KOREA
Since 2010
Pillar Technical standards applied to ICT goods and online services
Sub-pillar Self-certification for product safety
Radio Wave Act (전파법)
The Ministry of Science, ICT & Future Planning (MSIP) is an authority that conducts EMC and wireless communication certification. KC certification is issued by Korea’s National Radio Research Agency (RRA) and requires testing at an RRA-approved laboratory. There are three mandatory certification mechanisms for imported broadcasting and communications equipment to test the safety of radio waves (Art. 58-2):
- Certain equipment must receive a certification of conformity from the Ministry of Science, ICT and Future Planning after undergoing a test by a designated third-party laboratory. Such equipment includes wireless telephone alarm automatic receiver, radar equipment for ships, telephone, and modem;
- Equipment that is not subject to this certification may be imported only with a confirmation of compatibility, obtained after a test either by a designated third-party testing body or through self-testing. Equipment in this category includes computing devices and peripherals, broadcasting set-top boxes, measuring instruments, industrial devices, and connectors;
- Equipment that is not subject to either of these schemes must have interim conformity after passing a test showing conformity with domestic or international standards. Equipment that is newly developed but whose conformity assessment criteria have yet to be developed falls in this category.
Korea has entered into a mutual recognition arrangement with the United States, Canada, EU, Vietnam, and Chile. However, except for Canada, the import of broadcasting and communications equipment from other countries must still receive certification of conformity from the South Korean government, even if a conformity test has been conducted in the exporting countries.
Coverage Broadcasting and communications equipment
Sources
- https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EC%A0%84%ED%8C%8C%EB%B2%95
- https://web.archive.org/web/20230402112620/https://rra.go.kr/ko/license/A_f_mra.do
- https://web.archive.org/web/20211026022816/https://elaw.klri.re.kr/eng_mobile/ganadaDetail.do?hseq=38783&type=abc&key=RADIO%20WAVES%20ACT&param=R
- https://web.archive.org/web/20230327034351/https://rra.go.kr/en/cas/intro.do
KOREA
Since June 1961, last amended in October 2021
Since March 2001, as amended in May 2010, last amended in July 2022
Pillar Technical standards applied to ICT goods and online services
Sub-pillar Product screening and additional testing requirements
National Intelligence Service Korea Act (국가정보원법)
Electronic Government Act (전자정부법)
Pursuant to Art. 4 of the National Intelligence Service Korea Act and Art. 56 of the Electronic Government Act, the National Intelligence Service (NIS) imposes security verification requirements on network equipment and cyber-security software in government procurement. Generally, the requirement may be satisfied by showing that the products are certified at a Common Criteria Recognition Arrangement (CCRA) accredited lab outside of Korea. However, certain network equipment must undergo an additional security verification process. Furthermore, the Common Criteria (CC) certification may not be sufficient for two reasons. First, NIS may substitute the CC certification with other certification mechanisms that were internally developed (e.g., GS Certification). Second, NIS may reject a CC certification when it deems that the certification does not cover particular functions of the product that the government entity needs.
Coverage Network equipment and cyber-security software
Sources
- https://www.nis.go.kr:4016/AF/1_7_2_1.do
- https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EA%B5%AD%EA%B0%80%EC%A0%95%EB%B3%B4%EC%9B%90%EB%B2%95/(17646,20201215)
- https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EC%A0%84%EC%9E%90%EC%A0%95%EB%B6%80%EB%B2%95
- https://elaw.klri.re.kr/eng_mobile/viewer.do?hseq=33396&type=part&key=4
- https://elaw.klri.re.kr/eng_mobile/viewer.do?hseq=45844&type=part&key=4
- https://ustr.gov/sites/default/files/2020_National_Trade_Estimate_Report.pdf
KOREA
Since March 2001, as amended in May 2010, last amended in July 2022
Since August 2017
Pillar Technical standards applied to ICT goods and online services
Sub-pillar Restrictions on encryption standards
Electronic Government Act (전자정부법)
Encryption Modules Implementation Guideline (암호모듈 구현 지침)
If software systems or hardware equipment such as virtual private networks and firewall systems deal with non-confidential yet important information and are to be used in the government, they must pass verification for appropriate encryption modules under the auspices of the National Intelligence Service (NIS). The appropriate encryption standards are ones developed in Korea, such as ARIA, SEED, LEA, and HIGHT. Suppliers must submit the source code of their products to undergo the verification test. The same encryption standards also apply to certain network equipment such as VPN and SW USB series.
Coverage Software, network equipment, and other hardware equipment
KOREA
Since December 1984, as amended in April 2015, last amended in June 2022
Pillar Intermediary liability
Sub-pillar Monitoring requirement
Telecommunications Business Act (전기통신사업법)
The amendment of the Telecommunications Business Act by Act no. 12761 on 15 October 2014 included Art. 22-3. According to Art. 22-3, value-added telecommunication service providers, encompassing all online hosts of applications and content, must implement technical measures as outlined in the Presidential Decree to counteract the dissemination of explicit materials.
Coverage Internet hosting services
Sources
- https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EC%A0%84%EA%B8%B0%ED%86%B5%EC%8B%A0%EC%82%AC%EC%97%85%EB%B2%95
- https://elaw.klri.re.kr/eng_service/lawView.do?hseq=50189&lang=ENG
- https://web.archive.org/web/20241213213057/https://wilmap.stanford.edu/entries/telecommunications-business-act-last-amended-act-no-12761-october-15-2014-english-version
KOREA
Since January 2023
Pillar Cross-border data policies
Sub-pillar Infrastructure requirement
Cloud Security Assurance Program
In January 2023, the Korean Ministry of Science and Technology Information and Communication issued a notice of implementation and adopted an amendment to the Cloud Security Assurance Program (CSAP). Under the amendment, it is reported that, to obtain CSAP certification from the Korea Internet and Security Agency (KISA), a service provider’s cloud computing infrastructure, associated data, backup systems, as well as management and operational personnel, must all be located within Korea.
Coverage Cloud-computing sector
KOREA
Since June 2014
Pillar Cross-border data policies
Sub-pillar Conditional flow regime
Act on the Establishment, Management of Spatial Data (공간정보의 구축 및 관리 등에 관한 법률)
Art. 16 of the Act on the Establishment, Management of Spatial Data provides that geographical data related to maps or photos produced for the purpose of a survey cannot be transferred abroad except with the permission of the Minister of Land, Infrastructure and Transport. This provision has been in place since 2014.
Coverage Location-based services
Sources
- https://web.archive.org/web/20241127194621/https://faolex.fao.org/docs/pdf/kor167262.pdf
- https://web.archive.org/web/20241127194740/https://www.law.go.kr/LSW/lsInfoP.do?lsiSeq=228499&ancYd=20210112&ancNo=17893&efYd=20220113&nwJoYnInfo=N&efGubun=Y&chrClsCd=010202&ancYnChk=0#0000
- https://elaw.klri.re.kr/eng_service/lawView.do?hseq=32771&lang
KOREA
Since March 2011, last amended in March 2023
Pillar Cross-border data policies
Sub-pillar Conditional flow regime
Personal Information Protection Act No. 10465 (개인정보 보호법)
Art. 28-8 of the Personal Information Protection Act prohibits any transfer of personal information overseas by a personal information manager unless it is in any of the following cases: (i) where a separate consent for overseas transfer has been obtained from the data subject; (ii) where there exist special provisions in a statute, a treaty or other international conventions to which the Republic of Korea is a party; (iii) where it is necessary to delegate the processing of, or retain, personal information in order to execute and perform a contract with a data subject, and the matters to be informed to the data subject when obtaining his/her consent to overseas transfer have been informed to the data subject or have been disclosed in the personal information manager's privacy policy; (iv) where the recipient of personal information has obtained certification determined and publicly notified by the Personal Information Protection Commission (PIPC) and has implemented certain measures to protect personal information; or (v) where the PIPC has recognised that the country or the international organization to which the personal information is transferred has a personal information protection system, etc. that is substantially equal to the level of those under the Personal Information Protection Act. The personal information manager shall also take certain technical, managerial and physical protection measures.
Coverage Horizontal
KOREA
Since 2009, as amended in July 2020
Pillar Cross-border data policies
Sub-pillar Conditional flow regime
Credit Information Use and Protection Act (신용정보법)
According to Art. 32 of the Credit Information Act, the credit information provider/user should obtain the prior consent of the customer in writing or by other reliable means each time it provides to a third party or uses personal credit information (including any personally identifiable information) of a customer. When the credit information provider/user obtains consent to the provision (i.e. sharing) and utilisation of personal credit information, it should notify the customer of: the recipient of the information; the purpose of provision; the content of information; the duration of maintenance; and use by the recipient. Furthermore, a separate explanation to the customer is required with respect to the mandatory items of personal data that must be provided for the provision of the services and other optional items of personal data, and consent must be obtained. In such cases, as to the mandatory items, the credit information provider/user must explain their relevance to the service provision. Art. 32 requires the credit information provider/user to notify the customer that they may opt not to consent to the provision of any optional data that may be collected.
The Act established that financial institutions are required to obtain consent of individuals only if the use of personal information "conflict[s] with the original purpose of the collection." Thus, under this regime, a financial institution may "entrust" personal information to a third party but may not "supply" it. Supplying and entrusting are terms of art under the Act. "Supplying" means transferring personal information for the transferee's own purpose, whereas "entrusting" means transferring personal information to a third party to help carry out the purpose of the original data collection.
Coverage Financial services
Sources
- https://web.archive.org/web/20210505220910/https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EC%8B%A0%EC%9A%A9%EC%A0%95%EB%B3%B4%EC%9D%98%20%EC%9D%B4%EC%9A%A9%20%EB%B0%8F%20%EB%B3%B4%ED%98%B8%EC%97%90%20%EA%B...
- https://web.archive.org/web/20231129015750/https://elaw.klri.re.kr/eng_mobile/viewer.do?hseq=46276&type=part&key=23
- https://web.archive.org/web/20240629185411/https://www.lexology.com/library/detail.aspx?g=0b7bb83a-0b93-4f64-b3d0-552aedbf3c07
- https://www.dataguidance.com/notes/south-korea-data-transfers
KOREA
Since March 2015
Pillar Cross-border data policies
Sub-pillar Conditional flow regime
Act on the Development of Cloud Computing and Protection of Its Users (클라우드컴퓨팅 발전 및 이용자 보호에 관한 법률)
Per Art. 27 of the Act on the Development of Cloud Computing and Protection of Its Users, generally, "no cloud computing service provider shall provide any user information to a third party or use user information for any purpose other than for the purpose of providing services, without the relevant user's consent." This conditional flow regime has been in place since 2015.
Coverage Cloud computing services
Sources
- https://web.archive.org/web/20230329123156/https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%ED%81%B4%EB%9D%BC%EC%9A%B0%EB%93%9C%EC%BB%B4%ED%93%A8%ED%8C%85%20%EB%B0%9C%EC%A0%84%20%EB%B0%8F%20%EC%9D%B4%EC%9A%A...
- https://web.archive.org/web/20240527160513/https://elaw.klri.re.kr/eng_mobile/viewer.do?hseq=35630&type=part&key=43
KOREA
Since August 2005, entry into force in March 2006, as amended in January 2023
Since November 2022, entry into force in January 2023
Pillar Cross-border data policies
Sub-pillar Participation in trade agreements committing to open cross-border data flows
Free Trade Agreement between the Government of the Republic of Korea and the Government of the Republic of Singapore
Digital Partnership Agreement between the Government of the Republic of Korea and the Government of the Republic of Singapore
Korea has entered into an agreement entailing binding commitments to facilitate cross-border data transfers. Art. 14.14 of the Free Trade Agreement between the Government of the Republic of Korea and the Government of the Republic of Singapore, as amended by the Digital Partnership Agreement between the two governments, stipulates that neither party shall prohibit or restrict the transfer of information by electronic means, including personal data, where such transfers are necessary for the business operations of a covered person.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230726165828/https://www.fta.go.kr//webmodule/_PSD_FTA/ksdpa/1/DPA_eng.pdf
- https://web.archive.org/web/20241213123802/https://www.unilu.ch/fileadmin/fakultaeten/rf/burri/TAPED/TAPED_Burri_Vasquez_Kugler_November_2024.xlsx
- https://web.archive.org/web/20240522084207/https://www.fta.go.kr/webmodule/_PSD_FTA/sg/1/KSFTA.pdf
KOREA
Since March 2011, last amended in March 2023
Pillar Domestic data policies
Sub-pillar Framework for data protection
Personal Information Protection Act No. 10465 (개인정보 보호법)
The Personal Information Protection Act, which was enacted in 2011 and recently amended in 2020, provides a comprehensive framework for data protection in Korea.
Coverage Horizontal
KOREA
Since 1994
Pillar Domestic data policies
Sub-pillar Minimum period for data retention
Enforcement Decree of Protection of Communications Secrets Act (통신비밀보호법 시행령)
Per Art. 41 of the Enforcement Decree of Protection of Communications Secrets Act, telecoms or internet infrastructure operators should retain for 12 months the following:
- the date of the telecommunication, the commencement time and end time of the telecommunication, the communications number of outgoing and incoming calls, the frequency of use, and the location data for 12 months (six months in case of long-distance calls and local call services); and
- the log records of users and the location data for three months.
This requirement has been in place since the Act's enactment in 1994.
Coverage Telecommunications services
Sources
- https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%ED%86%B5%EC%8B%A0%EB%B9%84%EB%B0%80%EB%B3%B4%ED%98%B8%EB%B2%95%20%EC%8B%9C%ED%96%89%EB%A0%B9
- https://web.archive.org/web/20220305191230/https://elaw.klri.re.kr/eng_mobile/viewer.do?hseq=33283&type=part&key=43
- https://web.archive.org/web/20211024082047/https://iclg.com/practice-areas/telecoms-media-and-internet-laws-and-regulations/korea
KOREA
Since 2009, last amended in July 2020
Pillar Domestic data policies
Sub-pillar Minimum period for data retention
Credit Information Use and Protection Act (신용정보법)
Under Art. 20 of the Credit Information Use and Protection Act, credit information companies are required to maintain the following information for three years:
- the name and address of the customer and the entity whom the personal information was provided to or exchanged with,
- the details of the work scope requested by the customer and the data thereof, and
- the processing details of the requested work scope and the date and details of the credit information provided.
Furthermore, Art. 20-2 provides that all credit information be deleted by the date that is the earlier of five years from the termination of the financial transaction and three months from the date on which the purpose for collecting and providing personal information has been achieved.
Coverage Financial services
Sources
- https://www.law.go.kr/%EB%B2%95%EB%A0%B9/%EC%8B%A0%EC%9A%A9%EC%A0%95%EB%B3%B4%EC%9D%98%20%EC%9D%B4%EC%9A%A9%20%EB%B0%8F%20%EB%B3%B4%ED%98%B8%EC%97%90%20%EA%B4%80%ED%95%9C%20%EB%B2%95%EB%A5%A0
- https://web.archive.org/web/20231011202734/https://elaw.klri.re.kr/eng_mobile/viewer.do?hseq=46276&type=part&key=23
- https://web.archive.org/web/20230602054349/https://www.lexology.com/library/detail.aspx?g=f05a7920-2842-4ad7-a9e8-e5c864675dc5
KOREA
Since 2006
Pillar Domestic data policies
Sub-pillar Minimum period for data retention
Enforcement Decree of Electronic Financial Transactions Act (전자금융거래법 시행령)
The Enforcement Decree of the Electronic Financial Transactions Act provides under Art. 12 that a subsidiary electronic financial company, such as a payment gateway system that records and transmits electronic transaction information, must keep the records for at least three years. This affects not only payment gateway service providers but also electronic commerce firms that utilise the services. This retention period requirement has been in place since its enactment in 2006.
Coverage Payment gateway services
KOREA
Since March 2011, last amended in March 2023
Pillar Domestic data policies
Sub-pillar Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Personal Information Protection Act No. 10465 (개인정보 보호법)
Under the Personal Information Protection Act, data controllers must appoint a privacy officer who comprehensively takes charge of personal information processing (Art. 31). The requirement has been in place since its enactment in 2011.
Coverage Horizontal