Subscribe to regular updates:
A close-up of the Republic of Korea's regulatory approach to data governance, content moderation, competition and more.
This is the sixth issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.
Tommaso Giardini, Maria Buza
25 Apr 2023
The Republic of Korea (“Korea”)’s economy regularly tops rankings on innovation and ICT development. It leads the G20 nations in terms of Internet availability. The number of Korean wireless communication service subscribers surpasses its population size. The government pursues a “Digital Republic of Korea” with focus on Artificial Intelligence, 5/6G communication, quantum computing, metaverse and cybersecurity. A continuously successful digital transformation is estimated to create KRW 281 trillion (approx. USD 211 billion) in annual economic value by 2030.
But what do Korea’s domestic digital policies stand for? The sixth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and Korea-specific focal points.
Discover the details of Korea’s approach below and stay informed on our dedicated page:
Remain up-to-date on new and upcoming policy developments with our free notification service: https://digitalpolicyalert.org/subscription
Data protection policy developmentsThe Personal Information Protection Act (PIPA) is the main privacy law in Korea. Originally enacted in 2011 and repeatedly amended since then, PIPA is widely ranked among the strictest privacy laws with a strong emphasis on data subject consent. In March 2024, an amendment will add the right to data portability and enable data subjects to request information on and refuse automated decision-making. Currently, several PIPA amendments are under deliberation, including the prohibition of dark patterns to collect personal information, the protection of biometric data, the regulation of artificial intelligence and the protection of deceased persons’ data.
Since January 2023, the amended Cloud Computing Act prohibits cloud computing service providers from disclosing user information to third parties without consent. Furthermore, it empowers the Ministry of Science and ICT to evaluate compliance with the cloud computing standards and provide security certification.
Data localisation developmentsSince January 2023, cloud service providers must locate cloud computing systems in Korea to receive certification from the Korea Internet & Security Agency. Certification is required to provide services to the public sector. The localisation obligation extends to associated data, backup systems and personnel.
From September 2023, the amended PIPA allows cross-border data transfers if either 1) the recipient country has a level of data protection similar to Korea’s, 2) the recipient country has an international data transfer agreement with Korea, 3) the transfer fulfils a contract with the data subject that discloses storage details, or 4) the recipient organisation is certified by the Personal Information Protection Committee (PIPC).
On the international level, in May 2022, Korea’s domestic launch spearheaded the Global Cross-Border Privacy Rules System. The international mechanism enables data transfers through voluntary data protection certification for companies. The PIPC provides such certification for the Asia Pacific region. In addition, Korea has received adequacy decisions from the European Union and the United Kingdom.
Enforcement developmentsEstablishing what is appropriate user consent is a central enforcement theme for the PIPC. In February 2023, the PIPC fined Meta for requiring users to consent to the collection of behavioural data to access its services Facebook and Instagram. In the same month, the PIPC fined Kakao for obliging users to consent to the third-party transfer of their information to use its ride-hailing service. Previously, in September 2022, the PIPC fined Google and Meta for collecting and processing personal information without explicit consent.
In April 2023, the Korean Supreme Court ordered Google to disclose its third-party personal information sharing practices, including with foreign intelligence services. In March 2023, the PIPC fined Samsung, iMarket and Kara Solution for insufficient cybersecurity in view of data leaks.
Content moderation developmentsKorea’s 2002 Telecommunications Business Act (TBA) was one of the earliest laws worldwide to address online content moderation. Online service providers must delete illegal content upon discovery. The Act was amended in 2020 to address gender abuse content, following the “Nth Room” online sexual abuse case. The amendment obliges online intermediaries to prevent the circulation of illegally filmed materials, threatening violaters with fines of up to 3 years of imprisonment.
The 2016 Network Act requires telecommunications service providers to delete or block access to illegal information upon request by an affected person, the police or government agencies. Providers must immediately hide the content for 30 days and, if no revision or appeal is made, delete it. Online intermediaries are encouraged to proactively monitor and remove content to avoid liability. Since 2021, an amendment to prevent digital sex crimes requires providers to report on measures to prevent the distribution of illegally filmed materials depicting sexually exploitative materials. In addition, providers must appoint a local person responsible for the prevention of such content. In April 2022, an amendment requiring internet service providers to immediately suspend the operations of websites that purposely infringe individual rights was proposed.
In August 2021, the government postponed a proposal to amend the Act on Press Arbitration and Remedies. The amendment would have subjected internet news services reporting “false or manipulated” content to punitive damages and court takedown orders without additional oversight, but has not advanced since.
Enforcement developmentsThe Korea Communications Standards Commission (KCSC) oversees online content. The KCSC does not provide public, official sources on specific blockings. In 2022, it reported 192,621 website blockings and 19,378 online content removals.
Competition policy developmentsSince 2021, the amended Telecommunications Business Act prohibits app store providers’ practice of forcing their in-app purchasing system onto app developers. The Act further bars app store providers from restricting app developers in offering their applications on other stores, and from “unfairly” deleting or delaying customer reviews. Subsequently, the Korean Communication Commission (KCC) issued an enforcement decree and guidelines outlining its criteria to judge app store operators’ unilateral conduct.
Since 2020, two bills to bolster online platform competition, namely the Act on Fair Intermediate Transactions on Online Platforms and the Act on Online Platform User Protection, have been proposed but subsequently stalled. In the meantime, the Korean government established the “Platform Policy Council” to support the self-regulation efforts of private platform providers. In January 2023, the KFTC issued guidelines on the factors it considers in investigations, including tipping effects, multi-side characteristics and bundling.
Enforcement developmentsThe Korean Communications Commission (KCC) enforces app market rules. The KCC currently investigates whether Google, Apple and One Store complicate developers’ use of third-party payment options. The investigation follows a KCC inquiry and statement condemning Google’s prevention of outlinking, including the removal of apps linking to outside websites for payment.
The Korean Fair Trade Commission (KFTC) enforces competition rules for foreign and domestic online platforms with a particular focus on self-preferencing practices. In April 2023, the KFTC fined Google KRW 42 billion (approx. USD 32 million) for providing favourable promotion to gaming apps released exclusively on the Google Play Store. In 2021, the KFTC fined Google KRW 207 billion (approx. USD 156 million) for abusive fragmentation agreements with smartphone producers, which restricted the customisation of the Android OS. In February 2023, the KFTC fined ride-hailing provider Kakao KRW 25.7 billion (approx. USD 19.3 million) for using manipulative algorithms to give preferential treatment to its affiliated drivers. In October 2020, the KFTC similarly fined e-commerce platform Naver KRW 26.7 billion (approx. USD 20.1 million) because its ranking algorithm favoured its own shopping and video services. In August 2021, the KFTC fined e-commerce platform Coupang KRW 3.3 billion (approx. USD 2.5 million) for forcing suppliers to sell goods for lower prices on its marketplace and coercing suppliers to buy advertisements on its site.
Regarding mergers, the KFTC is currently investigating the Microsoft/Activision Blizzard acquisition. In 2021, the KFTC approved the merger between OTT providers Tving and Seezn. In 2020, the KFTC approved Delivery Hero's acquisition of Woowa Brothers under the condition that Delivery Hero divest all its shares in Delivery Hero Korea.
Further digital policy focal points
International digital trade
Korea is an active negotiator in international digital trade. Korea is a signatory of the Regional Comprehensive Economic Partnership, joined the launch of the Indo-Pacific Economic Framework for Prosperity in 2022 and notified its intention to join the Digital Economy Partnership Agreement in 2021. Bilaterally, Korea has engaged in multi-faceted digital partnerships with the European Union, covering data transfers, cybersecurity, competition and interoperability, as well as Singapore, covering data transfers, data localisation, consumer protection and artificial intelligence (on which the countries signed a Memorandum of Understanding). In addition, Korea is modernising its Free Trade Agreement with the United Kingdom to include digital trade and has announced a Digital Economy Agreement with the United Arab Emirates.
Telecommunication network usage fees
The 2020 amendment of the Telecommunications Business Act introduced quality of service requirements for large information and communications network providers (CNP) and value-added telecommunications service providers (VSP). The requirements apply to providers that account for more than 1% of Korean internet traffic and reach an average daily user base of 1 million over three months. The amendment requires such providers to ensure the stability of service and process user demands, regardless of traffic. As a consequence, CNPs and VSPs may be forced to negotiate fees with internet service providers. The government is still deliberating proposals to mandate network usage fees, following a ruling that fees don’t undermine net neutrality. Finally, foreign telecommunications service providers must appoint local representatives (“domestic agents”).
In February 2023, the Science, ICT, Broadcasting and Communications Committee of the Korean Assembly passed the Act Fostering the AI Industry and Establishing a Foundation for Trustworthy AI (AI Act). The Act establishes a comprehensive regulatory regime to both foster the AI industry and protect users. To foster the AI industry, the Act establishes a Basic Plan for AI and an AI Committee to guide AI development without governmental pre-approval. To increase trust, the Act establishes ethical principles for AI and requirements for "high-risk AI", determined through criteria including direct human connection and safety. In the same month, the government introduced the Artificial Intelligence Responsibility Act, establishing basic principles for the development and use of AI. It includes technical standards and requirements regarding user notification and opt-out.
In May 2021, the Personal Information Protection Committee adopted the AI Personal Information Protection Self-Checklist. The guidance outlines legitimacy, safety, transparency, participation, responsibility and fairness as principles of personal information protection in AI.
In 2020, the Ministry of Trade, Industry, and Energy revised the Foreign Investment Promotion Act. The revision rendered 2,990 technologies in 33 sectors, including technology and artificial intelligence, eligible for cash incentives.
In February 2023, the Financial Services Commission (FSC) announced amendments to the Telecommunications Fraud Damage Reimbursement Act. The amendments expand legal relief for phishing schemes to cryptocurrencies and mobile payments, including the freezing of fraudulent accounts on crypto exchanges. In January 2023, the Ministry of Justice announced its aim to create a Virtual Currency Tracking System to detect cryptocurrency money laundering. In October 2022, Korea introduced the Digital Asset Market Fairness Regulation Bill. The Bill prohibits unfair trade practices related to digital assets, including price manipulation. The FSC would oversee digital asset markets and receive regular reporting from operators.