SOUTH KOREA: An Introduction to Technology, Media, Telecoms (TMT)

The Technology and Data Regulatory Landscape

Preface

South Korea’s regulatory landscape concerning the technology, media and telecommunications (TMT) sector can be divided into the technology sector and the data sector. Relevant regulations are primarily established through legislative measures or guidelines issued by regulatory bodies specific to each sector. In particular, guidelines often serve as de facto regulations, with regulatory agencies actively responding to and enforcing them.

Technology-related regulations

South Korea’s technology-related regulations span diverse sectors, ranging from traditional broadcasting and telecommunications to cutting-edge industries like the metaverse, AI, autonomous vehicles, IoT, and data centres.

In terms of applicable laws and regulations governing traditional telecommunications and broadcasting, South Korea has legislation such as: the Telecommunications Business Act, the Broadcasting Act, and the Internet and Multimedia Broadcasting Business Act.

Recent legislative developments

Recent legislative developments underscore South Korea’s commitment to fostering innovation and regulating emerging technologies. For instance, on 20 February 2024, the government enacted the Act on Promotion of the Metaverse Industry, which is the first law worldwide regulating the metaverse. Additionally, the Act on the Protection of Virtual Asset Users came into effect on 19 July 2024, and regulations related to fintech and digital finance are being continuously improved through ongoing amendments to the Electronic Financial Transactions Act.

Further, laws governing advanced technologies such as AI and autonomous vehicles are continuously evolving to address technological advancements and societal concerns. Regarding AI, starting with the announcement of the “National Strategy for Artificial Intelligence” in December 2019, followed by the issuance of the “Roadmap for Improving AI Law, System, and Regulation” in December 2020, and the unveiling of the “Digital Bill of Rights” in May 2023, South Korea has been vigorously engaged in shaping its AI regulatory landscape. A number of AI-related bills have been introduced in the National Assembly since 2022, and on 21 November 2024, the alternative bill that consolidates and harmonises 19 proposed bills, titled the Act on Promotion of the AI Industry and Framework for Establishing Trustworthy AI, passed the legislative subcommittee of the Science, ICT, Future Planning, Broadcasting and Communications Committee of the National Assembly, which is the initial stage of formulating the legislation. Although the details had not been disclosed at the time of writing this article, this legislation is known to be pursuing the balance between regulation of the industry and support for the development and industrial activation of AI technologies.

In the case of automobiles, the Act on the Promotion of and Support for Commercialisation of Autonomous Vehicles came into effect in May 2020 and has been continuously amended to regulate future automobiles (ie, connected and autonomous vehicles). Additionally, the Road Traffic Act, the Motor Vehicle Management Act, and other automobile-related regulations have been subject to ongoing amendments.

Regulatory bodies

In terms of regulatory oversight, various bodies are involved in technology-related matters. The key regulatory entities in technology-related matters include the Korea Communications Commission (KCC) and the Ministry of Science and ICT (MSIT). The KCC is primarily tasked with overseeing broadcasting and telecommunications regulations, ensuring fair competition and safeguarding consumer interests within these sectors. The MSIT, on the other hand, assumes a central role in shaping South Korea’s digital landscape, promoting research and development initiatives, and regulating emerging technologies.

The Personal Information Protection Commission (PIPC) serves as the primary supervisory agency responsible for overseeing all aspects of personal information processing, regardless of the specific technology or industry sector. Similarly, the Financial Services Commission (FSC), like the PIPC, regulates all entities involved in credit information processing. However, the FSC’s regulatory scope extends further to include specific industries such as digital finance, fintech, and virtual assets. The Ministry of Culture, Sports and Tourism (MCST) oversees content and intellectual property issues related to emerging broadcasting and cultural platforms like OTT. Additionally, the Ministry of Land, Infrastructure and Transport (MOLIT) and the Ministry of Trade, Industry and Energy (MOTIE) are responsible for regulations concerning future vehicles.

Moreover, not only the MSIT and the PIPC, but also various other regulatory bodies, such as the FSC and the MCST, are gearing up for the AI era. They are doing so by issuing guidelines tailored to specific industrial contexts, such as the financial sector or intellectual property sector, to facilitate the seamless integration and operation of AI technologies.

Data-related regulations

South Korea has implemented comprehensive data protection regulations to safeguard individuals’ privacy and promote responsible data management practices. These regulations encompass various laws and acts aimed at protecting personal and industrial data, with regulatory oversight provided by government bodies such as the PIPC, MSIT and KCC.

In terms of data protection and privacy, the Personal Information Protection Act (PIPA), which is regulated by the Personal Information Protection Commission (PIPC), serves as the primary personal data protection law in Korea, and in addition, the Credit Information Use and Protection Act (the “Credit Information Act”), the Framework Act on the Promotion of Data Industry and Data Utilization (the “Data Industry Act”), and the Communication Secrets Protection Act function as data protection laws.

The Personal Information Protection Act

The cornerstone of data protection regulations in South Korea is PIPA, which was initially enacted in 2011. This legislation, influenced by the GDPR although different, establishes rules for the collection, use and transfer of personal data, with a focus on enhancing transparency, accountability, and data subjects’ rights. Since its inception in 2011, PIPA has undergone several minor revisions, with comprehensive amendments in 2020 and 2023, driven by government initiatives and active support from the National Assembly.

The key features of the most recently amended PIPA (15 March 2023) are as follows:

1. the unification of data protection rules, previously divided into rules for information communications service providers (ICSPs) – a concept which is interpreted quite broadly to include providers of a wide range of services offered over telecommunications or information services networks – and rules for offline businesses;
2. revising provisions to relax criminal penalties and reinforce administrative penalties instead;
3. easing of requirements for the processing of personal data;
4. revamping of provisions relating to the mediation of disputes involving personal data;
5. the update of provisions relating to visual information processing devices;
6. the introduction of rights relating to automated decision-making;
7. new rules for cross-border transfers of personal data; and
8. the establishment of new provisions relating to the right to data portability.

The Credit Information Act

The Credit Information Act governs especially the use of credit information in the financial sector, with recent amendments incorporating provisions to regulate AI-driven automated evaluation processes. These amendments aim to ensure fairness, accuracy and transparency in credit assessment practices, reflecting the government’s efforts to adapt regulatory frameworks to technological advancements in the finance industry.

The Data Industry Act

This Act includes regulations aimed at protecting data assets and prohibiting the unauthorised use of data that infringes upon the economic interests of data producers, thereby also addressing issues related to the use of data for AI training, among other provisions.

The Act on the Promotion of Information and Communications Network Utilization and Information Protection

On a separate note, the Act on the Promotion of Information and Communications Network Utilization and Information Protection, which is regulated by the MSIT and KCC, mainly regulates matters related to securing the stability of information and communication networks, and protecting users.

Summary

As a highly advanced nation in ICT, South Korea continually advances in industries related to cutting-edge technology and data. Consequently, the country actively responds to regulatory challenges and enacts regulations related to emerging technologies. In particular, there are ongoing efforts to improve regulatory frameworks in industries such as AI, digital finance, fintech, virtual assets, automotive, and data protection to enhance industrial competitiveness while also addressing the risks associated with new technologies.

Especially noteworthy is South Korea’s preference for a rule-based approach over self-regulation, highlighting the importance of closely monitoring regulatory trends and engaging with regulatory authorities to ensure compliance with the laws and regulations.