In Korea, there are no laws or regulations that are generally applicable to the metaverse. However, various laws may apply depending on the specific activities and interactions taking place in the metaverse.

Laws Applying to Platform Businesses

Transactions in the metaverse

The Act on the Consumer Protection in Electronic Commerce Transactions (the “E-Commerce Act”) applies when goods or services are traded electronically. Thus, if goods or services are traded in the metaverse, the E-Commerce Act will apply.

Under the E-Commerce Act, a business operator who is engaged in or conducts electronic commerce is referred to as an “Online Seller”, and a business operator that intermediates an online order between the parties to a transaction by providing an online platform is referred to as a “Platform Operator.” In this context, the metaverse operators who sell goods or services directly to users will be considered Online Sellers, and those who provide the metaverse platform for users to sell goods or services to other users will be considered the Platform Operators under the E-Commerce Act.

Please refer to 2.1 Key Challenges for the obligations of the Online Seller and the Platform Operator under the E-Commerce Act.

Obligation of the metaverse operator

There are no established obligations or liabilities specific to metaverse operators. However, several laws that apply to the operators of online platforms would apply to metaverse operators.

The Telecommunications Business Act (TBA) requires the operators of value-added telecommunications businesses (as which metaverse operators are likely to be categorised) to delete or otherwise prevent the distribution of certain illegal content, such as child pornography, etc. Failure to comply with this obligation may result in penalty surcharges of up to 3% of annual revenue imposed by the Korea Communications Commission.

In general, the Copyright Act prohibits copyright infringement, such as unauthorised copying and transmission of copyrighted works. However, online service providers can be protected from liability for the copyright infringement of their users if they satisfy certain statutory conditions under Article 102 of the Copyright Act. As metaverse operators are likely to be considered online service providers, the same limitation of liability would apply to metaverse operators as well.

In addition, other laws, such as the Act on the Promotion of Information and Communications Network Utilization and Information Protection (the “Network Act”), would also apply to metaverse operators to take certain actions against illegal content on the internet. Please refer to 2.1 Key Challenges for more details.

Intellectual Property

Trade marks

Under the Trademark Act, trade mark infringement occurs when an unauthorised person uses a registered trade mark within the range of protection (ie, the designated goods) and as a trade mark (ie, to show the origin of the goods).

However, there is no established principle on how trade marks will work on virtual goods. As the trade mark is registered for certain designated goods in principle, the validity of a trade mark on virtual goods is still in question. The Korean jurisprudence is to evaluate primarily in relation to the possibility of confusion, while taking into account various factors such as the quality, shape, and purpose of the goods. However, what constitutes trade mark infringement in the metaverse is still unclear under Korean law.

Copyright

Under the Copyright Act, any expression of human creativity may enjoy copyright protection. In a recent case, the Court ruled that creating a virtual golf course for virtual golf games based on a real-life goal course constitutes an infringement of the architectural copyright. This case shows how a virtual recreation of the real world on the metaverse could trigger risks of copyright infringement.

Publicity right

The publicity right (ie, the right to use one’s image for profit) is protected under the Unfair Competition Prevention and Trade Secret Protection Act. To be more specific, unauthorised commercial use of an individual’s name, likeness, voice and other recognisable characteristics is prohibited as an act of unfair competition. It is expected that the publicity right will be recognised as a new type of property right by the introduction of relevant laws.

Data Protection

Under the Personal Information Protection Act (PIPA), data controllers are, in principle, required to obtain prior consent from data subjects to collect and process their personal information. If the metaverse operators collect and process the personal information of their users, it should comply with the PIPA. Please refer to 2.1 Key Challenges for the PIPA’s requirements for the processing of personal information. 

The digital economy in Korea is regulated by various laws and regulations concerning electronic commercial transactions, financial transactions (payment), and consumer protection in the digital space.

Electronic Commercial Transactions

The E-Commerce Act stipulates the obligations of business operators to protect consumers in e-commerce. To sell goods or services by providing information on the sale of goods or services online and to receive a consumer's order by means of telecommunications, a business operator must register with the Fair Trade Commission or the relevant local government as an Online Seller.

Online Sellers are subject to certain obligations to protect the customers. For instance, when placing an indication or advertisement for its goods or services, an Online Seller must disclose the following information:

• trade name and the name of its representative;
• address;
• telephone number;
• email address; and
• the business registration number.

Moreover, the Online Seller shall inform or notify its customers about the specific terms of the transaction before concluding a contract, and upon the conclusion of a contract, the Online Seller shall provide a document that includes such information before supplying the goods or services.

Meanwhile, Platform Operators must notify beforehand that it is not a party to electronic transactions so that the customers can easily recognise such fact.

Electronic Financial Transactions

The Electronic Financial Transactions Act (EFTA) regulates “electronic financial transactions” which enable users to utilise financial products and services provided by a financial company or an electronic financial business entity through electronic means in a non-facing and automated manner.

Depending on the specifics of the business, the EFTA requires different types of licences to provide electronic financial transaction services in Korea. To issue and manage electronic currencies, permission from the Financial Services Commission (FSC) is required. For other types of electronic financial services, including electronic funds transfers, electronic debit payment means, electronic prepayment means, and electronic payment settlement agencies, registration with the FSC is required.

Moreover, an electronic financial transaction service provider is subject to certain security measures to ensure the secure handling of electronic financial transactions. To be more specific, the specific security measures for human resources and physical facility capability as well as financial soundness for conducting electronic transactions, etc, are outlined in the FSC’s Regulation on Supervision of Electronic Financial Transactions (the “E-Transaction Regulation”).

User Protection

Content regulation

The laws to regulate illegal content in the digital space, such as the Network Act, the TBA and the Copyright Act, will apply to business providers and require them to take certain actions against illegal content.

Under the Network Act, when information violates a person’s privacy or defames someone, the victim may request the online service provider to delete the information or publish a correction statement, and the online service provider must comply with such request without delay. If there is any media product harmful to children in violation of labelling regulations or any advertisements for such content, the online service provider shall delete such content without delay. Also, circulation of “unlawful information (such as obscene content, defamatory content, criminal content, etc)” through an online network is prohibited, and the Korea Communications Commission may order an online service provider to reject, suspend or restrict management of unlawful information.

Additionally, the TBA regulates the circulation of “illegally filmed material”, which includes pictures taken without permission, deepfake images, and child sexual exploitation material. Where an online platform realises that any “illegal filmed material” is circulated on its platform, it should, without delay, take necessary measures to block the circulation of such material (ie, deleting the information, blocking access, etc).

The Copyright Act also states that any person who claims that their copyright or other rights are infringed due to reproduction or interactive transmission of works, etc, through the services provided by an online service provider may demand the online service provider to suspend the reproduction or interactive transmission of the works, and the online service provider shall take necessary actions without delay.

Personal information

When business operators who are data controllers collect the personal information of their customers, they should prepare a privacy policy in accordance with the PIPA and disclose the privacy policy on their websites. Also, the business operators are required to obtain explicit and separate consent from the data subjects for the collection and use, third party provision, and overseas transfer of personal information in accordance with the form and manner stipulated in the PIPA.

Please note that in addition to ordinary provisions, the PIPA has special provisions for online service providers. The online service providers are companies that engage in e-commerce or operate a company website to provide information about their products. For example, an online service provider meeting a certain threshold must regularly (at least once a year) notify their users of how their personal information has been used.

Terms and conditions

The Act on the Regulation of Terms and Conditions regulates the terms and conditions, a contract prepared in advance by the business operators to enter into with multiple users. Under this law, a business operator shall prepare the terms and conditions in Korean and disclose important terms and conditions in a manner easily recognisable and understood by customers. Also, the Act specifies the types of “unfair clauses” that are unreasonably unfavourable to consumers and states that these unfair clauses shall be deemed null and void, and thus unenforceable.

General Laws and Regulations

The Cloud Computing Act

In Korea, there are currently no laws or regulations that directly regulate the cloud computing industry. However, the Act on the Development of Cloud Computing and Protection of its Users (the “Cloud Computing Act”) aims to promote cloud computing industry by setting forth the general principles and the government’s responsibilities to promote the development and use of cloud computing.

The Cloud Computing Act defines the term “cloud computing” as an information processing system that makes it possible to flexibly use integrated and shared resources for information and communications, such as devices for information and communications, information and communications systems, and software, through information and communications networks in accordance with changes in users' requirements or demands.

The Act further states that electronic computer systems (including equipment, facilities, etc) that are subject to authorisation, permission, registration, designation, or any similar action under other laws shall be deemed to include cloud computing services unless the relevant laws expressly prohibit the use of cloud computing services, or the cloud computing services cannot meet the technical and physical requirements of such relevant laws.

Criteria for information protection of cloud computing services

Under the Clouding Computing Act, cloud computing providers must endeavour to enhance the quality and performance of cloud computing services and the level of information protection.

Under this law, the Minister of Science and ICT has the power to determine and publicly notify the standards for the quality and performance of cloud computing services, and the standards for the protection of information (including managerial, physical, and technical measures for information protection) (the “Criteria for Information Protection of Cloud Computing Services”), and to recommend cloud computing service providers to comply with the Criteria for Information Protection of Cloud Computing Services.

Personal information

If personal information is stored or processed by cloud computing services, the PIPA will apply to cloud computing service providers. In most cases, cloud computing service providers will be considered third-party data processors as they tend to carry out the outsourced data processing tasks (including storage) on behalf of data controllers who collected personal information for their purpose in the first place.

Under the PIPA, when personal information is transferred from a data controller (outsourcer) to a third-party data processor (outsourcee) for the benefit and business purpose of the data controller, and such transfer is consistent with the original purposes of the collection and use of personal information, it is considered the “outsourcing” of personal information processing. For the outsourcing, the third-party data processor must use the received personal information only to perform the work outsourced by the data controller, and the data controller will not be released from its obligation to monitor, supervise, and train the third-party data processor regarding the protection of the transferred personal information.

While consent from data subjects is not required for the outsourcing of personal information processing, the data controller is required to enter into a written contract with the third-party data processor (typically in the form of a data processing agreement) that includes the following terms and conditions:

• prohibiting personal information processing outside the scope and purpose of outsourcing;
• technical and managerial measures to protect personal information; and
• other matters regarding the safeguarding of personal information as prescribed by the Enforcement Decree of the PIPA.

Additionally, the data controller must disclose the following information on the privacy policy posted on its website at all times: the details of processing outsourced, and the information about the third-party data processor.

In case of overseas outsourcing of data processing (including storage), the data controller can be exempted from the consent requirement only if the following information must be disclosed in the third-party data processor’s online privacy policy, or notified to users via electronic mail, or other similar means as prescribed under the relevant Presidential Decree:

• items of personal information transferred;
• the country to which such personal information is being transferred, along with the date and method of such transfer;
• the name of the recipient (if the recipient is an entity, the name of the entity and the contact information of the person responsible for the management of personal information for that entity);
• the purpose for which the recipient makes use of the transferred personal information;
• the period during which the transferred personal information will be used/retained by the recipient; and
• the fact that the user has the right to refuse consent and any possible disadvantages resulting from such refusal.

Industry-Specific Laws and Regulations

Financial companies

There are special regulations for the use of a cloud service by a financial company, specifically in the FSC’s E-Transaction Regulation.

According to the E-Transaction Regulation, when a financial company intends to implement a cloud service, it must evaluate the importance of the tasks to be carried out by the cloud service, and the soundness and security of the cloud computing service provider. Based on these evaluations, the financial company must establish and implement a business continuity plan and necessary security measures.

A financial company must also report the use of cloud services to the Financial Supervisory Service (FSS) within three months from the execution of a new service contract with a cloud computing service, or the date of any significant changes with the service provider or the cloud computing services.

Medical institutions

According to the Medical Service Act, medical personnel and medical institutions may keep medical records in the form of an electronic document with a digital signature (the “Electronic Medical Records”).

For the management and retention of Electronic Medical Records, the Enforcement Rule of the Medical Service Act and the Standards for Facilities and Equipment Necessary for Management and Preservation of Electronic Medical Records set forth specific requirements and standards for equipment and retention facilities.

When Electronic Medical Records are stored on cloud servers located outside of a medical institution, the cloud service provider of such servers must implement the equipment that enables real-time monitoring of the servers (and spare equipment to be used in an emergency), install monitoring equipment such as closed-circuit television, etc, and set up disaster prevention facilities. However, please note that since Electronic Medical Records must be stored in Korea at all times, they cannot be stored on servers located overseas.

General Laws and Regulations

The Act on the Promotion of Data Industry and the Activation of Data Use (the “Data Industry Act”) provides the basic legal principles in relation to the derivation of economic value from data and the development of the data industry. Also, the Act on the Promotion of the Provision and Use of Public Data states that certain public data must be disclosed to the public and become freely accessible, while other public data must not be disclosed to the public and become accessible only if the user files an application to the competent public institution.

In Korea, there are no statutory laws specifically regulating the use of AI. Instead, guidelines on relevant issues have been published by various governmental agencies, such as the FSC’s Guidelines for Artificial Intelligence in the Financial Sector, the Personal Information Protection Commission’s Artificial Intelligence Personal Information Self-Checklist, the Korea Communications Commission’s Basic Principles for User Protection in AI-Based Media Recommendation Services, and the Ministry of Science and ICT’s (MISCT) Ethical Standards for Artificial Intelligence. These guidelines set out the basic principles for activities involving particular issues in using AI in each respective field.

In addition to these guidelines, the existing laws and regulations governing personal information, intellectual property, credit information, and liability and insurance, will apply.

Specific Application of Laws and Regulation

Personal information

The PIPA will apply if an AI processes personal information or if personal information is used for machine learning. Under the PIPA, different types of personal information are regulated differently.

Personal information under the real name

Personal information under the real name refers to the information that identifies a particular individual or may be easily combined with other information to identify a particular individual. If an AI processes personal information under the real name, the general principles of the PIPA will apply. This means that the data controller must explicitly obtain the consent of each data subject if it wishes to collect and use the personal information, or provide such information to a third party, unless there are any other legal grounds upon which the absence of such consent could be justified, such as when special provisions exist in other laws or it is inevitable to observe legal obligations.

Pseudonymised information

Pseudonymised information refers to personal information that is pseudonymised and thereby becomes incapable of identifying a particular individual without the use of or combination with additional information for restoration to the original state. A data controller may process pseudonymised information without the consent of data subjects for statistical purposes, scientific research purposes, and archiving purposes in the public interest. Under the PIPA, “processing” includes the collection, use, and provision of information, which means that for pseudonymised information, the data controller may carry out these activities without the data subject’s consent, as long as the purposes of processing are limited to the above.

Anonymised information

Anonymised information refers to information that no longer identifies a certain individual even when combined with other information, reasonably considering time, cost, technology, and other factors. Since anonymised information cannot identify an individual, such information is not considered personal information; therefore, the PIPA does not apply. This means the data controller may process anonymised information without any limitations as to the purpose of processing.

Expected amendment of the PIPA

The amendment bill of the PIPA, which is scheduled to be passed by the legislature in early 2023, introduces provisions on the data subject’s right to object to or request clarification regarding a decision based on the processing of personal information by a fully automated system, including AI technology, when such decision significantly affects the rights or obligations of the data subject.

Intellectual property

Protection of data and databases

Data used for machine learning and processed by AI, as well as the processed results, generally exist in the form of a “database”. A “database” means a compilation of systematically arranged or composed data, such that the data may be individually accessed or retrieved. Under the Copyright Act, a database is recognised as a copyrightable object; thus, producers of a database hold the rights to reproduce, distribute, broadcast, or interactively transmit the whole or considerable parts of the relevant database.

The Unfair Competition Prevention and Trade Secret Protection Act (the “Unfair Competition Prevention Act”) regulates the unfair use of “data” as an “act of unfair competition”, such as the acquisition of data by theft, deceit, unauthorised access, or other illegal means by a person without access authority, or use and disclosure of such acquired data. The term “data” in this context refers to technical or business information that is provided to a specific person or a specific number of people in the course of business, electronically accumulated and managed in a significant volume, and not managed as confidential. Such act of unfair competition is subject to criminal penalties.

Crawling

AI often uses “crawling” to collect big data necessary for machine learning. Crawling is an act of extracting data from a web page as it is, so it basically accompanies reproduction of data, which may be interpreted as an act that infringes upon the database producers’ right to reproduce, or as an unfair use of data that is an act of unfair competition.

Although the relevant legal principles have not yet been clearly established, there was a recent Supreme Court case which found that crawling was not considered an infringement of the database producer’s rights under the Copyright Act. The Court reasoned that an infringement of the right to reproduce is less likely to be found if the information is already known or has already been made public and does not require significant cost or effort to collect. Also, the Court stated that a violation of a database producer’s rights must be judged by considering factors such as the volume of reproduced data in comparison to the volume of the entire database, and whether the database producer has made a significant investment in human or physical resources in the production of the database.

Liability and insurance

In Korea, whether the Product Liability Act applies to the damages caused by AI is still widely debated. If the Product Liability Act applies, the manufacturer of the AI would be liable for the damages to the life, body or property of a person caused by a defect of an AI. However, the manufacturer would be exempted from such liability in some circumstances, such as when the defect could not be identified with the scientific and technical knowledge available at the time the product was supplied by the manufacturer.

The Compulsory Motor Vehicle Liability Security Act states that if an insurance company compensates for losses or damages that result from the death or injury of any third party or the damage of the property of a third party caused by a defect in an autonomous driving motor vehicle, the insurance company may seek indemnity from any person who is legally liable to such losses or damages for the relevant amount. Also, under the Act, the manufacturer of an autonomous driving motor vehicle should attach a recording device that records autonomous driving information, and the owner of such vehicle should retain the recorded information for at least six months. The insurance company may request access to the recorded information and its analysis results.

Regulation in Relation to the Internet of Things and Machine-to-Machine Communications

No laws or regulations specifically regulate the IoT or machine-to-machine communications (M2M). However, if the IoT or the M2M falls under the definition of an existing term or meets requirements under the existing laws, such existing laws will apply.

The IoT or M2M service operators would likely correspond to the “Facilities-Based Telecommunications Business” under the TBA and would be required to register with the MSICT to conduct business in Korea. To register, the IoT or M2M service operator should meet the requirements for both financial and technical eligibility and have a user protection plan, in addition to the business plan, including details of major business facilities and network configuration.

Moreover, any IoT or M2M devices that utilise radio waves such as Bluetooth or Wi-Fi would be subject to the conformity assessment requirement in accordance with the Radio Waves Act (RWA). Under the RWA, anyone who intends to manufacture, sell, distribute or import broadcasting and communications equipment or products that cause electromagnetic interference or are affected by electromagnetic waves (hereinafter referred to collectively as “broadcasting and communications equipment”) shall, with regard to the relevant equipment, receive a conformity assessment. The assessment standards include technology requirements, human exposure levels, and electromagnetic compatibility. The National Radio Research Agency (NRRA), a government agency under the MSICT conducts the conformity assessment under the RWA.

Under the RWA, a party or product is deemed to have received the conformity assessment if the party or product has received or completed one of the following.

• Conformity Certification ‒ required for:
1. equipment likely to cause harm to the spectrum environment and to the broadcasting and communications networks, etc; and
2. equipment that causes significant electromagnetic interference or which is affected by electromagnetic waves to the extent that its normal function may be compromised.
• Conformity Registration ‒ required for any broadcasting and communications equipment, etc, which is not subject to the conformity certification obligation.
• Interim Certification ‒ in case there is no established conformity assessment standards or conducting the assessment is impracticable, according to the NRRA, an Interim Certification is applicable to only a few exceptional cases; therefore, such certification has not been issued frequently.

The specific requirement for certification/registration varies based on the type of product.

Communication Secrecy and Data Protection

No specific laws or regulations govern communication secrecy in relation to the IoT or M2M.

If the IoT or M2M collects personal information, the PIPA will govern such collection of personal information through the IoT or M2M. The applicable laws may differ according to the types of personal information. For instance, the Act on the Protection and Use of Location Information would apply to the collection of personal location information, and the Credit Information Use and Protection Act would apply to the collection of credit information. Under the Act on the Protection and Use of Location Information, a business operator that intends to engage in location information business or location-based service business would be required to register with or report to the Korea Communications Commission.

Moreover, as stipulated in the Protection of Communications Secrets Act (PCSA), no person or entity shall censor any mail, wiretap any telecommunications, provide communication confirmation data, or record or listen to any conversation between others that is not made public, except as provided in the Act, the Criminal Procedure Act or the Military Court Act.

General Laws and Regulations

Korea’s major audio-visual media services include terrestrial broadcasting (ie, television broadcasting, radio broadcasting, and mobile multimedia broadcasting), cable television (CATV) broadcasting, satellite broadcasting, and internet multimedia broadcasting (IPTV) services. The audio-visual media service industry, including the requirements for entry into the industry is regulated by law, including the Broadcasting Act and the Internet Multimedia Broadcast Services Act (the “IPTV Act”).

The Korea Communications Commission (KCC) and the MSICT are in charge of the authorisation of media services in Korea. The KCC issues licences to terrestrial broadcasting businesses, which are subject to stronger public interest considerations, whereas the MSICT issues licences to more commercial broadcasting businesses, such as CATV broadcasting, satellite broadcasting, and IPTV broadcasting businesses.

On the other hand, video-sharing platform services are currently not subject to licensing requirements under the TBA. A video-sharing platform service provider can commence its business after reporting to the MSICT as a value-added telecommunications business without obtaining a license. Additionally, video-sharing platform service providers whose total capital amount is at most 100 million KRW are exempted from the reporting requirement.

Under the Broadcasting Act, a country, a local government, or a person who is not a corporate entity, as well as those who violated an applicable regulatory requirement, such as the restrictions on ownership and foreign capital investment, are prohibited from operating a broadcasting business (eg, terrestrial broadcasting business, CATV broadcasting business, and satellite broadcasting business entity). The restriction on ownership prohibits a person from obtaining ownership of a terrestrial broadcasting business entity exceeding 40%. The restriction on foreign capital investment prohibits foreign investment in a terrestrial broadcasting business and a foreign investment exceeding 49% in CATV broadcasting or satellite broadcasting businesses.

Under the IPTV Act, a country, a local government, or a business corporation of which over 49% of the shares are held by a newspaper publisher, a news agency, or a foreigner is prohibited from operating an IPTV service business.

On the other hand, the TBA does not specify the grounds for disqualification of OTT service providers that are value-added telecommunications business entities.

Approval/Authorisation Procedure and Fees, etc

General approval/authorisation procedure

The KCC and the MSICT adopted a system under which they establish a basic authorisation plan for broadcasters within its jurisdiction in order to authorise or deny terrestrial broadcasting, general CATV broadcasting, satellite broadcasting, and IPTV broadcasting services through various steps, including notice of application, receipt of applications, receipt of viewers’ opinions, and evaluation by the review committee.

For the authorisation of a terrestrial broadcasting business, which uses radio frequency for transmission, the KCC is also required to request and take into account a technical review of the establishment radio station under the Radio Wave Act from the MSICT as part of the evaluation.

Those who intend to conduct CATV broadcasting business must obtain authorisation from the MSICT by securing facilities and technologies that satisfy the standards prescribed by Presidential Decree of the Broadcasting Act.

Satellite broadcasting service providers must obtain broadcasting station authorisation from the MSICT as prescribed by the Radio Waves Act. IPTV broadcasting service providers must also be authorised by the MSICT as prescribed by the IPTV Act.

The authorisation for a terrestrial broadcasting business is valid for five years. On the other hand, the validity period of authorisation for CATV broadcasting, satellite broadcasting, and IPTV broadcasting is seven years. However, these validity periods may be shortened by the KCC and MSICT by two years or less if the KCC or MSICT determines such adjustment is necessary for the protection of the viewers’ interest, an undertaking of public responsibility, and the establishment of fairness and public interest.

Fee

When applying for authorisation for terrestrial broadcasting and satellite broadcasting, a fee, ranging from KRW75,000 (less than 100Watt) to KRW590,000 (exceeding 100kW), based on the size of the transmitters determined by the antenna power must be paid (the Radio Act, Article 95(1) (Annex 12)). There is a fee of KRW200,000 for the application for the CATV broadcasting authorisation (The Enforcement Decree of the Broadcasting Act, Article 671). On the other hand, there is no application fee required for IPTV business authorisation or reporting fee for value-added telecommunications businesses.

Telecommunication Business Under the Local Telecommunications Rules

Telecommunications business, regulated by the TBA, is subcategorised into the following two groups: facilities-based telecommunications business and value-added telecommunications business. Under the TBA, facilities-based telecommunications business (FBT) means a business that provides telecommunications services for transmitting or receiving voice, data, images, etc, without any change in the form or details thereof, and services for leasing telecommunications line equipment to enable transmission or reception of voice, data, images, etc, such as telephone services or internet services.

Value-added communication business means a value-added telecommunications service provider other than facilities-based telecommunications service providers.

Requirements for Licence/Approval/Authorisation

FBT

Pursuant to the TBA, an FBT must register with the MSICT upon satisfying the below requirements in relation to financial capability, technical capability, and plans for protecting users.

However, businesses deploying a telecommunications service in order to primarily engage in a business other than telecommunications will not be required to obtain a telecommunications registration but will be subject to an obligation to file a relatively simple report. Such enterprises will be deemed to “make ancillary use of core telecom services” where:

• even if the use of the telecommunications service were eliminated from the product or service offered, the business is still capable of supplying the product or service; and
• the telecommunications service at issue includes communication with a machine or other objects, without the possibility of voice reception/transmission (except in case of emergency).

There are certain minimum capital requirements and minimum technical staff requirements for each FBT type.

• For large-scale wired business, the minimum capital is KRW5 billion, and it is necessary to have three engineers specialising in several designated categories of telecom, broadcast and radio communications (“telecom engineers”) and two technicians specialising in several categories of telecom, broadcast and radio communications (“telecom technicians”).
• For small-scale wired business, the minimum capital is KRW500 million, and it is necessary to have one telecom engineer and one telecom technician.
• For switched resale business, the minimum capital is KRW3 billion, and it is necessary to have three telecom engineers and two telecom technicians.
• For switchless resale business, the minimum capital is KRW300 million, and it is necessary to have one telecom engineer or technician.
• For mandatory wholesale service resale businesses that only provide the services of transmission and reception of data with things, the minimum capital is KRW300 million, and it is necessary to have:
1. three telecom engineers and two telecom technicians when exchange equipment is installed; and
2. one telecom engineer or telecom technician when exchange equipment is not installed.
• For in-premises telecommunications business, the minimum capital is KRW300 million, and it is necessary to have one telecom engineer and one telecom technician.

Value-added telecommunications business

Pursuant to the TBA, a person who intends to operate a value-added telecommunications business must properly report to the MSICT, and those who intend to operate a special value-added telecommunications service business must register their business with the MSICT. “Special value-added telecommunications service” means:

• value-added telecommunications services provided by a special online service provider (“P2P operator”) who mainly enables interactive transmission of works and other subjects using computers between other persons; and
• value-added telecommunications services through which text messages are sent by directly or indirectly connecting a text-message system to telecommunications equipment of a telecommunications business operator (“ISMS operator”).

Different minimum capital requirements and requirements for personnel and facilities apply in relation to P2P operators and ISMS operators.

• For P2P operators, the minimum capital is KRW300 million and the following requirements for personnel and facilities apply:
1. the operator must designate and announce a copyright protection manager, youth protection manager, and information protection manager who have executive-level or department head-level or higher authorities, and concurrent positions are allowed;
2. the operator must appoint at least two employees dedicated to monitoring the distribution of illegal information, harmful information, and illegal works 24 hours a day, and must secure one additional employee per 4,000 upload or sharing accounts per day; and
3. the operator must be equipped with electronic computer systems and various computer programs necessary to provide special value-added telecommunications services smoothly and to implement a technical measures implementation plan pursuant to Article 22(2)(1-2) of the TBA.
• For ISMS operators, the minimum capital is KRW50 million and the following requirements for personnel and facilities apply:
1. the operator must appoint at least one dedicated employee in charge of preventing false subscriptions, registering and managing outgoing numbers, verifying and providing the transmission path of text messages with falsely marked telephone numbers, and suspending the provision of telecommunication services to the relevant line by the person who transmitted such messages; and
2. the operator must be equipped with electronic computer systems and various computer programs necessary to provide special value-added telecommunications services smoothly and to implement a technical measures implementation plan pursuant to Article 22(2)(1) of the TBA.

The TBA requires those value-added telecommunications business operators that do not have a local business address or a branch office in Korea, of which (i) the average number of domestic users per day in the three months immediately before the end of the previous year is more than 1 million, and (ii) the average daily domestic traffic generation for the three months immediately prior to the end of the previous year accounts for more than 1% of the total nation-wide daily traffic generation for the same time frame, to designate in writing a person who has an address or office in Korea (“domestic agent”) as an agent responsible for user protection and compliance of the data submission orders.

Technology Agreements

Technology agreements are required to abide by the general contract laws.

Although there are no specific laws or regulations that apply to technology agreements in general, the Software Promotion Act (SPA) provides general principles related to the execution of software agreements. The SPA stipulates that the parties to a contract for software project (including a subcontract and a re-subcontract) shall enter into the contract fairly on an arms-length basis by mutual agreement and perform the obligations under the contract in good faith. The parties to a contract for a software project shall, when entering into the contract, clearly set forth the material terms of the contract, including the purpose and scope of the contract, the contract period and the fees, etc, in the contract, and affix their signatures (including digital signatures) thereto or exchange and keep the signed and sealed copies of the contract. If any terms of a contract for a software project are notably unconscionable to either party and fall under any of the following cases, such terms shall be null and void:

• if either party does not accept any modification of the contract amount or the contract period caused by changes to the assigned tasks or changes in economic conditions after the conclusion of the contract without good cause, or transfers the relevant burden to the other party;
• if either party transfers responsibility to the other party for any matters that are difficult to predict at the time of signing the contract, in light of all related circumstances including the terms and conditions of the contract;
• if the specific terms and conditions of the contract are not determined or, in the event of a disagreement between the parties, the terms or conditions of the contract are determined at the sole discretion of either party, which thereby prejudices the legal interests of the other party;
• if either party’s liability for damages resulting from its non-performance of the contract is excessively reduced or augmented, which thereby prejudices the legal interests of the other party; and
• if the rights of the other party acknowledged by the Civil Act and other applicable statutes or regulations are excluded or restricted without good cause.

The MSICT provides standard contract forms for software projects including those for information system development and establishment of businesses, information system maintenance businesses, and the employment of software employees.

Moreover, there is a list of technologies that are subject to export control under the Korean law, the violation of which may even expose a foreign company to criminal sanctions. Under the Foreign Trade Act, any person/entity that intends to export “strategic item” designated by the Ministry of Trade, Industry, and Energy (MTIE) must obtain export permission from the MTIE or the relevant administrative agency. Even if an export good does not fall under the ambit of “strategic item”, any person who intends to export goods that are highly likely to be appropriated for manufacturing, developing, using, or storing weapons of mass destruction or missiles as carriers of such weapons must obtain “situational permission” from the MTIE or the relevant administrative agency.

Finally, the Act on Prevention of Divulgence and Protection of Industrial Technology prevents the export of “National Core Technology”, a technology designated by the MTIE that could have a material adverse effect on national security and the development of the national economy if divulged. If an entity that possesses national core technology intends to export the national core technology, it has to obtain approval from or report to the MTIE.

Data Localisation Requirements

There are no general data localisation requirements, but as discussed in 3.1 Highly Regulated Industries and Data Protection, technology agreements in certain industries may be subject to the specific laws and regulations.

Electronic Signatures and Certification Service 

The Electronic Signature Act (ESA) stipulates the basic legal framework for electronic signatures. Prior to the amendment in 2020, the ESA classified electronic signatures into:

• certified electronic signatures; and
• uncertified electronic signatures.

Certified electronic signatures had to be certified by public key certification, a system licensed by an authorised entity designated by the MSICT. However, the amended ESA abolished the public key certificate system and allowed various other electronic signature methods.

The amended ESA stipulates that the effect of the electronic signature will not be denied due to its electronic form. Where an electronic signature is selected as a means of writing a signature, signature and seal, or name and seal under the provisions of any statute or an agreement between parties concerned, the electronic signature will have the same effect as a hand-written signature, signature and seal, or name and seal.

The MSICT establishes the operational standards for electronic signature certification services and publicly notifies the standards in consideration of internationally recognised standards. A certification service provider has to undergo an assessment by the assessment body and then obtain accreditation for its compliance with the operational standards from the accreditation agency designated by the MSICT. According to the ESA, a certification service provider has to be a national agency, local government or legal person.

The ESA also recognises and accepts international assessment standards. The ESA stipulates that the MSICT may publicly notify internationally-accepted assessments standards and recognise compliance with the operating standards. A certification service provider is deemed to have obtained an assessment of an assessment body if it has obtained an internationally-accepted assessment. In this case, the certification service provider may apply to the accreditation agency for an accreditation of compliance with the operating standards without separate assessment by a domestic assessment body.

A certification service provider must protect the personal information of the users in relation to the storage and distribution of their electronic documents, as prescribed by the relevant statutes. If a certification service provider inflicts a loss on a user in relation to the storage of electronic documents, it must compensate the user for such loss, unless it proves that the loss was not caused by intentional or negligent conduct. A certification service provider is required under the law to be insured to compensate users for such loss.

Electronic Documents

The Framework Act on Electronic Documents (FAED) specifically regulates electronic documents. The FAED stipulates that an electronic document is not denied legal effect as a document solely because it is in an electronic form. All documents would in principle be allowed to be executed in an electronic form using an electronic signature except the following documents, which are required to be executed only by wet ink signature and cannot be executed by digital signature.

• Guaranty Agreement ‒ The Civil Act prohibits a declaration of intent to provide a guaranty in an electronic form, and thus, the provision of a guaranty by digital signature does not have any effect. However, if an “institutional guaranty” provided by an institution is engaged in the provision of a guaranty agreement, the execution of the guaranty agreement in an electronic form is allowed. The term “institution” means a specific financial institution making a guaranty agreement as its own business, such as the credit guarantee fund or the construction guarantee co-operative.
• Will by holographic (handwritten) document ‒ To execute a will by holographic document, the testator must write the content of the will, date, and the testator’s domicile and full name in their own handwriting and must affix seal to it.
• Documents required to be submitted to the government offices that are required by such government offices to be affixed with the registered seal and accompanied by a certificate of the registered seal ‒ documents that are specifically required by the government offices to be submitted in such a manner cannot be submitted in an electronic form or with an electronic signature. 

In addition, the documents that are specifically required to confirm “the actual identity of the signer” may be conditionally allowed to be executed in an electronic form using an electronic signature. In that case, the electronic signature for such documents would be considered effective only if the specific requirement is met. Examples of the foregoing include the signature of the agency transactions agreement and the signature of written documents for subcontracting transactions.

An entity specialised in the storage of electronic documents may be designated as a certified electronic document centre by the MSICT. A certified electronic document centre ensures safety and accuracy in the storage of electronic documents. Documents kept in the certified electronic document centre will be presumed as unmodified by the law. Additionally, a certified electronic document centre must protect the personal information of the users in relation to the storage and distribution of their electronic documents, as prescribed by the relevant statutes. Similar to a certification service provider’s duty described under the heading Electronic Signatures and Certification Service, if a certified electronic document centre inflicts a loss on a user in relation to the storage of electronic documents, it must compensate the user for such loss, unless it proves that the loss was not caused by intentional or negligent conduct. A certified electronic document centre is required under the law to be insured to compensate users for such loss.

Digital Identity

Although there are no specific laws or regulations that apply to digital identity, the government expressed its support for promoting a digital identification system. On 27 January 2022, the Ministry of the Interior and Safety and the Korean National Police Agency jointly launched the mobile driver’s licence, which has a legal effect identical to the plastic licence card. The government aims to expand the types of mobile IDs and launch mobile IDs for the national honoree, the disabled, foreigners, and teenagers.