TMT 2019

Last Updated June 13, 2019

South Korea

Law and Practice


Kim & Chang has a TMT practice recognised as leading the sector in South Korea. The firm represents leading technology, telecommunications, internet and media companies, both Korean and multinational, and its practice consists of more than 100 members including attorneys, advisers, other professionals and support staff possessing expertise and experience in TMT. Prior to joining Kim & Chang, many of its members gained valuable skills and knowledge working in a variety of capacities, including high-ranking official positions in the government and senior executive positions for companies in the telecommunications sector. The practice members often serve as advisers to legislators, regulators and policy-makers, enabling the firm to keep pace with the rapid developments and constant changes that are characteristic of the TMT sector. The practice regularly provides alerts and updates to bring breaking developments to clients and other interested colleagues in areas of interest to them.

Generally speaking, the Korean government takes a positive stance towards cloud computing services, and has sought to support and promote cloud computing services. For instance, the Act on Promotion of Cloud Computing and Protection of Its Users (the 'Cloud Computing Act'), which aimed to promote the use of cloud computing services and protect its users, went into effect in 2015.

However, Korea has several licence/certification requirements that must be met in order to provide cloud computing services, including specific localisation requirements (eg, local data centre requirements) and physical network separation requirements applicable to cloud computer service customers (especially those in the public, financial and healthcare sectors). While there have been many discussions on relaxing regulations on cloud computing services, there still remain many regulations that hinder foreign companies seeking to provide cloud computing services in Korea. These regulations are discussed in greater detail below.

Telecommunication Licence Requirements

In Korea, the Telecommunications Business Act (TBA) currently broadly categorises telecommunications service providers into facility-based telecommunications service providers (FSPs), specific telecommunications service providers (SSPs) and value-added telecommunications service providers (VSPs).

Both FSPs and SSPs provide 'key services' that involve telecommunications carrier services (eg, transmission and network facility leasing). The key difference between FSPs and SSPs is that, while FSPs provide key services through the use of their own telecommunication network and related facilities, SSPs do so using an FSP’s telecommunication network facilities and services (eg, mobile virtual network operators (MVNOs)). VSPs are defined as telecommunications service providers that provide telecommunications services other than 'key services' and, therefore, the term VSP is extremely broad and covers a wide variety of companies, including cloud computing services and colocation services, online data processing services and content-on-demand services.

Therefore, a cloud computing or co-location service provider in Korea is required to file a VSP report, while a data centre operator is required to obtain:

  • an FSP licence (akin to common carrier licence in the USA) if it owns circuit facilities for the provision of such service; or
  • an SSP licence if it provides a standalone circuit resale service (ie, leasing a circuit from carriers in Korea and re-leasing it to customers).

However, it is important to note that the distinction between FSPs and SSPs will be abolished starting 25 June 2019, at which point services currently requiring an FSP or SSP licence will need to register as an FSP only.

Other Licence Requirements

In addition to the foregoing, the following licences, while not unique to cloud businesses, may be required depending on the business structure:

  • ICC Licence: If an entity engages in construction of telecommunication facilities (eg, installing telecommunication infrastructure or facilities), it is required to obtain a Registration of the Information and Communications Construction Business pursuant to the Information & Communications Construction Business Act.
  • E-Commerce Report: If an entity is engaged in online B2C sales, generally it would be subject to an e-commerce report requirement. Under the E-Commerce Act, an online retailer (ie, anyone who engages in business of selling products or services to consumers by providing information related to such products or services and receiving orders online) must file an e-commerce report with the local government that has jurisdictional authority.
  • Location Information Business Licence and Location-Based Service Provider Report: If an entity engages in a 'location information business' (ie, collection of location information and provision of such information to location-based service providers), such entity must obtain permission from the Korea Communications Commission (KCC) under the Act on the Protection, Use, etc, of Location Information ('Location Information Act'). If an entity uses personal location information to provide a 'location-based service' (ie, services based on location information), such entity must report as a location-based service provider to the KCC under the Location Information Act.

Major Regulatory Requirements Under the Cloud Computing Act

The Cloud Computing Act, which applies to cloud computing services providers, sets forth certain regulatory compliance obligations and recommendations for relevant service providers. The main items of the Cloud Computing Act are as follows:

  • quality and performance standards;
  • information protection standards (a standard for Cloud Security Assurance Programme (CSAP) certification);
  • security breach notifications;
  • disclosure of country information where data is stored;
  • consent for provision or use of customer information;
  • return/destruction of customer information;
  • damages and liabilities to customers; and
  • disclosure of warrants.

Other Major Regulatory Requirements

There are other major regulatory requirements that may apply to an entity providing cloud services in Korea:

  • Designation of Domestic Agent: Under an amendment to the Act on Promotion of Information and Telecommunications Network Utilisation and Information Protection (“Network Act”), which will come into effect on 19 March 2019, telecommunications service providers that:
    1. do not have a domestic address or place of business in Korea; and
    2. meet certain standards on number of users and sales amount, are required to                      designate a domestic agent, who is authorised to handle duties of a privacy officer, provide notices and reports and submit relevant documents on behalf of the company.
  • ISMS certification: Under the Network Act, an entity is required to undergo Information Security Management System certification, which is a type of security certification, if the business meets certain criteria, including:
    1. FSPs providing telecommunication services nationwide;
    2. operators of integrated telecommunication facilities provided for third-party telecommunication services (eg, data centre operators); and
    3. certain standards on number of users or sales.
  • Regulation on Standard Contract: If any agreement is prepared in advance by a party for the purpose of entering into a contract with multiple persons, such agreement is likely to be deemed a 'standardised contract', in which case its terms would be subject to the Regulation of Standardised Contracts Act (RSCA). The RSCA provides that certain 'unfair' provisions in standardised contracts may be null and void (the standard of review to determine whether a provision is unfair is based on the reasonable person standard), and the Korea Fair Trade Commission has the authority to issue corrective orders for non-compliance with the               RSCA.

In Korea, there are specific regulations that apply to individual industries and sectors that can be an obstacle to the provision of cloud computing services.

Regulations on Public Sector Customers

The use of cloud services by customers in the public sector, including government institutions, local governments and government-owned public institutions (eg, academic institutions in the education sector) (collectively, 'Public Agencies') is actually very limited by the regulations below. There have been many recent discussions, however, to ease these regulations, and the regulatory landscape with regards to Public Agencies is rapidly changing.

The Guideline on Use of Commercial Cloud Services by Public Institutions promulgated by the Ministry of the Interior and Safety sets forth the following procedures and requirements for use of commercial cloud services by Public Agencies (it must be noted that this guideline is currently in discussion to be abolished or revised in the near future):

  • Information Resource Rating System: Public Agencies are subject to a three-tiered information resources rating system, based on which information resources held by Public Agencies are evaluated and given a rating of 1 through 3 based on, among others, nature of data, system linkage, feasibility of replacement/substitution, severity of damage in case of accident/breach. Among the three tiers of the information resource rating, only agencies that are rated in the second and third tiers are permitted to use commercial cloud services.
  • CSAP Certification: Cloud service providers are required to obtain CSAP certification from the Korea Internet & Security Agency. The criteria for certification are based on the Standards on Information Protection under the Cloud Computing Act, which provide an additional standard applicable to cloud services used by Public Agencies, including administrative and technical security measures (eg, physical network separation and local location requirements).

In addition, pursuant to the e-Government Act, any information protection system used by Public Agencies, including cloud computing systems, must undergo security compatibility review procedures established by the National Intelligence Service.

Regulations on Financial Sector Customers

Until 2018, financial companies and electronic financial business operators had only been able to use cloud services to process 'non-critical information' that do not contain personal credit information and/or unique identifying information.

In July 2018, the Financial Services Commission announced systematic advancements entitled the 'Plan to Increase Cloud Use in the Financial Sector', and as a result, an amendment to the Electronic Financial Supervisory Regulations (the 'Supervisory Regulations') and a new Guideline on the Use of Cloud Services in the Financial Industry became effective on 1 January 2019.

The key features of the amendment to the Supervisory Regulations include:

  • expansion of the scope of cloud usage to enable the processing of 'critical information' containing personal credit information and/or unique identifying information in cloud systems;
  • introduction of security standards (eg, data protection, prevention of and response to service failure, etc) for cloud services;
  • enhancement of internal controls for use of cloud services; and
  • publication of the financial supervisory authority’s management/supervision measures in cloud service usage.

However, there are requirements in these amendments that may be burdensome for foreign cloud service providers (eg, guarantees of inspection and access rights for supervisory authorities in the cloud service agreement, limiting of the physical location for critical information processing to Korea and prohibition of wireless network use for cloud systems processing critical information).

Regulations on Healthcare Sector Customers

For healthcare institutions, amendments to the Medical Service Act in August 2016 allow for off-site storage of electronic medical records. However, due to additional requirements related to these amendments, such as local server location requirements and (physical or logical) network separation requirements, it is difficult in practice for foreign cloud service providers without local data centres to provide cloud services to the healthcare sector.

In Korea, the processing of personal data collected online is generally governed by the Network Act. Additionally, the Personal Information Protection Act (PIPA) may apply in the absence of special provisions in the Network Act. When processing personal credit information, the Credit Information Act may also apply.

In principle, neither the Network Act nor PIPA restricts the use of cloud services. However, if any personal information is processed by a cloud service provider, the customer will be deemed to have delegated the processing of personal data to the cloud service provider, and therefore, the customer as a delegator and the cloud service provider as a delegate must comply with the Network Act and PIPA’s requirements for delegation of personal data processing, including:

  • users’ prior consent for delegation separate from the consent for the collection and use of personal data;
  • disclosure of certain items in the customer’s privacy policy for the delegation; and
  • execution of a delegation agreement between the customer and the cloud service provider.

Currently, there are no Korean laws that directly apply to blockchain technology. Therefore, the most relevant issue relates to how legal risks and liabilities under existing laws apply to new services using blockchain technology or blockchain businesses. However, since existing laws were not established with blockchain technology in mind, it is unclear how Korean laws will apply to the blockchain industry, and the legal risks and liabilities that relate to blockchain technology in Korea remain uncertain.

As blockchain is a new business area to which no particular law expressly or directly applies, the government’s position on issues in this industry weighs more heavily compared with other business areas. However, the Korean government holds different positions on blockchain technology and on cryptocurrency.

The Korean government has emphasised its favourable view on the introduction of services utilising blockchain technology on numerous occasions, specifically highlighting the innovative nature of blockchain technology in many different industries. The Korean government has also expressed its interest in fostering, promoting and investing in blockchain technology as part of its strategic and economic plans for Korea to be a leader in the fourth Industrial Revolution.

In contrast to this position on blockchain technology, the Korean government generally holds a negative view on cryptocurrency, especially initial coin offerings (ICOs), despite industry views suggesting that blockchain technology and cryptocurrency are inseparable, particularly in public blockchains. The Korean government and relevant agencies have also been known to oppose new businesses that relate to cryptocurrency.

Currently, there are no Korean laws that expressly regulate cryptocurrency, nor are there any clear court decisions on the application of current regulations to cryptocurrency. Nevertheless, the Korean government has expressed its opinion that ICOs are prohibited in Korea despite the absence of any legal basis therefor. For instance, on 4 September 2017, the FSC issued a press release banning ICOs that violate the Financial Investment Services and Capital Markets Act, the main securities law in Korea. The financial regulators’ initial position was to penalise ICOs where tokens were offered in the form of a securities issuance (ie, where the token is classified as a security). Thereafter, on 29 September 2017, the financial regulators announced through another press release that any type of ICO, including those in the form of securities, would be prohibited.

Therefore, for blockchain business models, particularly those that are related to cryptocurrency, it would be advisable to conduct careful legal analysis on the risks and liabilities and continue to monitor the position of the government and relevant agencies on these issues. Furthermore, risks and liabilities under current laws may still apply to the blockchain business not related to cryptocurrency. Thus, thorough review on whether the blockchain business violates existing laws would be necessary.

In Korea, there have not been any intellectual property-related regulations that were newly enacted to directly address or otherwise apply to blockchain technology.

To launch a new service in Korea using blockchain technology, it is necessary to check whether there are any pending or published patents for blockchain technology that apply to the new service. The main technological theories and principles for blockchain technology have already been made public through academic articles and publications. Therefore, because basic blockchain principle itself does not satisfy the novelty requirement or the inventive steps requirement, it cannot be protected as a patent. However, as of 3 January 2019, there were 33,373 published and registered patents that relate to specific blockchain technology and services. Given this number of relevant patents, it will be necessary to review whether the blockchain technology used in a newly launched service will infringe on any published or registered patents. Forgoing this process may lead to civil action (eg, suspension of the service and claim for compensation based on the profits obtained from the operation of the service), or criminal action (eg, imprisonment of up to seven years or criminal fine of up to KRW100 million for patent infringement). If the aforementioned issues are raised, such claims can be disputed by proving that the blockchain technology that applies to the new service does not infringe on the existing patent, or by proving that the existing patent should be invalidated because it does not satisfy the novelty and inventive steps requirements.

The next issue to consider is whether the relevant technology should be registered as a patent or protected as a trade secret. To protect the technology through patent registration, it is necessary to prove that the relevant technology meets the novelty and inventive step requirements as a patent (as mentioned above). In addition, one can consider registering a patent for the service using the blockchain technology (and not the blockchain technology itself) and establishing an intellectual property right through that channel. On the other hand, when protecting the technology as a trade secret, it will be necessary to take actions to protect the trade secret such as collecting a confidentiality agreement from employees to prevent the leakage of trade secrets and building a system to continually monitor such leakage so that immediate action can be taken in response to a breach.

Korea has various data privacy laws that will apply to blockchain technology:

  • the Personal Information Protection Act that generally governs personal information issues;
  • the Act on Promotion of Information and Communications Network Utilisation and Information Protection that governs personal information processed in online services; and
  • the Credit Information Use and Protection Act that governs personal credit information related to financial transactions and an individual’s credit information.

Whether encrypted data recorded on blockchain would constitute 'personal information' and whether each node on public blockchains would be deemed as personal information processor are still up to debate as there is no clear statue or established interpretation on such issues. For Korean privacy law to be applicable on any given case, however, the relevant encrypted data must be considered personal information and the applicable personal information processor must be identifiable. Therefore, these three laws may be applied individually or collectively depending on what kind of information is stored in the blockchain and how the blockchain service is provided.

Where Korean privacy law is applicable, the laws relating to personal information all provide specific regulations for each step of the processing of such information, generally comprised of:

  • (i) collection and use of personal information;
  • (ii) provision of personal information;
  • (iii) delegation of processing of personal information; and
  • (iv) destruction of personal information.

For steps (i) through (iii), key regulations involve an obligation to obtain consent from the information subject. For step (iv), the main regulations involve an obligation to destroy the concerned personal information after the expiration of the consent period. Considering the features of blockchain technology, the key issues in introducing blockchain as related to these laws may be step (ii), which includes an obligation to obtain consent from the principal of personal information for provision of personal information, and step (iv), which includes an obligation to destroy personal information when the concerned individual cancels his or her membership for the service.

Under Korean privacy laws, when a service provider provides a third party with personal information obtained from a principal, it should obtain consent from the information subject by disclosing the recipient of the personal information and the purpose thereof. However, when information is recorded in a blockchain, it is shared with all nodes that exist in the blockchain network and also new nodes that will participate in the network in the future. In other words, information that is recorded in the blockchain network is provided not only to the blockchain network operator, but also to any individual who is participating or will participate in the network. Because the applicable law requires a service provider to obtain consent from the information subject by disclosing the recipient of the personal information, in theory, consent would need to be obtained only after disclosing all owners of nodes that exist in the blockchain network, and all owners who will participate in the blockchain network.  Therefore, when introducing public blockchains to services that fall under the scope of personal information laws, it is important to review in advance relevant personal information issues as described above and organise the services in a way that does not violate such related laws.

In addition, there is also an issue related to the destruction of personal information. Under personal information laws, personal information of those individuals who have cancelled their membership should be destroyed after a certain given period. However, in blockchain technology, information that is already recorded cannot generally be deleted from the blockchain network, making it difficult to destroy the personal information of those who have withdrawn their membership. That being said, because current personal information laws did not contemplate the difficulties in destroying personal information in the case of blockchain technology when they were legislated, an obligation to destroy personal information under personal information-related laws could be flexibly interpreted. Therefore, it is important to organise the services in a way that does not violate regulations on personal information to the extent possible and explore practically feasible ways to avoid violations of regulations on personal information by consulting with relevant authorities.

In Korea, the legal discussion on new technologies such as big data, machine learning and artificial intelligence is mostly focused on the application of the personal data regulations with respect to big data and the subject of legal liability with respect to artificial intelligence and machine learning.

Big data is currently used in various aspects of FinTech (eg, product development, prevention of misconduct, marketing and credit rating), and as such, financial companies have been increasingly using customer data for analysis and processing as big data, subjecting themselves to the regulations under the Credit Information Use and Protection Act (the 'Credit Information Act'), the Personal Information Protection Act (the PIPA), the Electronic Financial Transactions Act (the EFTA), Regulation on Business Delegation of Financial Institutions, and Regulation on Outsourcing of Data Processing of Financial Companies, among others.

Given the volume, big data is more likely to include personal information, especially as it can be combined with other data in the process of drawing out useful data for marketing or other purposes through big data analysis and application, in which case PIPA and/or the Credit Information Act are applicable. As such, the service provider should be careful to not use or transfer any personal information for purposes different from what the data subjects initially consented to, and in the case it does, the service provider must obtain separate consent from the data subject. In addition, the EFTA may be applicable in case processing and/or analysis of big data involve data transmitted through electronic means.

Given the above regulations, there have been concerns that the regulations were substantially constraining the application and use of big data. To address these concerns, the government ministries jointly announced the 'De-identification Guidelines' on 30 June 2016, which detail 'de-identification measures' required to enable safe utilisation of big data within the legal frame of the current laws and regulations of personal data protection. Under the De-identification Guidelines, data processed with de-identification measures will not be viewed as personal information, and thus, service providers may use such data for business purposes without obtaining consent from the data subject. However, service providers must take certain administrative and technical protective measures, and certain restrictions will still apply to the use of de-identified data (eg, if the de-identified data is re-identified during its use, service providers must immediately cease any processing of such data and destroy it).

Even after the De-identification Guidelines were announced, there were concerns that the above measures would not substantially help the service providers. In response, the Korean government and the National Assembly are currently making efforts to promote legislations where:

  • the concept of 'data under fictitious name' and 'anonymous data' are introduced in PIPA;
  • utilisation of 'data under fictitious name' for purposes of statistics, scientific research and public interest is permitted; and
  • 'anonymous data' is excluded from the applicable scope of PIPA.

Artificial intelligence (AI) and machine learning are also widely used in the industries and most of the legal issues revolve around who should be held liable. While the discussions are mostly on how to interpret and apply the relevant laws and regulations to devices operated by AI and machine learning, the basis of such uncertainty stems from the issue of whether it is reasonable and justifiable to hold a certain individual responsible for machines operated by AI and machine learning.

Taking self-driving vehicles as an example, the Guarantee of Automobile Accident Compensation Act states that the operator of a motor vehicle is liable for damages caused by any operation of the vehicle and shall be obligated to subscribe to liability insurance, while the Motor Vehicle Management Act defines 'self-driving vehicles' as “a motor vehicle that can self-operate without any operation by its driver or passengers” and views the 'operator' as having control and interest of operation of a vehicle. Under the foregoing regulations, it is unclear who should be viewed as having control and interest of the self-driving vehicle, and there are even discussions on whether the manufacturer should be viewed as the 'operator'. There are similar discussions with respect to self-driving vehicles on the Project Liability Act and the Act on Special Cases Concerning the Settlement of Traffic Accidents.

See 3.2 Machine Learning, above.

The Internet of things (IoT) refers to the technology or environment in which sensors are attached to objects to exchange data on the Internet in real time (ie, various data must be first generated and collected through sensors). Since IoT services are mainly used in areas closely related to the daily lives of individuals such as household appliances, information collected for IoT services is highly likely to include personal information, and the collection and use of such information may be subject to the data protection regulations under the Personal Information Protection Act (PIPA). IoT services also involve applying wireless communication technologies (eg, Bluetooth, near field communication, and network for communications between objects), which means the Telecommunications Business Act (the TBA) may apply in connection to the regulation of communication licences and the Radio Waves Act (the RWA) may apply in connection to the use of radio waves.

Data Protection Regulations

Under PIPA, individual service providers collecting or using personal information of users with IoT devices as intermediaries must obtain prior consent from users and notify them of the purpose of each collected or used personal information, and the retention period.

There may also be potential security issues due to the incomplete security technologies for IoT. Thus, it would be prudent for IoT service providers to take technical and administrative measures to protect the personal information collected through IoT devices, which may include access/authority control, data encryption and a destruction policy.

Nevertheless, concerns remain that strict data protection regulations may undermine the revitalisation efforts of the industry and interests of users. To mitigate such point, there have been discussions to formulate data protection regulations befitting the IoT industry and, accordingly, more regulatory changes may come in the future.

Wireless Communication Regulations

The TBA classifies telecommunications businesses into different categories of telecommunications businesses, which are each subject to approval by (common telecommunications business), registration with (special-category telecommunications business), or report (value-added telecommunications business) to the Minister of Science and ICT, depending on the type of business. Accordingly, an IoT service provider may engage in any one of the business types regulated by the TBA and will need to obtain the appropriate licence. Note that a recent amendment to the TBA will come into effect on 12 June 2019, which would streamline and simplify such regulatory requirements, and IoT service providers in general are likely to benefit from more relaxed regulations.

The RWA allocates usable frequency ranges based on the use of frequency. The frequency ranges currently allocated for IoT and used by IoT service providers are 317.9875-318.1375 MHz, 319.1375-320.9875 MHz, 322-328.6 MHz, 898-900 MHz, 924.05625-924.45625 MHz and 938-940 MHz. Nevertheless, the Ministry of Science and ICT recently announced its 'Third Radio Waves Promotion Plan (2019-2023)', which plans to promote hyper-connected wireless infrastructure that may be used in 5G mobile telecommunications, IoT, etc. It is expected that the supply for IoT frequency is likely to increase further with the growth of the IoT industry.

As a general rule, IT service agreements, like other forms of commercial contracts, are regulated by the Monopoly Regulations and Fair Trade Act (the MRFTA). The Korea Fair Trade Commission (the KFTC), which is the competition authority that enforces the MRFTA, has been actively investigating and imposing administrative fines on foreign IT companies for non-compliance with the MRFTA, and, therefore, it is important to note some of the regulations which could be applied to IT service agreements with a Korean entity. The following is a general summary of notable regulations under the MRFTA:

  • Abuse of Superior Bargaining Position: A business having a superior bargaining position is prohibited from unfairly abusing its power over the counter-party to exploit economic gains. The KFTC Guideline on Review of Unfair Trade Practice Criteria further specifies the types of abuse of superior bargaining position as:
    1. coercion to purchase;
    2. demanding economic benefit;
    3. coercion to meet sales targets;
    4. conferral of disadvantages; and
    5. business interference.

It is important to note that the terms in the IT service agreements can constitute a violation of the abuse of superior bargaining position.

  • Unfair Customer Solicitation: A business is prohibited from soliciting the competitor’s customers by, among others, offering unfair benefits (eg, sweepstakes or discounts) or using fraudulent means (eg, false advertisement).
  • Discriminatory Treatment: A business is prohibited from unfairly discriminating against a counterparty through, among others, differentiated pricing or trading terms.
  • Resale Price Maintenance: A business entity is restricted from setting resale price for distributors or retailers and compelling compliance with the fixed resale price.

Furthermore, under Korean law, a boilerplate contract prepared in advance to govern the relationship between a company and multiple counterparties is viewed as a 'standardised contract' regulated under the Standardised Contract Regulations Act (the SCRA), which strictly restricts provisions that are unfavourable to customers (eg, provisions that are found unfair and violate the principle of good faith, or unreasonable or unfair to customers). Provisions that violate the SCRA can be deemed null and void by the courts, and the KFTC may issue a corrective recommendation or order to delete or revise such provisions.

Other than the general regulations on contracts, the following regulations could also be taken into consideration in executing IT service agreements:

  • For collection and use of personal information, the Act on Promotion of Information and Telecommunications Network Utilisation and Information Protection (the 'Network Act') and the Personal Information Protection Act stipulate certain requirements and procedures for obtaining users’ consent, including in the case of transferring the users’ personal information to a third party. Therefore, a business entity should obtain separate consent from users in order to collect their personal information from a transactional party.
  • In relation to the restrictions on data storage location, a recent amendment proposal to the Network Act requires telecommunications service providers with a certain number of daily users on average to have local servers in Korea to guarantee users’ stable use of the relevant telecommunications service. The proposal is currently pending at the National Assembly.

Domestic regulations for data protection in the private sector can be classified into the following four categories by their functions:

  • laws for the safe use of data in response to cyber threats;
  • laws to prevent societal harm from infringement of information and telecommunications network and data theft, forgery or alteration;
  • laws on technical development for establishing an environment of data protection and promotion of the relevant industry; and
  • laws for personal data protection.

Note that 'personal information' is not only subject to and protected by laws regarding general data protection but also laws specific for the protection of personal information.

The main regulation related to data security is the Act on Promotion of Information and Telecommunications Network Utilisation and Information Protection (the 'Network Act') which is applied to online service providers (OSPs). The Network Act aims to provide an environment in which users can safely utilise information and the telecommunications network. Some of the common legal obligations borne by OSPs under the Network Act are as follows:

  • OSPs must take protective measures to secure the stability of information and telecommunications network and credibility of the data. When OSPs intend to provide information and telecommunications network service, they must consider matters related to data protection in its service plan or design.
  • If an OSP satisfies certain thresholds related to annual revenue or average daily users, the relevant OSP must designate a chief information security officer, whose designation must be reported to the Minister of Science and ICT.
  • OSPs satisfying the aforementioned thresholds or providing certain services such as cloud service must establish and operate a comprehensive data protection management system that includes managerial/technical/physical protective measures, and obtain a licence from the Ministry of Science and ICT (MSIT).

In addition, more stringent regulations are applied to sectors where there is heightened importance on data protection (eg, finance or healthcare).

Privacy-related Regulations

The Network Act governs the collection, use and transfer of personal information of online service users conducted by OSPs. For issues not addressed by the Network Act, the Personal Information Protection Act (the PIPA), which generally governs processing of personal information, will apply.

The term 'personal information' is defined under the Network Act as information pertaining to a living individual that contains information identifying such person such as name, address or similar in a form of an image (including information that does not, by itself, make it possible to identify a specific person, but that enables the identification of such person when easily combined with other information).

Principles Relating to the Protection of Personal Information

Key regulation on personal information under the Network Act can be summarised as disclosure/consent requirements and other mandatory measures. Failure to perform these legal obligations may result in both administrative and criminal penalties.

Disclosure/consent requirements

OSPs that process personal information must notify certain matters to users and obtain express consent prior to the collection, use, delegation and transfer of their personal information. PIPA defines 'process' as “collect, create, link, interlock, record, store, retain, refine, edit, search, print, correct, restore, use, provide, disclose, destroy and other similar act”. Both the Network Act and PIPA have strict rules that require separate consent from or disclosure to the data subject for each of the collection, third-party provision and delegation of personal information processing.

If any transfer is made to an overseas entity, the OSP must disclose, before obtaining the user’s consent, some specific matters including destination country, date/time/method of transmission and the name/contact information of the third party.

Other mandatory measures

With respect to processing of personal information, OSPs are also required to:

  • disclose the details of personal information processing in the privacy policy;
  • designate a chief privacy officer responsible for protection of personal information;
  • take technical and administrative measures for the safe management of personal information;
  • destroy personal information upon the expiration of the retention period or the personal information no longer being necessary (ie, achieved purpose for collection/use);
  • notify the users and report any data leakages to the government; and
  • (only for foreign OSPs satisfying certain thresholds) appoint an agent for submission of information following the government’s request for information or investigation in Korea.

Under the Korean Constitution, individuals (including employees) have a general right to privacy. However, such right may be waived by consent of the relevant individual. Therefore, in order to monitor/limit any employee’s use of computer resources, the consent of the relevant employee under the Personal Information Protection Act (PIPA) and/or the Act on Promotion of Information and Telecommunications Network Utilisation and Information Protection ('Network Act').

Under the Enforcement Decree of PIPA, consent can be obtained through letter, phone call, website, e-mail or using a method equivalent to any of the methods described above. Korea is an opt-in jurisdiction and, therefore, the employer must obtain explicit consent from the employees. There is no required minimum retention period of the consent; however, evidentiary support of the consent should be kept for the duration of the retention period.

In connection with the monitoring activity itself, the employer needs to notify the employee of such activity. Although neither PIPA nor the Network Act specify what information needs to be provided to the employee, it is generally understood that the employer must notify at least the purpose, persons subject to the monitoring, criteria, specific acts and subject to consent. To the extent personal information is collected in the process of monitoring, the employer must obtain the consent of the employee after notifying the employee of:

  • the purpose of collection/use;
  • the type of personal information;
  • the retention period; and
  • his or her right to refuse and any disadvantages resulting from any refusal as required under PIPA and Network Act.

If there is any change to the underlying information that is the subject of notification (eg, an additional purpose for the collection and use is added), the employer should notify such change and obtain consent again.

Furthermore, the Act on Promotion of Employee Participation and Co-operation requires any 'installation of monitoring equipment' to be discussed with the joint labour-management committee (although there are no restrictions on the procedures or timing).

Monitoring of any premises, property or resources of employer is not prohibited or restricted as long as the relevant legal requirements in relation to the privacy of employees are satisfied. Wiretapping (including intercepting e-mails, etc, during transmission) is also prohibited under the Communication Privacy Protection Act unless there is a warrant issued by the court. These restrictions also apply to communications that employees may send through Internet sites. However, it is questionable whether such requirement can be satisfied by obtaining consent from one party to such communication (eg, employee).

Classification of Telecommunication Service

The main law regulating the telecommunications and service industry in Korea is the Telecommunications Business Act (TBA). The TBA defines 'telecommunications service' as a “service to advocate a third party’s communications through telecommunications equipment and facilities or a service that provides telecommunications equipment and facilities for a third party’s communications”, and 'key service' as telecommunication service that sends or receives electronic signals of voice, data and video, etc, without changing the content and forms. The TBA classifies telecommunications service into the following three categories and applies different regulations for each:

  • Facilities-based telecommunications service: Business installing telecom circuit facilities and providing key services (including telephony, LTE, 2G/3G, circuit lease, data transmission, Internet access, VoIP connected to PSTN) through such facilities.
  • Specific telecommunications service: Business providing key services through telecommunications line facilities (ie, networks) of licensed FSPs such as mobile virtual network operators (MVNOs), or telecommunications services within a particular premise (including several premises within one area) by installing or using telecommunications line facilities within such premises.
  • Value-added telecommunications service: Business providing telecommunication service other than key services.

Various telecommunications services are interpreted as constituting value-added telecommunication service due to the broad definition of the term. Central Radio Management Service, an authority in charge of various telecommunications services provider reports, also takes the position that various services such as PC communications, e-mail, search, game, shopping, Internet portal, online shopping mall, SNS and other exchange of electronic documents, data search, data processing, credit card inquiry, data service for video-on-demand (VOD) and others are all included in the types of value-added services.

Telecommunication service providers providing the three types of services as stated above are respectively called facilities-based service providers (FSPs), specific service providers (SSPs) and value-added service providers (VSPs). The following offers a brief summary based on the details of the method of service and delivery is as described in the table below.

  • Use of owned telecom circuit facilities: 'key service' – FSPs; 'value-added telecommunications service' – FSPs are entitled to engage without additional VSP licence.
  • Use of telecom circuit facilities owned by other carriers (ie, FSPs): 'key service' – SSPs; 'value-added telecommunications service' – VSPs.

Licensing Requirements

The TBA prescribes licensing requirements together with general user protection obligations, and any person or entity that intends to engage in a telecommunication business is required to comply with one or more of the following requirements (depending on the type of business):

  • FSP: To be an FSP, one must obtain an FSP licence from the Ministry of Science and ICT (MSIT), whereby factors including capacity to provide the service, financial/technical capacity, and quality of user protection plan are reviewed by the MSIT. Note that there is a 49% maximum foreign ownership ceiling applicable to FSPs (although Free Trade Agreements that Korea has executed may afford exceptions) and any M&A transaction involving an FSP is subject to approval by MSIT.
  • SSP: To be an SSP, one must satisfy paid-in capital requirements defined by the Enforcement Decree of the TBA, as well as a defined technical capacity, and must also prepare a user protection plan, among others, to register with MSIT.
  • VSP: To be a VSP, one must file and register with the MSIT. A business entity with paid-in capital of KRW100 million or less is exempt from this requirement, except certain 'Special Types of VSPs' (eg, P2P and web hard-drive businesses) must fulfil certain requirements (such as technical measures, human resources, physical facilities) and register with MSIT.

Changes to Classification and Regulation of Telecommunication Service Providers

The classification system of telecommunication service providers and the relevant licence/permit system are expected to undergo changes following the enforcement of the amendment to the TBA on 25 June 2019, when the classification of SSP will no longer exist and the requirements for FSPs will be relaxed. Furthermore, the ceiling on foreign shareholding applied to FSPs and restrictions applied to M&A activities thereby will be relaxed and amended so that only FSPs above a certain standard will be subject to such restrictions (but specific details will be determined by the Enforcement Decree to be enacted in the future).

In consideration of the public interest of broadcasting, the Broadcasting Act of Korea (the 'Broadcasting Act') categorises the broadcasting business into the following four categories and applies different regulation and licences for each:

  • terrestrial broadcasting business;
  • CATV broadcasting business;
  • satellite broadcasting business; and
  • programme providing business.

To engage in the foregoing businesses, a service provider is required to obtain applicable licences from the Minister of Science and ICT or the Korea Communications Commission (the KCC), as well as comply with various regulations under the Broadcasting Act on merger, spin-off, change in largest shareholder and separate shareholding ceiling on the major shareholders. The Broadcasting Act also prohibits certain acts that may harm and undermine fair competition between service providers or interest of viewers, and any violation may lead to, among others, corrective orders and administrative fines. In particular, advertising is strictly regulated given the impact of broadcasting as opposed to other types of media (eg, the Broadcasting Act categorises the types of advertisement and regulates the scope, time, frequency or method therefore).

In general, the Broadcasting Act has a complex regulatory system involving different ministries and approval requirements for each relevant service provider. As such, service providers should take care of the applicable regulations when commencing broadcasting business in Korea or acquiring Korean broadcasting service providers.

Unlike broadcasting where the service types are categorised, the Broadcasting Act does not provide a specific definition for over-the-top (OTT) services (ie, broadcasting services over the open Internet that commence based on online value-added telecommunications services, such as YouTube channels and Netflix). Therefore, the regulations under the Broadcasting Act are not applicable to OTT services.

However, an amendment to the Broadcasting Act was proposed in August 2018, which provides a definition of OTT service providers and classifies them as 'value-added paid broadcasting service providers', granting them broadcasting service provider status. Under the proposed amendment, value-added paid broadcasting service providers must obtain approval from the Minister of Science and ICT, and shall be subject to certain reporting obligations, the deliberation regulation of the Korea Communications Standards Commission, the evaluation of competition status of the communications market and other prohibitions applicable to broadcasting service providers under the Broadcasting Act.

In addition to the above proposal, another amendment to the Internet Multimedia Broadcast Services Act has been proposed, which defines and classifies OTT service providers as 'Internet multimedia broadcast content providers' and imposes certain registration and reporting duties.

At the moment, given the two proposed amendments, it is difficult to predict how OTT will be regulated or the extent of regulation (eg, whether the regulation will be limited to live streaming services or include VOD services). It is likely such legislations were proposed as an effort to close the regulatory gap and impose certain level of regulation on domestic service providers or user interest providers. As such, regulations on OTT services are expected to be strengthened further in the future.

Article 28(1) of the Act on Promotion of Information and Telecommunications Network Utilisation and Information Protection (the 'Network Act') provides that a telecommunications service provider and the entity that is provided with personal information from a telecommunications service provider must take technical and administrative protective measures (eg, encryption of data) to safely store and transfer personal information. 

The Korea Communications Commission (KCC) issued a specified guideline on the use of encryption technology in the Guidelines for Technical and Administrative Measures for the Protection of Personal Information (the 'Guideline'), which sets out the standard for encryption of personal information. Among the specific obligations set forth therein are as follows:

  • passwords should be stored in one-way encrypted format to avoid decryption;
  • telecommunications service providers should encrypt and store certain information through a safe encryption algorithm (eg, ID, passport, driver’s licence, foreign national registration, credit card, account numbers and biometric information); and
  • telecommunications service providers should encrypt users’ personal information and verification information through measures including installation of a secure server when sending and receiving such information through telecommunications network. The secure server should have the function to either:
    1. encrypt the transmitting information by installation of Secure SocketLayer certificate in web servers; or
    2. encrypt transmitting information by installing encryption application program in web servers.

The KCC’s Manual on the Guideline published in December 2017 (the 'Manual') further stipulates the encryption standard stated in the Network Act and the Presidential Decree thereof as follows:

  • 'One-way encrypted format' refers to storage as a result of hash function of password input by user and recommended safe encryption algorithm by the relevant research institute should be utilised in the encryption procedure in the case of password encryption.
  • Additional measures such as salting should be adopted in order to counter password decryption attempting malware such as Brute Force, Rainbow Table attack, etc.
  • In case of the encryption of ID, passport, foreign national registration, account numbers and biological information, the recommended encryption algorithm should be utilised in the encryption and storage process.
  • Telecommunications service providers when storing users’ personal information in the company PC, mobile device and ancillary storage unit should utilise encryption software with safe encryption algorithm and lay out specific encryption functions and software to be used for each case of storage.

Given the rapid pace in which encryption and technology in general are developing, it is possible that the Korean regulations will evolve as well, so it would be advisable for companies to seek updated guidance going forward.

Kim & Chang

39, Sajik-ro 8-gil
Seoul 03170

+82 2-3703-1114

+82 2-737-9091/9092
Author Business Card

Law and Practice


Kim & Chang has a TMT practice recognised as leading the sector in South Korea. The firm represents leading technology, telecommunications, internet and media companies, both Korean and multinational, and its practice consists of more than 100 members including attorneys, advisers, other professionals and support staff possessing expertise and experience in TMT. Prior to joining Kim & Chang, many of its members gained valuable skills and knowledge working in a variety of capacities, including high-ranking official positions in the government and senior executive positions for companies in the telecommunications sector. The practice members often serve as advisers to legislators, regulators and policy-makers, enabling the firm to keep pace with the rapid developments and constant changes that are characteristic of the TMT sector. The practice regularly provides alerts and updates to bring breaking developments to clients and other interested colleagues in areas of interest to them.

Compare law and practice by selecting locations and topic(s)


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.