According to Art. 9 of the Notice of Import Customs Clearance for Express Goods, as amended in 2016 to increase the value of the de minimis rule, the de minimis threshold, meaning the minimum value of goods below which customs do not charge duties, is USD 150, which is below the 200 USD threshold recommended by the International Chamber of Commerce (ICC). This threshold applies to goods for personal consumption and samples not exceeding USD 150, with an exception for trade with the U.S. and Puerto Rico, where the threshold is USD 200 as per the Korea-US FTA, allowing these goods to be exempt from taxes and duties collected by customs.

According to Art. 4 of the Domain Name Management Rules set forth by the Korea Internet & Security Agency (KISA), domain name registrants must have a postal address of their place of residence in Korea. In addition, it is reported that a Copy of Company registration in Korea with proof of company address in both English and Korean languages is required for registration and that a Korean-based administrative contact is mandatory.

A basic legal framework on intermediary liability beyond copyright infringement is absent in Korea's law and jurisprudence.

Art. 12-3 of the Game Industry Promotion Act stipulates that a business entity engaged in the provision of game products, limited to persons who make such products accessible to the public through an information and communications network, is required to verify the real names and ages of users and to conduct self‑authentication procedures when users register as members.

It is reported that Korea imposes an identity requirement for SIM registration. Anyone wanting to purchase a SIM card has to provide their national ID card or a passport in case of foreigners to activate a new prepaid SIM card.

The amendment of the Telecommunications Business Act by Act No. 12761 on 15 October 2014 included Art. 22-3. According to Art. 22-3, value-added telecommunication service providers, encompassing all online hosts of applications and content, must implement technical measures as outlined in the Presidential Decree to counteract the dissemination of explicit materials.

It is reported that, in February 2025, Korea’s data protection authority blocked downloads of the application developed by the Chinese artificial intelligence firm DeepSeek. The application is said to have become accessible again two months later, following changes to the company’s privacy practices. It is also reported that, in February 2025, multiple Korean ministries blocked access to DeepSeek within their own organisations due to security concerns.

Under Art. 13 of the Act on the Promotion of Newspapers, a person who is not a national of Korea shall not be qualified as a publisher or editor of an online newspaper or as a news article layout manager of an online news service. This requirement has been in place since 2009.

Per Art. 5 of the Location Information Use and Protection Act, any person who intends to engage in location information business shall obtain permission from the Korea Communications Commission. According to Art. 18 of the Act, even if permitted to do such business, location information providers or location-based service providers cannot collect location information of individuals without individuals' consent. It is reported that, although a supplier may export location information once acquiring a permit, Korea has never approved such a permit despite numerous applications by foreign suppliers over the past decade.

The licensing requirements for Internet multimedia broadcasting are prescribed in Arts. 4 and 18 of the Internet Multimedia Broadcasting Business Act. The term “Internet multimedia broadcasting” refers to a form of broadcasting that provides a variety of content, including data, images, voice, audio signals and electronic commerce services, as well as real-time broadcast programmes, to users through television receivers. This service is delivered by means of a bidirectional Internet protocol operating over a broadband integrated services digital network, which ensures consistency in the quality of service.

Art. 28-8 of the Personal Information Protection Act prohibits any transfer of personal information overseas by a personal information manager unless it is in any of the following cases: (i) where a separate consent for overseas transfer has been obtained from the data subject; (ii) where there exist special provisions in a statute, a treaty or other international conventions to which the Republic of Korea is a party; or (iii) where it is necessary to delegate the processing of, or retain, personal information in order to execute and perform a contract with a data subject, and the matters to be informed to the data subject when obtaining his/her consent to overseas transfer have been informed to the data subject or have been disclosed in the personal information manager privacy policy; (iv) where the recipient of personal information has obtained certification determined and publicly notified by the Personal Information Protection Commission (PIPC) and has implemented certain measures to protect personal information; or (v) where the PIPC has recognised that the country or the international organization to where the personal information is transferred has the personal information protection system, etc. that are substantially equal to the level of those under the Personal Information Protection Act. The personal information manager shall also take certain technical, managerial and physical protection measures.

Korea has undertaken binding commitments to facilitate cross-border data transfers. Art. 14.14 of the Free Trade Agreement between the Government of the Republic of Korea and the Government of the Republic of Singapore, as amended by the Digital Partnership Agreement of January 2023, establishes that neither party shall prohibit or restrict the transfer of information by electronic means, including personal data, where such transfers are necessary for the business operations of a covered person. In addition, in May 2024, Korea formally acceded to the Digital Economy Partnership Agreement (DEPA) between Singapore, Chile, and New Zealand, which includes a commitment to enable cross-border data flows under Art. 4.3(2).

The Personal Information Protection Act provides a comprehensive framework for data protection in Korea.

Per Art. 41 of the Enforcement Decree of Protection of Communications Secrets Act, telecoms or internet infrastructure operators should retain for 12 months the following:
- the date of the telecommunication, the commencement time and end time of the telecommunication, the communications number of outgoing and incoming calls, the frequency of use, and the location data for 12 months (six months in case of long-distance calls and local call services); and
- the log records of users and the location data for three months.
This requirement has been in place since the Act's enactment in 1994.

Under the Personal Information Protection Act, data controllers must appoint a privacy officer who comprehensively takes charge of personal information processing (Art. 31). The requirement has been in place since its enactment in 2011.