This country-specific Q&A provides an overview to technology, media and telecom laws and regulations that may occur in South Korea.
This Q&A is part of the global guide to TMT. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/practice-areas/tmt-3rd-edition/
What is the regulatory regime for technology?
The Telecommunications Business Act (“TBA”) regulates various aspects of the telecommunications and information services that are provided over a telecommunications network.
The Radio Waves Act regulates, among others, the use and management of radio spectrum, the establishment and operation of radio stations, and the management of related broadcasting and telecommunications transmission equipment.
The Broadcasting Act regulates the broadcasting business (i.e., terrestrial broadcasting, cable TV services, satellite broadcasting, and broadcasting content programming services), while the Internet Multimedia Broadcast Services Act regulates IPTV services (provided over broadband networks). Currently, the Korean National Assembly is deliberating on the possible enactment of a new law merging all existing broadcasting services-related laws -- i.e., (i) the Broadcasting Act, (ii) the Internet Multimedia Broadcast Services Act, and (iii) the Special Act on Assistance in Development of Regional Broadcasting. Once the law is enacted, the name of the new law will be the “Integrated Broadcasting Act.”
The Act on Promotion of Information and Communications Network Utilisation and Information Protection (“Network Act”) regulates, among other things, the use of personal information carried over telecommunications networks.
Are communications networks or services regulated?
Yes. Under the current TBA, which was amended in 2018, telecommunications services are divided into two categories: (i) basic telecommunications services, and (ii) value-added telecommunications services.
Basic telecommunications services are telecommunications services for (i) transmitting or receiving voice, data, and images without any change in the form or details thereof, and (ii) leasing telecommunications facilities (e.g., private lines) for the use of transmission or reception of voice, data, and images. Some of the basic telecommunications services include landline and mobile phone services, fax services, and broadband services.
Value-added telecommunications services are any telecommunications services other than basic telecommunications services, and include all information/data services provided over any telecommunications (including broadband) networks.
If so, what activities are covered and what licences or authorisations are required?
(1) Basic telecommunications services
General rule: Anyone who wishes to engage in the basic telecommunications business (i.e., provision of basic telecommunications services over a telecommunications network) must “register” with the Minister of Science and ICT (“MSICT”).
Exception: Anyone who provides basic telecommunications services as an ancillary service to their main products or services and charges a fee to users of the said basic telecommunications services must “report” to the MSICT, including cases where the fee is included in the user’s payment for the main products or services. Examples of cases where reporting to the MSICT is required include those in which a business operator engaged in a non-telecommunications-related business (e.g., sale of automobiles or TVs) sells its main goods or services, which include an ancillary communications function (e.g., telematics services in the case of automobiles).
(2) Value-added telecommunications services
General rule: Anyone who wishes to engage in the value-added telecommunications business (i.e., provision of various information/data services over a telecommunications network such as a broadband network) must “report” to the MSICT.
Exception: Anyone who wishes to engage in certain value-added telecommunications business by providing the following special types of value-added telecommunications services must “register” with the MSICT: (i) value-added telecommunications services provided by a special online service provider (i.e., an online service which enables the interactive transmission of copy-righted works between different persons by using computers); and (ii) value-added telecommunications services through which text messages are sent by directly or indirectly connecting a text message transmission system to the telecommunications equipment and facilities of a telecommunications business operator.
Is there any specific regulator for the provisions of communications-related services?
Yes. The MSICT and the Korea Communications Commission (“KCC”) are responsible for enforcing the TBA and the Network Act. While the MSICT is responsible for administering the registration and requirements relating to basic and value-added telecommunications service providers and the licensing requirements applicable to wireless services providers and cable TV/IPTV operators, the KCC is responsible for regulating the service businesses of these basic and value-added telecommunications service providers and administering the licensing requirements applicable to terrestrial broadcasting services providers in Korea.
Are they independent of the government control?
Yes and no. While the KCC can be viewed as an independent regulatory body (which includes several independently-minded Commissioners with no government career background), the MSICT is a part of the executive branch of the Korean Government and could be subject to government control.
Are platform providers (social media, content sharing, information search engines) regulated?
Currently, platform providers are subject to limited regulation only. Under the TBA, platform providers are classified as value-added telecommunications business operators, and thus must either report to or register with the MSICT depending on the nature of the services they provide (see 1.2(2) above for more details). However, these reporting and registration requirements applicable to value-added telecommunications service providers are not often enforced strictly by the MSICT since the online service market is evolving rapidly almost on a daily basis.
Also, platform providers qualify as telecommunications business operators or “information and communications service providers” (i.e., persons who provide information/data services over a telecommunications network) for the purposes of the Network Act. So, for example, platform providers’ protection of their customer/user information would be subject to the relevant requirements of the Network Act.
If so, does the reach of the regulator extend outside your jurisdiction?
Under the recently-amended TBA, the reach of the regulator will extend outside Korea if the regulator finds that the business activity in question affected the Korean market or Korean users.
Meanwhile, the KCC has actively enforced the Network Act against foreign companies that process the personal information of Koreans outside of Korea. As a case in point, in January 2014, the KCC imposed an administrative fine of KRW 212 million and issued a corrective order (to destroy any personal information collected illegally) against Google Inc. (headquartered in the United States) for collecting personal information without consent in connection with the operation of its Street View services. At that time, the KCC expressed its position that the KCC will continue to monitor foreign companies’ compliance with the requirements of the Network Act regarding protection of the personal information of Korean customers and enforce the requirements rigorously with respect to the companies.
Does a telecoms operator need to be domiciled in the country?
While there is no explicit law or regulation that prescribes such a rule, in practice, a foreign company needs to establish a subsidiary in Korea to register as a basic telecommunications service provider. On the other hand, neither a local subsidiary nor local branch office would be required for a foreign company to file a value-added telecommunications business report with the MSICT to provide its value-added telecommunications services in Korea.
Are there any restrictions on foreign ownership of telecoms operators?
Yes. A foreign government or a foreign corporation may not own more than 49% of voting shares of a basic telecommunications service provider that provides various basic telecommunications services by establishing and operating its own telecommunications networks (“Facilities-based Telecommunications Service Provider”). In this connection, the 49% foreign ownership limit will count all of the voting shares owned by all of the foreign shareholders of the subject Facilities-based Telecommunications Service Provider.
In addition, for the purposes of administering the 49% foreign ownership restriction, if a Korean company’s largest shareholder is a foreign corporation or foreign government, and the foreign corporation or foreign government holds 15% or more of the total voting shares of the Korean company, the Korean company is deemed to be a foreign corporation.
However, with respect to the foreign companies from those countries that have entered into a Free Trade Agreement with Korea (e.g., the United States and the EU (and its member states)), these companies may own more than 49% of voting shares of a Facilities-based Telecommunications Service Provider through their subsidiaries in Korea (provided this permissible indirect ownership rule may not apply to KT or SK Telecom).
Are there any regulations covering interconnection between operators?
Korea has a set of complex rules regulating interconnection arrangements between and among basic telecommunications services providers -- specifically, Facilities-based Telecommunications Service Providers -- a telecoms operator receives an interconnection request from another telecoms operator, it may allow for interconnection by entering into an interconnection agreement with the said operator. However, basic telecommunications business operators such as those described in 5 below are obliged to comply with any interconnection requests made by other telecoms operators. The MSICT sets forth specific standards regarding the scope, conditions, procedure, method of interconnection, and calculation of interconnection charges.
If so are these different for operators with market power?
A basic telecommunications business operator who possesses equipment and facilities that are essential for other telecommunications business operators to provide telecommunications services must enter into an interconnection agreement with a telecommunications business operator who makes a request for interconnection. Basic telecommunications business operators who are subject to such obligation include those who possess essential equipment and facilities installed at service entrances and whose annual revenue from 2 years ago generated from its basic telecommunications business is at least KRW 1 trillion.
What are the principal consumer protection regulations that apply specifically to telecoms services?
Under the TBA, a “user” is defined as “a person who enters into a contract for the use of telecommunications services with a telecommunications business operator in order to receive telecommunications services.” Various user protection provisions such as the following are included in the TBA.
A basic telecommunications business operator that meets certain criteria in terms of their size must report to the MSICT their terms and conditions of use for each type of service they intend to provide, or obtain approval from the MSICT of such terms and conditions.
If a basic telecommunications business operator executes an agreement with a user for the provision/use of telecommunications services, it must send a copy of the relevant contract to the user in writing or through an information and communications network.
Certain telecommunications business operators who wish to execute a contract with a user must first verify the identity of the user through Korea’s illegal subscription prevention system, and provide the following services to the user: identity theft protection service (i.e., a service that alerts the user of the fact that a service usage contract has been executed in his/her name), subscription status look-up service (i.e., a service that allows an individual to look up whether he/she has entered into a telecommunications service contract under his/her name), and subscription restriction service (i.e., a service that prohibits others from entering into a telecommunications service contract under anyone else’s name other than his/her own).
No telecommunications business operator may engage in any acts which undermine or are at risk of undermining fair competition or users’ interests, or allow another telecommunications business operator or third party to commit such acts, including the following: calculating telecommunications service charges by unfairly itemising the expenses or revenues, providing telecommunications services in a manner different from the terms and conditions of use or in a manner which substantially undermines the users’ interests, failing to explain or notify users of important matters, such as service charges, terms and conditions of a contract, and discount of service charges, or explaining/notifying them to users in falsehood.
A telecommunications business operator must compensate a user for any losses he/she suffers, if (1) the telecommunications business operator has caused such losses in the course of providing telecommunications services (e.g., interruption of services), or (2) the losses are caused by an event or incident which served as the grounds for the user’s filing of a complaint and the handling of the complaint was delayed by the telecommunications business operator.
For your information, the Network Act also includes a number of user protection provisions (e.g., protection of juveniles and children, protection of users’ rights with respect to the use of information and communications networks, user’s right to request deletion of his/her personal information, implementation of temporary measures, measures for verifying the user’s identity). However, since these apply not just to telecom services but information and communications services in general, further details are omitted here.
What legal protections are offered in relation to the creators of computer software?
Legal protection is offered to computer software that meets certain requirements under the Patent Act and Copyright Act.
Under the Patent Act, if a computer program which is stored on a medium for the purpose of solving a certain task by being combined with hardware qualifies as an invention, it can be protected as a patent. However, a computer program that is not stored on a medium is not afforded the legal protections of a patent.
Under the Copyright Act, an idea itself is not legally protected. However, because the Copyright Act protects the expression of ideas, a computer program can be protected as a copyright if it qualifies as a creative external representation.
Do you recognise specific intellectual property rights in respect of data/databases?
Intellectual property rights are recognised for databases that meet certain requirements under the Copyright Act and Unfair Competition Prevention and Trade Secret Promotion Act.
Under the Copyright Act, a database is defined as “a compilation whose materials are systematically arranged or composed, so that they may be individually accessed or retrieved,” while a database producer means “someone who has made a substantial investment in human or material resources for producing a database, or for the renewal, verification or supplementation of the database’s materials.” A database producer has the right to reproduce, distribute, broadcast, or interactively transmit the entire database or considerable parts of it.
Under the Unfair Competition Prevention and Trade Secret Promotion Act, a trade secret is defined as “information, including a production method, sale method, useful technical or business information for business activities, that is not known publicly, is the subject of reasonable efforts to maintain its secrecy, and has independent economic value.” If data/databases qualify as trade secrets under the above definition, the person who has the rights to the subject data/databases may seek an injunction against anyone who tries to infringe upon his/her rights with respect to the data/databases or request compensation for any damages he/she suffers as a result of the infringement.
What key protections exist for personal data?
The Personal Information Protection Act (“PIPA”) is Korea’s comprehensive general law on personal data protection. In addition, there are a set of special laws regulating the processing of personal data in specific industries. For example, most notably, the Network Act regulates the processing of users’ personal data by information and communications service providers, while the Utilisation and Protection of Credit Information Act governs the processing of personal credit information by financial institutions and credit companies. The Act on the Protection and Use of Location Information regulates the processing of location information.
Are there restrictions on the transfer of personal data overseas?
Under the PIPA, personal data may not be transferred to a third party located overseas without notifying the data subject of certain information required by law and obtaining the data subject’s consent. Also, no cross-border data transfer agreement may include provisions that violate the PIPA.
Under the Network Act, when acquiring a data subject’s (i.e., user’s) consent for the transfer of personal data overseas, the data subject must first be notified of the following matters: (i) items of personal information to be transferred, (ii) countries to which the personal information will be transferred, along with the date, time, and method of transfer, (iii) name(s) of the third-party recipients and the contact information of each recipient’s privacy officer, and (iv) the third-party recipient’s purpose of use of the personal information and retention/use period. However, consent is not required if the overseas transfer is necessary to perform a contract entered into with the user for the provision of information and communications service and to promote the user’s convenience.
What is the maximum fine that can be applied for breach of data protection laws?
Under the Network Act, a penalty surcharge of up to 3% of the revenue generated from the act constituting the breach in question can be applied. Under the PIPA, a fine of up to KRW 100,000,000 can be applied.
What additional protections have been implemented, over and above the GDPR requirements?
Both the PIPA and Network Act provide for criminal sanctions in the event of a breach of any of their data protection provisions (including cases where personal information is leaked as a result of a hacking incident).
Resident registration numbers cannot be processed unless specifically required or permitted under an applicable law.
Are there any regulatory guidelines or legal restrictions applicable to cloud-based services?
The Act on the Development of Cloud Computing and Protection of Its Users (“Cloud Computing Act”) is Korea’s general law applicable to cloud-based services.
If electronic computer systems, equipment, and/or facilities are expressly required under another statute for some type of authorisation, licensing, permission, registration, or any similar action, the relevant electronic computer systems, equipment, and/or facilities are to be viewed as including cloud computing services. As such, in principle, the use of cloud computing services is permitted.
However, such provision does not apply if (i) the use of cloud computing services is explicitly prohibited under the relevant statute, or (ii) the relevant statute requires the installation of physical partitions between lines or facilities, thereby effectively restricting the use of cloud computing services.
The Korean regulator’s position is that the use of cloud computing services qualifies as the outsourcing of the processing of personal information. Therefore, (while there may be some difference in interpretation if the Korean regulator’s position is followed) using cloud-based services to process personal information will require compliance with the regulations on the outsourcing of the processing of personal information.
Are there specific requirements for the validity of an electronic signature?
Under the Electronic Signature Act (“ESA”), there are two types of electronic signatures: (1) a certified electronic signature and (2) a non-certified electronic signature.
A certified electronic signature is one that is based on a public key certificate (i.e., a certificate that is issued by a licensed certification authority) and satisfies the following requirements: (a) the key for creating the electronic signature must be held and known only by the subscriber, (b) the subscriber must control/manage the key at the time of signing, (c) it must be possible to determine whether there has been any change to the electronic signature since the electronic signature was provided, and (d) it must be possible to determine whether there has been any change to the electronic document since the electronic signature was provided. A non-certified signature is any electronic signature other than a certified electronic signature.
The legal effect of a certified electronic signature and a non-certified electronic signature is different under the ESA, although both are considered valid.
A non-certified electronic signature, as long as it was provided by the signor, will have the effect of a signor’s signature, signature and seal, or name and seal (collectively, “Signature or Seal”) as agreed between the contracting parties.
That said, if a person’s Signature or Seal must be affixed to a document under another applicable law or regulation, such requirement is deemed to have been satisfied only if a certified electronic signature is placed on an electronic document.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
In the event of an outsourcing of IT services, no employees, assets or third party contracts transfer automatically to the outsourcing supplier.
For your information, in the event that the processing of personal information is outsourced to a third-party service provider (i.e., outsourcing supplier), the outsourcing supplier will be deemed to be an employee of the original data handler who outsourced the processing if damages are incurred from the outsourced supplier’s violation of the PIPA and/or Network Act in the course of its processing of the personal information.
If a software program which purports to be a form of A.I. malfunctions, who is liable?
There has been much discussion on this topic, but there is currently no specific law or regulation that is applicable. Depending on the specific facts of the case, the developer or distributor of the software program may be subject to general tort liability under the Civil Act and/or product liability under the Product Liability Act. In any event, the program developer/distributor’s liability will be determined on a case-by-case basis after considering the developer/distributor’s level of intentionality/negligence and the unlawfulness of the act.
What key laws exist in terms of: (a) obligations as to the maintenance of cybersecurity; (b) and the criminality of hacking/DDOS attacks?
a) What key laws exist in terms of:obligations as to the maintenance of cybersecurity; and
Under the Network Act, all information and communications service providers must implement certain technical and managerial measures stipulated by law in order to ensure the secure processing of personal information and prevent the loss, theft, leakage, forgery, alteration, or damage of the personal information. The detailed standards of such required measures are set forth in Article 15 of the Enforcement Decree of the Network Act and the Network Act’s implementing regulation called “Standards of Technical and Managerial Security Measures.”
Also, information and communications service providers (excluding small business owners) must designate a chief information security officer (“CISO”) for handling cybersecurity matters and report the designation of the CISO to the MSICT.
b) The criminality of hacking/DDOS attacks?
Hacking: Under the Network Act, no one may intrude on an information and communications network without the right authorisation or access rights, or by going beyond the permitted scope of access. Failure to comply with such prohibition may result in imprisonment of up to 5 years or a fine of up to KRW 50,000,000.
DDOS attack: Under the Network Act, no one shall cause trouble to an information and communications network in order to purposefully interfere with the stable operation of the information and communications network by sending large amounts of signals or data, thereby letting the network process an illegitimate order. Failure to comply with such prohibition may result in imprisonment of up to 5 years or a fine of up to KRW 50,000,000.
What technology development will create the most legal change in your jurisdiction?
Self-driving cars and AI will create the most legal change, since the secure operation of self-driving cars and the seamless implementation of AI technology require fundamental changes to be made to the existing legal system, which is centered on people and the protection of their rights/interests.
For example, the use of AI raises the questions of whether AI itself will be entitled to certain rights and thus be subject to civil and/or criminal liability, who will be responsible in the event AI malfunctions, whether intellectual property rights will be granted to works created by AI, the use and security of big data in connection with AI, and how to protect personal information.
Meanwhile, legalising self-driving cars would require legislators to consider issues of who the driver of the car will be (i.e., a person or something else), how legal responsibility will be divided between manufacturers, system administrators, and consumers/purchasers, and how victims will be compensated in the event of an accident. In sum, various issues relating to civil/criminal liability and insurance would need to be discussed.
Which current legal provision/regime creates the greatest impediment to economic development/ commerce?
The current data protection and privacy laws and regulations such as the PIPA and Network Act are heavily focused on the protection personal information and thus impose stringent requirements on the processing of personal information. In principle, personal information may only be collected and used if the data subject’s consent is obtained, so services utilising big data are not yet considered commercially profitable in Korea.
Do you believe your legal system specifically encourages or hinders digital services?
Korea’s current legal system hinders digital services. There are a number of bills that have been proposed which, if adopted, would encourage the development of new technology and digital services. However, as of now, Korea’s regulatory regime remains largely “positive regulation-based”, meaning that only those acts which are specifically permitted by law may be performed.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
The Intelligent Robots Development and Distribution Promotion Act and Brain Research Promotion Act were enacted to promote R&D and investment in certain areas, but there are no current laws or regulations that specifically concern the overall use and development of AI technology across various sectors. Research on legal issues associated with AI (e.g., whether AI has a legal personality and thus may be subject to penalties, product liability, user protection, intellectual property rights associated with the outputs produced by AI, licenses/permits for use, strict liability, registration system, documentary proof of AI usage records) is on-going, and a bill for a new law called the Framework Act on Intelligence Information Society has been proposed to the National Assembly.
Meanwhile, because the value of AI depends on the availability and quality of data, a bill for amending the current data (i.e., personal information) protection laws to better accommodate the changes brought about by the arrival of the AI era has been proposed to the National Assembly.