All questions

Intellectual property and data protection

i Intellectual property

In Korea, innovations and inventions can be protected by IP rights such as patents, utility models, designs, copyrights, and trade secrets. Korean law explicitly provides for the protection of patents under the Patent Act, utility models under the Utility Model Act, designs under the Design Protection Act, copyrights including copyrights in computer software under the Copyright Act and trade secrets under the Unfair Competition Prevention Act (UCPA).

Under the Patent Act, fintech inventions relating to software or business methods are generally patentable if they meet the statutory requirements such as subject matter, novelty, and inventiveness. If an invention is not sufficiently creative or inventive to meet the standards of patentability, protection may be available under the Utility Model Act. The basic difference between a utility model and a patent is that a utility model requires a lower technical content. However, fintech inventions that are mainly software or business methods may not be eligible for utility models.

Graphical user interfaces of fintech software may be protected by design registrations under the Design Protection Act. For example, images represented on a display portion of a product such as a display panel can be registered and protected as a design. Copyright protection is also possible upon creation of an original computer program without any formality. Although a copyright registration is not a prerequisite for copyright protection or enforcement, it provides certain advantageous statutory presumptions in enforcing the copyright. The source code of fintech software may be protected as a trade secret under the UCPA. The UCPA defines a 'trade secret' to mean information of a technical or managerial nature that:

  1. is useful for business activities;
  2. is generally unknown to the public;
  3. possesses independent economic value; and
  4. whose secrecy is maintained through reasonable effort.

Ownership of IP rights such as patents, utility models, and designs initially belong to the person who created such rights. Such person may transfer his or her IP ownership right to another party through an agreement. However, transfer of an IP right, other than through inheritance or other general succession, is not effective in Korea against third parties unless it is recorded at the Korean Intellectual Property Office.

In the context of an employer-employee relationship, there are two ways for the employer to obtain ownership rights to in-service inventions of its employees. First, the employer may enter into a pre-invention assignment agreement with an employee with a provision that the employee agrees to assign any and all future in-service inventions to the employer. Second, the employer may adopt an employment rule such as an invention remuneration policy that expressly provides for employee-inventors to assign any and all future in-service inventions to the employer and the employer to provide remuneration to such employee-inventors. In either case, if the employer chooses to acquire the ownership right to an in-service invention pursuant to the agreement or employment rule, the employee is entitled to reasonable compensation from the employer.

Ownership of copyright initially belongs to the actual author or authors of a given work. In the context of an employer-employee or work-for-hire relationship, however, an employing legal entity, organisation, or person may be deemed to be the author of a work with ownership of copyright in the work. Under the Copyright Act, such employer is deemed to have copyright ownership of a work if:

  1. the work is created by an employee within the scope of employment and made public (computer program works do not need to be made public), subject to the employer's supervision; and
  2. there is no separate or particular contract or employment regulation providing that the status of the author of, or ownership of copyright in, the work-for-hire should belong to the employee.

For IP rights such as patents, utility models, and designs, the party enforcing an IP right should own the registered rights in Korea. For copyrights, works by foreigners, such as the source code of fintech software, are entitled to protection under treaties to which Korea has acceded. However, the Copyright Act provides exceptions to favourable treatment of foreigners' copyrights under such treaties. In particular, the Copyright Act provides that even if the copyright protection period for foreigners' copyrights may be in force and entitled to protection under the Copyright Act, if the copyright protection period granted in the country of their origin has already expired, Korea will not recognise the copyright protection period.

IP rights including patents, utility models, and designs are a type of property right and thus, owners of IP rights may exploit or monetise them for their benefit. For example, an IP owner may assign or sell his or her IP right to another person or entity and receive payment in return. An IP right may also be pledged as collateral for a loan or investment from another person or entity. Further, an IP right may be licensed through an exclusive or non-exclusive agreement for royalties or may be licensed to another party in a cross-licence agreement. If an IP right is jointly owned, a joint owner may license the IP right only with the consent of all the other joint owners, but each owner may still freely practise the jointly owned IP.

IP-related licences may be subject to governmental review under certain circumstances. For example, under the Fair Trade Law, the Fair Trade Commission has released the Guidelines on the Unfair Exercise of IP Rights (the IP Guidelines), for examining licence agreements. If a provision of a licence agreement violates one of the standards set forth in the IP Guidelines, a court may find such provision to be null and void as being contrary to Korean public policy. As for licence terms, there are no statutory or regulatory restrictions on a maximum royalty rate or payment terms. Further, Korean courts have not issued a ruling on a maximum royalty rate. Thus, the parties may agree on royalty rates and payment terms based on the facts in individual cases.

ii Personal data

In Korea, the protection and regulation of personal data is primarily governed by the Personal Information Protection Act (PIPA). The PIPA is the overarching personal data protection law in Korea that may apply to fintech businesses operating in Korea. The PIPA prescribes detailed measures for each of the stages involved in the processing of personal data such as collection and use, provision to a third party, outsourcing and destruction. The PIPA must be followed by all personal information processing entities, which are defined as all persons, organisations, corporations and governmental agencies that process personal data for business purposes. Under the PIPA, data subjects must be informed of, and provide their consent to the following matters before their personal data is collected or used:

  1. the purpose of the collection and use;
  2. the items of personal information that will be collected;
  3. the duration of the possession and use of the personal information; and
  4. disclosure that the data subject has a right to refuse to give consent and the negative consequences or disadvantages that may result from such refusal.

In addition, there are various sector-specific privacy laws such as the Act on the Promotion of IT Network Use and Information Protection (the Network Act) and the Use and Protection of Credit Information Act (the Credit Information Act) that complements the PIPA. The Network Act regulates the processing of personal information in the context of services provided by online service providers (e.g., personal information collected through a website). The Credit Information Act regulates and protects financial transaction information and credit information of individuals and entities. Both the Network Act and the Credit Information Act can apply to fintech businesses operating in Korea.

The Ministry of the Interior and Safety is responsible for enforcing the PIPA. The Korean Communications Commission and the Ministry of Science and ICT are responsible for enforcing the Network Act. The FSC and the FSS are responsible for enforcing the Credit Information Act. Each of these regulatory agencies can make requests for information and conduct inspections at the premises of data controllers to ensure they are compliant with the respective privacy laws. In addition, once a violation of a relevant privacy law is confirmed, each of these respective regulatory agencies can impose administrative penalties, such as corrective orders and fines, and, as necessary, refer the case for criminal prosecution. Criminal sanctions can be imposed following an investigation by the police or prosecutor's office, either on its own initiative or upon a referral by the relevant regulatory authority.

As for the applicability of these laws to overseas entities, the PIPA applies to all personal information processing entities regardless of whether they are located overseas. In addition, sector-specific privacy laws such as the Network Act would apply to overseas online service providers collecting personal information in Korea. Further, the Credit Information Act would also apply to overseas entities handling financial transaction information and credit information of individuals or entities in Korea. Although the PIPA, the Credit Information Act, and the Network Act do not specifically address their jurisdictional scope for overseas entities, the Korean regulatory authorities have measures to ensure compliance by overseas entities with these laws.

iii Cybersecurity

The main statutes in the context of cybersecurity that apply to fintech businesses are the PIPA and the Network Act. The PIPA and the Network Act prescribe detailed technical security and administrative requirements for cyber security such as:

  1. the establishment and implementation of an internal management plan for the secure processing of personal information;
  2. installation and operation of an access restriction system for preventing illegal access to and leakage of personal information; and
  3. the application of encryption technology to enable secure storage and transfer of personal information.

Further, the EFTA criminalises certain types of cyber activities that may apply to fintech businesses operating in Korea. The EFTA criminalises cyber activities that:

  1. intrude on electronic financial infrastructures without proper access rights or by surpassing the scope of permitted access rights or altering, destroying, concealing or leaking data that is saved in such infrastructures; and
  2. destroy data, or deploy a computer virus, logic bomb or programme such as an email bomb for the purpose of disrupting the safe operation of electronic financial infrastructures.