Database

Browse Database

KOREA

Reported in 2021

Pillar Intermediary liability  |  Sub-pillar User identity requirement
Mandatory SIM card registration
It is reported that Korea imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card, or a passport in case of foreigners, to activate a new prepaid SIM card.
Coverage Telecommunications sector

KOREA

Since January 1957, last amended in December 2022

Pillar Intermediary liability  |  Sub-pillar Safe harbor for intermediaries for copyright infringement
Copyright Act (저작권법)

Act on Promotion of Information and Communications Network Utilization and Information Protection etc (정보통신망 이용촉진 및 정보보호 등에 관한 법률)
Art. 122-2 of the Copyright Act lead to the establishment of the Korean Copyright Protection Agency (KCOPA) in 2016. According to Art. 133-3, in the event that KCOPA conducts an investigation into the information and communications network of an online service provider and detects the transmission of illegal reproductions, among others, the Protection Agency, upon deliberation of the Deliberation Committee, is empowered to apply the following corrective measures:
- Issue a warning to those who reproduce or transmit illegal copies, among others.
- Proceed with the suppression or suspension of the transmission of illegal copies, among others.
- Suspend the accounts of photocopiers and transmitters that continue to repeatedly transmit illegal copies, among others.
In addition, the agency is also empowered to file a request to block access to foreign websites that are infringing copyrights, based on Art. 44-7 of the Law on the Promotion of the Use of Information and Communications Networks and Information Protection.
Coverage Internet host services

KOREA

N/A

Pillar Intermediary liability  |  Sub-pillar Safe harbor for intermediaries for any activity other than copyright infringement
Lack of intermediary liability framework in place beyond copyright infringement
A basic legal framework on intermediary liability beyond copyright infringement is absent in Korea's law and jurisprudence.
Coverage Internet intermediaries

KOREA

Since January 1957, as amended in June 2006, last amended in December 2022

Pillar Intermediary liability  |  Sub-pillar Safe harbor for intermediaries for copyright infringement
Copyright Act (저작권법)
The Copyright Act establishes a safe harbour regime for intermediaries for copyright infringements since the amendment of the law in 2006. According to Art. 102 of the law, ISPs are not liable for copyright infringement as a result of being a mere conduit for caching, hosting, and searching information. Additionally, an Internet service provider will not be held liable for a user's infringing act of reproducing or transmitting a copyrighted work if it is technically impossible for the service providers to take measures as described in the listed requirements.
Coverage Internet and Internet host services

KOREA

Since 2011

Pillar Domestic Data policies  |  Sub-pillar Requirement to perform an impact assessment (DPIA) or have a data protection officer (DPO)
Personal Information Protection Act (개인정보보호법)
Under the Personal Information Protection Act, data controllers must appoint a privacy officer who comprehensively takes charge of personal information processing (Art. 31). The requirement has been in place since its enactment in 2011.
Coverage Horizontal

KOREA

Since 2006

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Enforcement Decree of Electronic Financial Transactions Act (전자금융거래법 시행령)
Enforcement Decree of Electronic Financial Transactions Act provides under Art. 12 that a subsidiary electronic financial company such as payment gateway system that records and transmit electronic transaction information must keep the records at least for three years. This affects not only payment gateway services providers but also electronic commerce firms that utilize the services. This retention period requirement has been in place since its enactment in 2006.
Coverage Payment gateway services

KOREA

Since 1994

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Enforcement Decree of Protection of Communications Secrets Act (통신비밀보호법 시행령)
Per Art. 41 of Enforcement Decree of Protection of Communications Secrets Act, telecoms or internet infrastructure operators should retain for 12 months the following:
- the date of the telecommunication, the commencement time and end time of the telecommunication, the communications number of outgoing and incoming calls, the frequency of use, and the location data for 12 months (six months in case of long-distance calls and local call services); and
- the log records of users and the location data for three months.
This requirement has been place since the Act's enactment in 1994.
Coverage Telecommunications services

KOREA

Since 2009

Pillar Domestic Data policies  |  Sub-pillar Minimum period for data retention
Credit Information Use and Protection Act (신용정보법)
Under Art. 20 of Credit Information Use and Protection Act, credit information companies are required to maintain the following information for three years:
- the name and address of the customer and the entity whom the personal information was provided to or exchanged with,
- the details of the work scope requested by the customer and the data thereof, and
- the processing details of the requested work scope and the date and details of the credit information provided.
Furthermore, Art. 20-2 provides that all credit information be deleted by the date that is the earlier of five years from the termination of the financial transaction and three months from the date on which the purpose for collecting and providing personal information has been achieved.
Coverage Financial services

KOREA

N/A

Pillar Cross-border data policies  |  Sub-pillar Participation in trade agreements committing to open cross-border data flows
Lack of participation in agreements with binding commitments on data flows
Korea has not joined any agreement with binding commitments to open transfers of data across borders.
Coverage Horizontal

KOREA

Since 2011, last amended in 2020

Pillar Domestic Data policies  |  Sub-pillar Framework for data protection
Personal Information Protection Act (개인정보보호법)
The Personal Information Protection Act, which was enacted in 2011 and recently amended in 2020, provides a comprehensive framework for data protection in Korea.
Coverage Horizontal

KOREA

Since March 2015

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Act on the Development of Cloud Computing and Protection of Its Users (클라우드컴퓨팅 발전 및 이용자 보호에 관한 법률)
Per Art. 27 of Act on the Development of Cloud Computing and Protection of Its Users, generally, "no cloud computing service provider shall provide any user information to a third party or use user information for any purpose other than for the purpose of providing services, without the relevant user's consent." This conditional flow regime has been in place since 2015.
Coverage Clouding services

KOREA

Since 2009, as amended in July 2020

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Credit Information Use and Protection Act (신용정보법)
According to Art. 32 of the Credit Information Act, the credit information provider/user should obtain prior consent of the customer in writing or by other reliable means each time it provides to a third party or uses personal credit information (including any personal identifiable information) of a customer. When the credit information provider/user obtains consent to the provision (i.e. sharing) and utilisation of personal credit information, it should notify the customer of: the recipient of the information; the purpose of provision; the content of information; the duration of maintenance; and use by the recipient. Furthermore, a separate explanation to the customer is required with respect to the mandatory items of personal data that must be provided for the provision of the services and other optional items of personal data, and consent obtained. In such cases, as to the mandatory items, the credit information provider/user must explain their relevance to the service provision. Art. 32 requires the credit information provider/user to notify the customer that they may opt not to consent to the provision of any optional data that may be collected.
The Act established that financial institutions are required to obtain consent of individuals only if the use of personal information "conflict[s] with the original purpose of the collection." Thus, under this regime, a financial institution may "entrust" personal information to a third party but may not "supply" it. Supplying and entrusting are terms of art under the Act. "Supplying" means transferring personal information for the transferee's own purpose whereas "entrusting" means transferring personal information to a third party to help carry out the purpose of the original data collection.
Coverage Financial services

KOREA

Since March 2011, as amended in February 2020

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Personal Information Protection Act 2011 ( 개인정보 보호법 )
According to Art. 17 of the Personal Information Protection Act, in order to transfer personal data to third parties abroad, a data handler must inform the data subjects of the name of the receiving party, the purpose of transfer, the items of personal information to be transferred, the use and retention period, and the right to refuse transfer, and obtain consent unless otherwise allowed by the law. In addition, under Art. 39-12, to transfer personal information overseas, a data handler, including an information and communication service provider, must notify its data subjects (and obtain consent unless otherwise allowed by the law) the items of the personal data to be transferred; the country to which the personal information is to be transferred; the date, time, and the methods of transfer; the name of the recipient (referring to the name of a legal entity and the contact information of the person responsible for the management of information if the person is a legal entity); and the purposes of use of the data by the transferee, and how long the data will be retained and used.
Art. 22 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc (the Network Act) used to govern a conditional flow regime from 2001, but was repealed in February 2020 upon the amendment of the Personal Information Protection Act.
Coverage Horizontal

KOREA

Since June 2014

Pillar Cross-border data policies  |  Sub-pillar Conditional flow regime
Act on the Establishment, Management of Spatial Data (공간정보의 구축 및 관리 등에 관한 법률)
Art. 16 of Act on the Establishment, Management of Spatial Data provides that geographical data related to maps or photos produced for the purpose of a survey cannot be transferred abroad except with the permission of the Minister of Land, Infrastructure and Transport. This provision has been in place since 2014.
Coverage Location-based services

KOREA

Reported in 2017, last reported in 2022

Pillar Cross-border data policies  |  Sub-pillar Infrastructure requirement
Electronic Financial Transactions Act (전자금융거래법)
Under the Electronic Financial Transactions Act, payment gateway services providers do not need to register with the Financial Service Commission. Yet, despite the apparent absence of the registration regime, it is reported that Korea maintains a facilities infrastructure requirement with respect to "payment gateway" services, preventing suppliers from leveraging investments in facilities outside Korea. A payment gateway is a "financial data processing system that deals with business affairs relating to the settlement of accounts and payments by transmitting electronic financial transaction information between a financial company and an electronic financial business entity" (Art. 2(6)).
Coverage Payment gateway services