Database

An identity verification system obliged portal sites to check the identities of all blog and discussion board users who post comments using their residence registration numbers or alternatives. For example, to post a comment on a news article, a user registration and citizen identity number verification was required. For foreigners who do not have such numbers, a copy of passport needed to be faxed and verified. In September 2012, the Constitutional Court ruled unanimously against this regulation arguing that it is unconstitutional to require people to authenticate their identity in order to post or comment on websites.

Despite the ruling, several verification requirements remain in Korea. In 2015, Korea's Constitutional Court upheld the Public Official Election Act requires Internet news sites, including news aggregators, to provide the system for users to input and verify their identities when posting articles either supporting or countering a candidate during 30 days of election campaigning. Freedom House also reports that the Game Industry Promotion Act and the Telecommunications Business Act require internet users to verify their identity.

Article 102 sets out specific conditions necessary for a safe harbor to apply to different types of Online Service Providers (OSPs). In particular, the safe harbor only applies for third party copyright infringement. The provision was amended twice in 2011, to reflect the Korea-EU- FTA and then Korea-US FTA.

It is reported that messages sent by e-mail (after submission and receipt) are considered by law enforcement authorities as “objects” rather than “means of communications”. This implies that they are subject to ordinary search and seizure requirements, rather than requiring wiretapping warrants and notification to parties within 30 days.

All personal information managers must appoint a chief privacy officer who has a multitude of legal obligations.

The Korea Communications Commission (KCC) announced on April 29 that individuals in Korea will be able to request website administrators and search engine operators remove certain digital content of personal information as early as June 2016. The KCC released the “Guidelines on the Right to Request Access Restrictions on Personal Internet Postings” which enable consumers to request that search engines and website operators restrict access and ultimately remove online information (including blogs, pictures and videos) that individual data subjects cannot delete themselves.

The personal information manager must obtain consent before starting the data collection. Consent must be given also for transferring or selling data to any entity.

The Enforcement Decree of the Networks Act Art. 16 provides that the data retention period must be not longer than one year, except in cases where a longer retention period is required in order to comply with other Korean laws or regulations and where the data subject has expressly agreed to a longer retention period.

Amendments to the 2007 Protection of Communications Secrets Act established extensive data retention requirements. These amendments require telecommunications companies and Internet Service Providers to retain access records and log files (including online transactions conducted; Web sites visited; time of access; and files downloaded, edited, read, and uploaded) for at least three months, along with date and time stamps, telephone numbers of callers and receivers and GPS location information for 12 months.

All cloud services providers providing services to public institutions must have public data centers located within the country, and must be physically separated from networks serving the general public. Although the guidelines only act as recommendations, in practice, Korean institutions generally follow them. These policies, paired with a Ministry of Science, ICT and Future Planning (MSIP) plan to spread the use of cloud services in e-government, entails an increased localisation of data used in public services.

Despite provisions in its FTAs with EU and US to allow sending financial data across borders, Korea prohibited outsourcing of data-processing activities to third parties in the financial services industry for several years and today certain restrictions still apply. Banks can therefore only process financial information related to Korean customers in-house, either in Korea or abroad and offshore outsourcing is restricted to a financial firm’s head office, branch or affiliates.

In June 2015, the Korea Financial Services Commission has proposed revisions to its outsourcing policies by eliminating its requirements for (1) prior approval for the outsourcing of IT facilities; (2) offshore outsourcing to be restricted to a financial firm’s head office, branch or affiliates (thus permitting use of third parties); and (3) use of a standardized outsourcing contract form (thus permitting customized contracts provided they include certain obligatory terms). Such revisions were implemented in July 2015. Yet, certain conditions for processing abroad still apply today.

If a user's personal information is transferred to an overseas entity, the Article 24-2 of the Network Act requires online service providers to disclose and obtain the user's consent, regarding the following: the specific information to be transferred overseas, the destination country, the date, time, and method of transmission, the name of the third party and the contact information of the person in charge of the personal information held by the third party, the third party's purpose of use of the personal information and the period of retention and use.

The Personal Information Protection Act requires companies to obtain consent from data subjects prior to exporting their personal data.

Korea imposes a prohibition to store high resolution imagery and related mapping data outside the country and justifies this restriction on security grounds. It is reported that the prohibition led to a competitive disadvantage for international online map services, since their locally-based competitors are able to provide several services (such as turn-by-turn driving/walking instructions, live traffic updates, interior building maps) that international service providers cannot.

In 2014, Korea increased fees for all visa and immigration-related applications and services. The majority of the fees were increased by 100%.

Foreign workers wishing to change workplace are only allowed to do when:
- there is a closing of business
- in case of delayed payments of wages
- in case of other “justifiable reason”