two of the four preceding fiscal years and is designed to ensure taxation at an effective rate of at least 15%.

Where a non-resident engaged in the publishing or broadcasting business conducts advertising services for others both in and outside Korea, the portion of income attributable to advertising performed in Korea is treated as Korea-source income and is subject to Korean income tax or corporate income tax.

In this regard, the National Tax Service imposed KRW154 billion in tax on Google Korea in 2020 by characterising certain income as royalties. Google Korea challenged the assessment, and related litigation remains ongoing. Depending on the outcome, the legal framework governing taxation of digital advertising platform fee income earned by foreign corporations without a domestic permanent establishment may change, requiring close attention.

E-Commerce Act

The E-Commerce Act aims to protect consumer rights by regulating the following in e-commerce and mail-order sales:

• withdrawal of subscriptions;
• refunds;
• labelling and advertising;
• disclosure of business information; and
• dispute resolution.

Statutory requirements such as the following must be directly reflected in systems, terms and conditions, and UI (Articles 10, 13, and 17):

• disclosure of business information;
• advance notice of cooling-off and refund terms and limitation grounds;
• ensuring the truthfulness and clarity of electronic labelling and advertising; and
• retention of transaction records.

Following the 2024 amendment to the E-Commerce Act, dark patterns became a key regulatory focus. Prior consent is now required for subscription fee increases or conversion to paid services, and five types of dark pattern practices are prohibited:

• drip pricing;
• pre-selection of options;
• misleading hierarchical structures;
• obstruction of cancellation or withdrawal; and
• repeated interference.

In addition, consumer protection guidelines have been issued under the E-Commerce Act (the Guidelines on Consumer Protection in Electronic Commerce, etc). Where a consumer files a damage relief application in connection with an E-Commerce Act violation, the Korea Fair Trade Commission or other authorities may refer the matter to a consumer dispute mediation body (Article 33).

Framework Act on Consumers

The Framework Act on Consumers is a general statute providing for the following:

• consumers’ eight fundamental rights;
• business operators’ responsibilities;
• the duties of the state and local governments; and
• the establishment of the Consumer Dispute Mediation Committee.

It grants the Korea Consumer Agency authority to conduct consumer counselling, damage relief and dispute mediation, and provides for the establishment of a Consumer Dispute Mediation Committee within the Agency (Article 60). The damage relief procedure consists of consumer counselling, application for relief, notification to the business, fact-finding investigation, recommendation for settlement, and, if settlement fails, application for mediation.

The Korea Consumer Agency also publishes Consumer Dispute Resolution Standards to facilitate the efficient resolution of disputes between consumers and businesses.

TBA

Under the TBA, telecommunications service providers must endeavour to prevent harm to users and promptly address legitimate opinions or complaints raised by users (Article 32). The Korea Communications Commission may evaluate and publicly disclose the results of such user protection efforts. The Act also prohibits providing telecommunications services in a manner that materially harms users’ interests.

Content Industry Promotion Act

The Content Industry Promotion Act provides for:

• promotion of the digital content industry (including games, OTT content, webtoons and music/video streaming);
• protection of users’ rights; and
• dispute mediation mechanisms.

A Content Dispute Mediation Committee is established to mediate disputes between users and content businesses regarding content transactions and use (Article 29).

Key regulatory statutes governing blockchain and virtual assets include the Act on Reporting and Using Specified Financial Transaction Information (the “AML Act”), the Act on the Protection of Virtual Asset Users, etc (the “Virtual Asset User Protection Act”) and the Capital Markets Act.

AML Act

Following the 2021 amendment to the AML Act, virtual asset service providers (VASPs) became subject to obligations such as reporting to the Korea Financial Intelligence Unit (FIU), securing real-name accounts, customer due diligence, and suspicious transaction reporting. In addition, the Travel Rule applies to virtual asset transfers: for transfers of KRW1 million or more between VASPs, both the sending and receiving parties must exchange identifying information such as names and wallet addresses.

Virtual Asset User Protection Act

The Virtual Asset User Protection Act was enacted in 2023 and took effect in 2024. It provides for protection of users’ assets, prohibition of unfair trading practices, and supervisory and enforcement authority of financial regulators over the virtual asset market and VASPs. NFTs issued solely for content collection purposes (eg, videos or images) are excluded from the definition of virtual assets.

Capital Markets Act

Security tokens (STOs), while issued in digital form, constitute securities and are therefore regulated under the Capital Markets Act. Financial authorities are currently advancing reforms to establish a regulatory framework for the issuance and distribution of tokenised securities within the existing Capital Markets Act framework.

Separately, the MSIT is pursuing enactment of a Basic Blockchain Act to promote blockchain technology and foster the broader industry ecosystem beyond virtual assets. Establishment of a statutory foundation for blockchain technology is expected to enable its application across various public services, including mobile identification, online voting, local currencies, and management of public vouchers.

Cloud Computing Act

Korea’s Act on the Development of Cloud Computing and Protection of Users (the “Cloud Computing Act”) functions as the foundational law for the cloud industry and user protection. It sets out the following provisions:

• definition of cloud computing;
• responsibilities of cloud service providers;
• measures in the event of service interruption or failure;
• obligations to protect users’ data and information;
• users’ rights to request data transfer/deletion; and
• detailed information security standards necessary to enhance the safety and reliability of cloud computing services.

Financial Sector

For cloud computing in the financial sector, Article 14-2 of the Supervisory Regulations on Electronic Financial Transactions (use of cloud computing services) and the Financial Security Institute’s Guide on the Use of Cloud Computing Services in the Financial Sector apply together.

Given continued concerns that excessive cloud and network separation regulations hinder the adoption and use of new digital technologies, certain regulations (eg, procedures for using cloud services and network separation rules) were relaxed through amendments in 2022.

Medical Sector

Cloud computing in the medical sector is additionally governed by Article 7 of the Standards on Facilities and Equipment Necessary for the Management and Preservation of Electronic Medical Records. Where electronic medical records are managed or preserved through cloud computing, compliance with the information security standards under the Cloud Computing Act is required, along with the establishment of redundant networks. Moreover, the physical location of the relevant systems and back-up equipment must be limited to Korea.

PIPA

Cloud environments in which personal information is processed or stored are subject to the PIPA. Where personal information processing is outsourced to a third party through cloud services, provisions on entrustment (Article 26) and cross-border transfer (Article 28-8, etc) may apply, and appropriate safeguards must be implemented in accordance with the Standards for Ensuring the Safety of Personal Information.

AI Framework Act

Similar to the EU AI Act, Korea enacted the Framework Act on the Development of Artificial Intelligence and Establishment of a Trust-Based Foundation (the “AI Framework Act”) as a comprehensive, foundational regulatory statute governing AI. The Act was promulgated in January 2025 and took effect in January 2026.

Key provisions of the AI Framework Act include:

• definitions of AI systems, AI business operators, and high-impact AI;
• fundamental principles governing AI and the responsibilities of the state and related entities; and
• measures to ensure AI safety and trustworthiness, including –
1. transparency and safety obligations for AI operators,
2. obligations to determine whether an AI system qualifies as high-impact AI (with additional obligations such as impact assessments where applicable),
3. establishment of monitoring and response systems for AI-related incidents, and
4. requirements to appoint a domestic representative.

Subordinate regulations and guidelines for the AI Basic Act were also announced and published in late January 2026.

Deepfakes

The AI Framework Act imposes transparency obligations requiring that outputs such as deepfakes be clearly disclosed or labelled as AI-generated.

Separately, amendments to the Act on Special Cases Concerning the Punishment, etc of Sexual Crimes now criminalise the editing, synthesis or processing of deepfake pornographic materials even for personal use without intent to distribute. Liability extends not only to creators but also to individuals who possess, purchase, store or view such materials.

In addition, under the Public Official Election Act, deepfake content created for election campaigning must clearly indicate that it was generated using AI, and use of such content is prohibited starting 90 days prior to election day.

AI in Transportation

The Act on the Promotion and Support of the Commercialization of Autonomous Vehicles (the “Autonomous Driving Commercialization Act”) governs:

• designation of pilot operation zones;
• development of autonomous driving infrastructure;
• support for testing and commercialisation;
• allocation of liability; and
• mandatory insurance requirements.

Where AI systems used in autonomous driving qualify as high-impact AI, the additional obligations applicable under the AI Framework Act apply.

With respect to personal information, guidance issued by the Personal Information Protection Commission – such as the Guide to Processing Publicly Available Personal Information for AI Development and Services, the AI Privacy Risk Management Model, and the Guide to Processing Personal Information for the Development and Use of Generative AI – clarifies the legal basis for processing personal information collected via vehicle-mounted cameras. Personal information collected and used strictly for autonomous driving may be processed without consent where necessary to achieve the data controller’s legitimate interests that clearly outweigh the data subject’s rights. However, use of such data for AI training beyond that purpose generally requires the data subject’s consent or regulatory exemptions obtained through applicable sandbox programmes.

Intellectual Property

Korea’s Copyright Act does not explicitly recognise use of copyrighted works for AI training as a standalone statutory limitation. Accordingly, the key legal issue is whether such use qualifies as “fair use”, which operates as a general limitation on copyright.

Given the absence of established case law or settled doctrine, this issue remains legally unsettled, and practical standards should be developed by reference to relevant guidance such as the Generative AI Copyright Guide.

KC Certification

IoT devices are classified as “broadcasting and communications equipment” under the Radio Waves Act and must undergo conformity assessment (“KC certification”) prior to manufacture, import or sale to ensure compliance with radio interference and electromagnetic human protection standards.

Following amendments in 2020, conformity assessment procedures for certain IoT-converged wireless devices were partially simplified. For smart home appliances and wearable devices, where certified wireless modules (eg, Bluetooth, Wi-Fi, NFC) are removed or replaced with other certified modules, products may be sold upon filing a change report.

Information Security Certification

Manufacturers or collectors of information and communications network-connected devices must implement protective measures to ensure network stability and information reliability.

Pursuant to the Network Act and the Public Notice on Information Security Certification for Network-Connected Devices, IoT security certification may be obtained from the Korea Internet & Security Agency (KISA).

Data Protection

The Guidelines for the Protection of Automatically Processed Personal Information present concrete safeguards, including application of the Privacy by Design principle from the planning and design stages of IoT services, as well as the “Ten Rules” for protecting personal information automatically processed in IoT environments.

Where IoT services process personal location information, additional regulation under the Act on the Protection and Use, etc of Location Information (the “Location Information Act”) may apply, including:

• registration or reporting requirements;
• user consent obligations;
• specification of terms; and
• limitations on retention periods.

Communications Secrecy

Under the Protection of Communications Secrets Act, not only the content of communications but also communications confirmation data (such as calling and called numbers, timestamps, and originating locations) are protected from access by third parties. Law enforcement access requires strict procedures, including court authorisation or warrants.

When operating an IoT solution business, it is necessary to assess whether the business falls within the scope of a facilities-based telecommunications business subject to registration under the TBA.

Following the 2020 amendment to the TBA, where an IoT service is provided by using (ie, reselling) the mobile network of a wholesale provision-obligated carrier, certain registration requirements applicable to facilities-based telecommunications businesses have been partially relaxed.

In data sharing scenarios, the PIPA generally applies. Where an IoT device processes information capable of identifying an individual – such as facial data, voice data, location data or lifestyle patterns – the service provider qualifies as a personal information controller under the PIPA. In such cases, transferring data to another business generally constitutes third-party provision and requires the data subject’s consent. Where data is shared overseas, the cross-border transfer requirements under Article 28-8 must be satisfied.

In addition, where the personal information includes personal location information, additional regulation under the Location Information Act, as discussed at 4.1 Machine-to-Machine Communications, Communications Secrecy and Data Protection, may apply.

Under the Broadcasting Act, entities seeking to operate terrestrial, satellite or general cable broadcasting services must obtain authorisation from the Korea Communications Commission and undergo review of business plans, financial capability, technical competence and public interest considerations. Channel user businesses must register with or report to the Commission and meet capital and facility requirements. Foreign investment in broadcasting businesses is restricted (Article 14).

Internet-based pay television (IPTV) services are separately regulated under the Internet Multimedia Broadcasting Business Act (the “IPTV Act”). Internet multimedia broadcasting service providers require authorisation, while content providers must register, report or obtain approval. Foreign ownership of IPTV service providers is also restricted (Article 9).

By contrast, OTT services and UGC platforms such as YouTube, Netflix and Wavve are classified not as broadcasting businesses but as value-added telecommunications service providers under the TBA. As such, they are not subject to Broadcasting Act regulation, and foreign investment is not restricted. However, providers exceeding certain thresholds are subject to service stability obligations under telecommunications law (see 6.1. Scope of Regulation and Pre-Marketing Requirements).

TBA

A telecommunications business is defined as a business that intermediates others’ communications or provides telecommunications facilities for others’ use. Telecommunications businesses are categorised into facilities-based and value-added telecommunications businesses. Facilities-based businesses provide transmission or reception of voice, data or video without altering content, or lease telecommunications line facilities. All other telecommunications businesses are classified as value-added.

Facilities-based telecommunications businesses require registration with the Ministry of Science and ICT (MSIT), while value-added businesses generally require filing a report.

Facilities-based businesses exceeding certain thresholds must implement technical and administrative measures such as vulnerability assessments, core facility management and traffic dispersion. Value-added telecommunications businesses above certain thresholds are subject to obligations to ensure service stability, including user request handling and reasonable payment mechanisms.

Network Act

Information and communications service providers and manufacturers or collectors of network-connected devices are required to implement safeguards to ensure network stability and information reliability. Such safeguards include security governance, network security, facility security, and physical and access controls. Certain telecommunications businesses must also obtain Information Security Management System (ISMS) certification.

Korea has no statute that directly codifies net neutrality. However, the MSIT issued the Guidelines on Net Neutrality and Internet Traffic Management in 2012, establishing principles such as the following:

• user rights;
• transparency;
• prohibition of blocking and unreasonable discrimination; and
• reasonable traffic management.

The Ministry has articulated a post-regulation approach to zero-rating, indicating that potentially unfair practices may be addressed ex post under the TBA’s prohibition on unreasonable or discriminatory conditions.

Disputes and legislative debate concerning network usage fees have continued, exemplified by the SK Broadband–Netflix dispute. Legislative proposals continue to be introduced requiring large content providers to enter into network usage agreements with telecommunications carriers.

Since 2019, Korea has operated an ICT regulatory sandbox allowing market entry through temporary permits or demonstration exemptions where regulatory barriers exist, provided public safety is not compromised. To date, more than 2,000 new technologies and services have been approved through this mechanism.

Korea does not have a general statute specifically governing technology agreements; the civil law principle of freedom of contract applies.

However, the Act on the Regulation of Terms and Conditions applies to standard form contracts, and unfair provisions – such as those disclaiming liability for intent or gross negligence, excessively limiting liability or granting unilateral modification rights – may be deemed invalid.

Data Localisation

While there is no general data localisation requirement, personal information transferred overseas must satisfy the requirements of the PIPA.

In the financial sector, certain information processing systems must be located in Korea. Similarly, in the medical sector, systems and back-up equipment managing electronic medical records through cloud services must be physically located in Korea.

Service Agreements

There are no generally mandated clauses applicable to telecommunications service agreements. However, under the TBA, facilities-based telecommunications businesses whose revenue exceeds a prescribed threshold are required to file their terms of service with the MSIT.

Interconnection Agreements

Pursuant to the TBA, facilities-based telecommunications businesses that meet certain statutory criteria are required to enter into interconnection agreements and permit interconnection where another telecommunications business requests interconnection of telecommunications facilities. The MSIT’s Standards for Interconnection of Telecommunications Facilities govern matters such as the following:

• interconnection network configuration and operation;
• interconnection facility costs;
• interconnection call charges;
• methodologies for calculating interconnection costs; and
• ancillary service fees.

Electronic Signatures

The Electronic Signature Act governs electronic signatures and certification service providers. The Act provides that “the legal effect of a signature, seal, or name-and-seal shall not be denied solely because it is in electronic form” and that where the parties elect to use an electronic signature as the signing method, it has the same legal effect as a handwritten signature, seal, or name-and-seal.

In 2020, the Operational Standards for Electronic Signature Certification Services and a compliance recognition system were introduced. Where an electronic signature certification service provider recognised as compliant causes damage to a subscriber or user in connection with the performance of certification services, the provider is required to compensate for such damage and to maintain insurance coverage for that purpose.

Electronic Documents

The Framework Act on Electronic Documents and Transactions recognises the legal validity of electronic documents and permits their treatment as written documents if statutory requirements are met. Where paper documents are scanned and stored in electronic form, the Regulation on Procedures and Methods for Creating Digitized Documents applies, including detailed requirements such as time-stamp-based time certification and integrity verification.

Digital Identity

The Network Act establishes a system under which the government designates “identity verification agencies” that are authorised to verify users without directly using resident registration numbers in online environments. Entities recognised as capable of performing identity verification safely and reliably through alternative means (such as mobile phones, i-PINs, credit cards or certificates) may be designated to provide such services.

In the financial sector, electronic identity verification frameworks are established under the Supervisory Regulations on Electronic Financial Transactions and related guidelines. Following a 2015 amendment that abolished the mandatory use of accredited certificates, the Financial Services Commission issued the Guidelines on Non-Face-to-Face Real-Name Verification, which require the use of at least two overlapping verification methods from among five prescribed methods (ie, submission of identification documents, video calls, account transfers, verification by entrusted institutions, and biometric authentication).

In Korea, the Game Industry Promotion Act (the “Game Industry Act”) comprehensively regulates promotion of the game industry, game rating classification, regulation of illegal or speculative games, youth protection, and the obligations of game distribution and provision businesses.

• Any person wishing to engage in game production, game distribution, or game provision businesses must obtain registration or authorisation.
• Any person intending to produce or distribute a game for the purpose of distribution or provision for use must, prior to such production or distribution, obtain a rating classification for the game’s content from the Game Rating and Administration Committee or the Game Content Rating Board.
• Game-related businesses must comply with requirements such as refraining from enabling or permitting gambling or other speculative acts through games and avoiding encouragement of speculative behaviour.
• A person who produces, distributes or provides a game must display the types of probabilistic items used in the game and the probability supply information for each type on the game itself, its website, and related advertisements or promotional materials. Where this obligation is violated and damage is caused to users, the business is liable for damages to the affected users.

Under the Game Industry Act, ex post management relating to fair rating classification of games and their distribution, as well as investigations and oversight of rating bodies and game-related businesses, falls within the jurisdiction of the Ministry of Culture, Sports and Tourism.

In addition, the Game Rating and Administration Committee is established as a dedicated body for rating classification and ex post management. Its functions include:

• rating classification;
• modification and cancellation of ratings;
• post-release monitoring; and
• determinations regarding speculative elements and youth harmfulness.

In December 2021, the Committee cancelled rating classifications for certain P2E (Play-to-Earn) games based on the Game Industry Act provision stating that “tangible and intangible outcomes obtained through games cannot be exchanged for money”.

Meanwhile, where a game company provides games online or on mobile platforms and sells paid items, such activities constitute mail-order sales under the E-Commerce Act. Accordingly, enforcement powers under the E-Commerce Act, including corrective measures and administrative penalty surcharges, may be exercised by the Korea Fair Trade Commission. Recently, the Korea Fair Trade Commission imposed corrective orders and administrative penalty surcharges totalling KRW11.6 billion on an online game service provider for violating the E-Commerce Act by changing the probabilities of probabilistic items in online PC games to consumers’ disadvantage without proper disclosure, or by providing false or misleading disclosures.

Games and Copyright

Under the Copyright Act, a game work is a composite work combining:

• literary works;
• musical works;
• artistic works;
• audiovisual works;
• computer program works; and
• other protected subject matter.

The Supreme Court of Korea has held that “games can be protected as copyrighted works because key components, implemented technically in accordance with the production intent and scenario, are selected and arranged and organically combined, resulting in creative individuality that clearly distinguishes them from other games”, thereby recognising that the game itself may qualify as a protected copyrighted work.

The Supreme Court has further held that a game character may be protected as a separate work independent of the original work, and that substantial similarity between characters may constitute copyright infringement.

Trade Marks

Under the Trademark Act, the following acts constitute trade mark use that may give rise to infringement:

• affixing another person’s registered trade mark to goods or packaging;
• distributing or displaying goods or packaging bearing the trade mark; and
• displaying the trade mark in advertising or similar materials.

Following amendments to the Trademark Act, “displaying information provided through telecommunications lines by electronic means” is expressly included as an act of “display”, thereby clearly encompassing trade mark use in NFTs or metaverse environments as “display of a trademark”.

Well-known or famous marks may be protected under the Unfair Competition Prevention and Trade Secret Protection Act even in the absence of trade mark registration.

The Korean Intellectual Property Office has prepared the Examination Guidelines for Virtual Goods for trade mark applications, which set forth standards regarding the following:

• recognition of virtual goods names;
• classification of virtual goods (including the introduction of detailed similarity group codes); and
• assessments of similarity among virtual goods.

Social media is regulated on an individual basis under the Network Act, the TBA and the PIPA, among other statutes.

Network Act

The Network Act governs information and communications services as a whole, including social media, and addresses matters such as:

• labelling and advertising prohibitions for youth-harmful media;
• protection of rights on information and communications networks;
• the right to request deletion of information;
• users’ rights to request the provision of information;
• prohibition of the distribution of illegal or harmful information; and
• protection of children in conversational information and communications services.

Illegal information includes:

• content that infringes another person’s reputation;
• content provided for commercial purposes without compliance with statutory obligations such as age verification or labelling requirements applicable to youth-harmful media;
• content constituting gambling or other speculative activities; and
• content involving the trading of personal information.

Where an information and communications service provider offers a service based on a system that processes information by enabling text- or voice-based conversations for children under the age of 14, the provider must endeavour to ensure that inappropriate content is not provided to such children.

Meanwhile, policy discussions are ongoing regarding potential restrictions on adolescents’ use of social media. Proposed amendments to the Network Act include bills requiring parental consent for SNS use by minors under the age of 16, limiting SNS membership to individuals aged 14 or older, and restricting the provision of information to content tailored specifically for youth.

TBA

SNS, messaging services and video platforms qualify as telecommunications business operators providing “value-added telecommunications services” under the TBA. Accordingly, they are required to file a report as value-added telecommunications business operators and are subject to statutory obligations to prevent the distribution of illegal filmed materials and similar content.

PIPA

Social media operators qualify as personal information controllers under the PIPA and are required to comply with the Act in its entirety. This includes obligations relating to:

• the collection and use of personal information;
• third-party provision;
• restrictions on use beyond the stated purpose;
• implementation of security safeguards;
• breach notification and reporting; and
• protection of personal information of children under the age of 14.

Korea Media and Communications Commission

The Korea Media and Communications Commission (KMCC) has authority to supervise social media operators pursuant to the Network Act and the TBA.

• With respect to the prohibition on the distribution of illegal information under the Network Act, the KMCC may, through the Korea Communications Standards Commission, order information and communications service providers to refuse, suspend or restrict the handling of illegal information, and may impose corrective measures for violations of the Network Act.
• Under the TBA, administrative fines may be imposed on parties that intentionally fail to take necessary measures – such as deletion or access blocking – to prevent the distribution of illegal filmed materials, and corrective measures may be ordered for violations of the Act.
• In this regard, in 2025, corrective orders and administrative fines were imposed on seven companies, including X (formerly Twitter), Google and Meta, for violating obligations under the TBA relating to measures required to prevent the distribution of illegal filmed materials.

MSIT

The MSIT may supervise social media operators through mechanisms provided under the TBA, including reporting requirements applicable to value-added telecommunications businesses, fact-finding surveys of such businesses, and service stability measures aimed at preventing service disruptions.

Personal Information Protection Commission

The Personal Information Protection Commission (PIPC) has authority to supervise social media operators with respect to the processing of personal information.

• The PIPC may order corrective measures for violations of the PIPA and may impose administrative penalty surcharges of up to 3% of total revenue for certain violations.
• In 2022, the PIPC imposed corrective orders and administrative penalty surcharges of approximately KRW100 billion on Google and Meta for violating the PIPA by collecting personal information (including users’ cross-service behavioural data) without user consent and using such information for online targeted advertising.
• In 2024, the PIPC imposed administrative penalty surcharges and fines totalling KRW21.6232 billion, together with corrective orders, on Meta for collecting and using sensitive personal information without a lawful processing basis.

No response has been provided in this jurisdiction.

No response has been provided in this jurisdiction.