Communications policyRegulatory and institutional structure
Summarise the regulatory framework for the communications sector. Do any foreign ownership restrictions apply to communications services?
The basic regulatory framework is set out in the Telecommunications Business Act (TBA) and the Radio Waves Act (RWA). The Ministry of Science and ICT (MSIT) and the Korea Communications Commission (KCC) are the main regulatory bodies that are responsible for the administration of these regulations. The country’s data privacy laws underwent significant amendments, passed in February 2020 and effective from August 2020, as part of which relevant rules were further consolidated in the Personal Information Protection Act (PIPA), the prime data protection statute.
The requirements for entry into and withdrawal from a telecommunications business are set out in the TBA, and if any telecommunications carrier constructs a network using radio equipment, it must also comply with the requirements set out in the RWA.
Traditionally, under the TBA, there were three types of telecommunications businesses, namely:
- providers of core telecommunications services (CTS);
- special category telecommunications services (SCTS); and
- value-added telecommunications services (VATS).
However, the amendments to the TBA, which came into effect as of 25 June 2019, restructured telecommunications services into two main types, CTS and VATS, absorbing SCTS into the broadened class of CTS:
- CTS refers to services relating to the transmission of sound, images or other data in an unmodified manner either by using the service provider’s own network or by leasing a third party’s network. This includes internet connectivity, as well as mobile and landline phones and voice over internet protocols (VoIP); and
- VATS are online services using the CTS network, including internet-based services, such as cloud computing services, email, e-commerce platforms and internet search engines.
Foreign ownership restrictions under the TBA apply only to CTS providers in possession of their own networks. Generally, only up to 49 per cent of foreign ownership is permitted in such CTS providers, but such restrictions may be alleviated where the foreign investor is from a certain foreign country that has entered into a free trade agreement with South Korea.
In the mergers and acquisitions context, under the amended TBA, CTS providers, including enterprises that were formerly SCTS providers, may, depending on their annual revenue for the previous year, have to obtain prior approval from the MSIT, or at least file a report to the MSIT, if they are the subject of a merger or an acquisition.Authorisation/licensing regime
Describe the authorisation or licensing regime.
The relevant authorisation and licensing regimes are set out in the TBA.
Under the amended TBA, all CTS providers must register with the MSIT. These requirements for registration are the same as those that applied to CTS providers and SCTS providers under the previous provisions of the TBA.
In contrast to CTS providers, VATS providers are only required to submit a report to the MSIT. The reporting process usually takes a few days and is generally considered a mere formality. An exception to this exists, however, with respect to peer-to-peer service providers and text messenger service providers that use a CTS network. These businesses must register with the MSIT, even though they are, strictly speaking, VATS providers. Additionally, VATS providers with less than 100 million won in capital are exempt even from the reporting requirement.
Businesses that are not mainly engaged in telecommunications services, but engage in sales (in their own name) of goods or services that incorporate telecommunications-enabled components, such as vehicles with certain built-in telecommunications services, are not required to obtain any licences or registrations, but are required to file a report to the MSIT.
Further, there is no distinction, in the applicability of authorisation or licensing requirements under the amended TBA, between the different means of communication (fixed, mobile or satellite) or the particular technology applied (eg, 2G, 3G or 4G in the mobile communication context). However, any telecommunication business using radio waves (eg, for mobile or satellite services) must also comply with additional requirements under the RWA to be assigned particular radio frequencies.
No fees are payable concerning any authorisation or licence obtained under the TBA.Flexibility in spectrum use
Do spectrum licences generally specify the permitted use or is permitted use (fully or partly) unrestricted? Is licensed spectrum tradable or assignable?
The use of radio spectrum is regulated by the MSIT, and the relevant MSIT licence would generally specify the permitted use.
A spectrum licence may be transferred or sub-licensed from three years after the original date of issuance. The transferee or sub-licensee must satisfy all the requirements applicable to the original licence holder and obtain prior approval from the MSIT.Ex-ante regulatory obligations
Which communications markets and segments are subject to ex-ante regulation? What remedies may be imposed?
Telecommunications service providers must provide telecommunications services without unjustified discrimination. In this respect, telecommunications service providers are required to file a report to the MSIT with regards to their business status, facilities, users, etc, adding to the transparency of their businesses.
For CTS providers of a certain revenue level, there is increased regulatory oversight. They are required to produce separate accounts concerning their telecommunications business and non-telecommunications business, as well as, in relation to CTS and VATS, to distinctly set out the assets, expenses and profits of each category.
Further, CTS providers of a certain size of revenue must file a report to the MSIT in respect of their customer terms and conditions, while CTS providers surpassing certain thresholds in terms of subscriber numbers and market share must receive prior approval from the MSIT concerning their customer terms and conditions. As part of the approval process, the MSIT can require adjustment of the tariffs proposed by the CTS provider, if it deems the tariffs to be excessive, considering the cost of supply, revenue, classification of costs and revenue by service, and impact on the fair competition in the telecommunications market.Structural or functional separation
Is there a legal basis for requiring structural or functional separation between an operator’s network and service activities? Has structural or functional separation been introduced or is it being contemplated?
If the KCC determines that effective competition in a particular market is deterred by a dominant telecommunications service provider’s actions that undermine fair competition or users’ interests, the KCC may, after public consultations with the MSIT, order structural or functional separation between network and service activities of that service provider.
However, an order for structural or functional separation is an extraordinary measure that has not been used to date in South Korea.Universal service obligations and financing
Outline any universal service obligations. How is provision of these services financed?
Under the TBA, all CTS providers (except for small-sized operators) are divided into two categories. Either they provide universal services or they provide compensation for expenses arising from the provision of universal services by other service providers.
Those service providers that provide universal services must submit a report to the MSIT regarding the expenses incurred in the process of providing universal services. The MSIT arranges for such expenses to be compensated, based on the level of sales, from the proceeds received from those service providers that are required to provide compensation for other service providers’ provision of universal services.
Universal services include, among other things:
- the provision of wire phone services;
- the provision of internet services; the provision of phone services for emergency calls; and
- the reduction or exemption of service charges to disabled and low-income persons for toll call services, mobile phone services and Long Term Evolution services.
Describe the number allocation scheme and number portability regime in your jurisdiction.
The MSIT has the authority to establish and enforce rules on the allocation of phone numbers and mobile phone numbers. Under the TBA, phone numbers are provided to business operators based on the type of telecommunication service they provide (eg, 070 is allocated to VoIP business operators and 010 to mobile operators).
Also, under the TBA, operators are required to provide number portability when customers switch operators, regardless of whether the numbers are assigned geographically or non-geographically.Customer terms and conditions
Are customer terms and conditions in the communications sector subject to specific rules?
Yes. Under the TBA, the customer terms and conditions of some CTS provider must be reported to the MSIT, and CTS providers surpassing certain thresholds in terms of subscriber numbers and market share must receive prior approval from the MSIT concerning their customer terms and conditions. This approval is subject to fulfilling certain criteria, such as reasonable consideration of costs and profit and refraining from unfair discrimination against specific users.
Further, the Act on the Regulation of Terms and Conditions, which prescribes general rules regarding customer terms and conditions to prevent unfair practices, also applies to customer terms and conditions specific to the communications sector.Net neutrality
Are there limits on an internet service provider’s freedom to control or prioritise the type or source of data that it delivers? Are there any other specific regulations or guidelines on net neutrality?
In principle, the TBA prohibits telecommunications service providers from imposing unreasonable or discriminatory conditions or limitations that would amount to any control or prioritisation in the type or source of data delivered. Detailed standards for prohibited conditions and limitations are as prescribed in a Public Notice promulgated by the KCC.Platform regulation
Is there specific legislation or regulation in place, and have there been any enforcement initiatives relating to digital platforms?
Under the TBA, VATS providers must file a report with the MSIT, and this report must include a schematic diagram of the telecoms network to be used, a detailed description of user protection measures and details of technical measures in place to prevent online copyright infringement. VATS providers with less than 100 million won in capital, however, are exempt from this reporting obligation. Upon the filing of the report, a VATS provider must commence business within one year from the filing date, also implementing technical measures to protect minors as well as measures against viruses and malicious codes. The TBA authorises the MSIT to survey VATS providers in this regard and requires them to submit any documents necessary to prove compliance with these requirements.
Also, the same prohibition on control or prioritisation of data delivery equally applies to VATS providers, although the regulation, as explained above, is not yet enforceable as the KCC has not promulgated an enforcement decree.
The PIPA, together with the IT Network Act in some respects, regulates digital platforms on issues including data protection, user protection (such as protection of minors and protection from illegal content) and the security of IT networks.
There is a significant move to further regulate digital platforms, in draft legislation called the Act on Fairness in Online Platform Intermediated Transactions (Online Platform Act) and advanced by the Korea Fair Trade Commission (KFTC), the main regulator for fairness in contracting. The main thrust of the draft statute, which seems likely to pass (possibly within 2021), is to restrain practices by online platforms that are seen as one-sided or abusive vis-à-vis the vendors that use the platforms. Platforms meeting some certain threshold of scale would be subject to a variety of requirements concerning transparency of terms (eg, terms governing exclusivity, pricing conditions and standards for item display), minimum advance notice of changed terms, and other aspects. Indicative of the direction of the draft statute, it is said by the KFTC to be modelled on EU regulations governing fairness and transparency between online platforms and commercial users (small and medium-sized enterprises). In the same vein, the KCC (partly emulating the KFTC) has proposed amendments to the e-Commerce Act that would call on platform services to provide enhanced disclosures, and additional options, to consumer users, and modulate aspects of the relationship between the platform and vendors.Next-Generation-Access (NGA) networks
Are there specific regulatory obligations applicable to NGA networks? Is there a government financial scheme to promote basic broadband or NGA broadband penetration?
The Framework Act on National Informatisation authorises the MSIT, while it must refer to submissions from other government agencies, to establish a basic plan for national informatisation every five years, and each basic plan may include plans for the expansion and management of relevant infrastructure and other facilities, support for informatisation of private sectors and procurement and management of funds.Data protection
Is there a specific data protection regime applicable to the communications sector?
The data protection regime, already largely encompassed in the PIPA, has been further consolidated in that primary statute as a result of amendments, to it and to the IT Network Act, which came into effect on 5 August 2020. Data privacy provisions in the IT Network Act were, essentially, taken and transplanted into the PIPA. However, certain IT Network Act provisions related to data protection, and applicable to the communications sector, remain in place, such as restrictions on marketing communications done online.
Is there specific legislation or regulation in place concerning cybersecurity or network security in your jurisdiction?
The PIPA requires IT service providers (data controllers) and, if applicable, their data processors to take technical and managerial measures to ensure the protection of personal data.
Such measures include requirements to:
- establish and implement an internal personal data management policy;
- prevent unauthorised access to personal data by controlling access authority and implementing technical measures to control access, such as firewalls or intrusion protection systems;
- encrypt personal data;
- implement logs of access to personal data systems and provide measures for preventing fabrication and alteration of such logs;
- utilise security programmes, such as antivirus software;
- store personal data in a safe area; and
- minimise the number of personnel processing users’ personal information to the extent possible.
Is there specific legislation or regulation in place, and have there been any enforcement initiatives in your jurisdiction, addressing the legal challenges raised by big data?
Under the amended PIPA, South Korea has adopted major amendments to its data regulatory framework that will, to a large extent, free up the use of pseudonymised data and ease the way for expansion of big data-driven services. (Allied with these changes under the main data privacy statute, amendments to the Credit Information Protection Act introduce similar types of latitude for use, including aggregation, of pseudonymised data in the financial sector in particular.) Several guidelines have followed, particularly in the third quarter of 2020, to supplement the standards and requisites for use of pseudonymised data, including technical and administrative parameters, and including for the financial sector and areas such as life sciences.
Under the current PIPA, personal information, defined as ‘information regarding an individual’, can include information that identifies or enables identification of an individual (thus, identifiable information) but also information that, while not by itself identifiable, enables identification when combined with other information. The amended PIPA takes this further, lending clarity to the concept of information being identifiable when combined with other information, and further defining the separate case of ‘pseudonymised information’.
Pseudonymised information means information that is unidentifiable without using (or combining it with) additional information, to restore it to its original state. The amended PIPA allows pseudonymised information to be used – without the need of the individuals’ consent – to generate statistical information, or for scientific research or public recordkeeping. The statute will also allow the compilation of pseudonymised information (sourced from different data controllers) by specialised institutions, designated for such purposes by PIPC and other central government agencies. This will thereby allow pseudonymised information to be used, even in the absence of consent, to analyse big data to generate statistical information, scientific research or public record-keeping.
On the other hand, the amended PIPA has not specially defined ‘anonymised information’; that is, information from which an individual cannot be identified, ‘taking into reasonable consideration the time, expense and technology’ involved. While the definition of anonymised information does not seem to present a clear boundary from pseudonymised information, for the time being, it appears that information that is classified as anonymised information could be used in big data analysis without being subject to restrictions under the amended PIPA.Data localisation
Are there any laws or regulations that require data to be stored locally in the jurisdiction?
Financial institutions (along with electronic financial enterprises) are prohibited from storing personal credit information on offshore cloud servers. The Financial Services Commission, the primary financial regulatory, recently amended the existing Regulation on Supervision of Electronic Financial Transactions to permit the usage of cloud services, but the new framework is confined to cloud storage and services located in South Korea.Key trends and expected changes
Summarise the key emerging trends and hot topics in communications regulation in your jurisdiction.
Regulators are moving to stiffen monitoring and regulation of foreign online service providers. The PIPC has been actively inspecting data privacy policies and related practices of offshore services, showing considerable alacrity in the role of prime data-privacy regulator role since assuming it in August 2020. In November 2020, the PIPC also imposed on Facebook some US$6 million in fines for data privacy violations, the largest ever such fines, and referred the case for possible criminal prosecution.
In the telecommunications sector, the TBA has been newly fitted with an extraterritorial jurisdiction clause, expressly extending TBA provisions to offshore service providers if their services impact users in South Korea. The amendment is noteworthy in potentially justifying expanded enforcement, although the TBA was already interpreted by regulators as encompassing foreign service providers depending on their local effects. Foreign online services that meet certain thresholds of scale or local usage (prescribed in the Presidential Decree of PIPA) are also required to designate a local data protection representative.
Separately, regulation of digital platforms seems likely to be bolstered soon by the Online Platform Act, currently in review at the National Assembly, and may also see the adoption of similar changes in a proposed amendment of the e-Commerce Act. Administration of the Online Platform Act, if passed, would be mainly with the KFTC, the fair competition regulator, but enhanced monitoring and enforcement could end up partly with the KCC, the chief agency for e-Commerce Act purposes.
There has been key progress towards a General Data Protection Regulation (GDPR) adequacy decision for South Korea. The working draft of the GDPR adequacy decision was announced in April 2021, and the final decision is expected to come in late 2021.
At the intersection of data protection and artificial intelligence (AI), amid controversy over personal data processing using AI technology, the PIPC is seeing to introduce new guidelines significantly limiting such data processing. Understandably, given the stakes, service providers have been at some pains, including in liaison with regulators, to try to narrow or moderate the impending draft guidelines.
Last, the TBA was amended in June 2020, with effect from December 2020, to require content providers and other VATS providers, meeting certain thresholds of scale, to implement measures to better ensure ‘convenient and stable provision of services’ to users. These are to include measures to secure stability, handle user grievances and provide reasonable payment methods for users, and prepare corresponding internal guidelines.
Law stated dateCorrect on
Give the date on which the information above is accurate.
31 May 2020