Experiments with Cyberlaws in Korea

Chan-Mo CHUNG <cmchung@sunnet.kisdi.re.kr>
Korea Information Society Development Institute
Korea

Abstract

Korea is one of the pioneering countries that enacted the Electronic Commerce Act, the Digital Signature Act, and other cyberlaws. This paper reviews these acts.

Introduction

Although the Korean domestic electronic commerce market is still in the initial stage, it is rapidly expanding. The National Computerization Agency of Korea forecasted that the size of the e-commerce market would increase from $60 million in 1998 to $3,150 million in 2002.[1]

With the rapid expansion of e-commerce, nations began to review the methodology, practices, and rules applicable in conventional transactions and to adjust their legal settings to create an environment more conducive to e-commerce. The Government of Korea enacted in February 1999 the Electronic Commerce Act, the Digital Signature Act, and the Act on the Promotion and Protection of the Information Infrastructure with a view to promoting e-commerce and lending digital transactions legal predictability and stability.

These acts entered into force on July 1, 1999. Some provisions have been criticized for their ambiguity, overreach, redundancy, and remaining loopholes. These cyberlaws, however, have laid down the legal foundation for enabling secure electronic transactions in the public and private sectors.

Electronic Commerce Act

Principles

Coverage

Article 3 of the Electronic Commerce Act states that this law shall apply to all transactions using electronic messages. This signifies that the law covers not only private activities but also public activities. In order to emphasize this point, some would prefer the term "electronic transactions" to the term "electronic commerce." However, "electronic transactions" is defined as meaning transactions using an electronic message that deal with the whole or part of trading of goods or services.[2] This in fact excludes the administrative activities and the exercise of public authority from the coverage of the act, leaving only government activities of a commercial nature. Therefore, it does not seem to matter which term is used.

Functional equivalence

Except where other laws specifically provide otherwise, electronic documents have the same legal effect as written paper documents, and digital signatures are as valid as signatures written on paper documents.[3] Note, however, that only a digital signature certified by an accredited certification authority is regarded as a valid signature or seal as prescribed by the relevant laws.[4] The law says nothing about the effect of a digital signature certified by a nonaccredited certification authority. The validity of signatures in the latter category should also be recognized when (1) a method is used to identify a person and to indicate that person's approval of the information contained in the data message, and (2) that method is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in the light of all the circumstances, including any relevant agreement. Until the act is revised to clarify this point, which I think is necessary, the courts should rule in this direction.

Technology neutrality

Definitions of "electronic message" and "digital signature" in the Electronic Commerce Act[5] are articulated in a technologically neutral way so that various means of electronic communication and authentication can be covered. However, as mentioned before, the recognition of the validity of digital signatures is limited to those certified by the accredited certification authority.[6] This, combined with the following definition in the Digital Signature Act, further confines the scope of the legal recognition of the validity of digital signatures to those using a specific cryptographic technology:

Article 2 [Definitions]

2. "Digital signature" means information, which is unique to an electronic message, created by a private key using asymmetric cryptography so that the identity of a person generating the electronic message and the possible alteration of the electronic message can be verified.

Party autonomy

Article 4 of the Electronic Commerce Act [Variation by Agreement] recognizes that the provisions concerning time and place of dispatch and receipt of information, attribution, and acknowledgement of receipt may be varied by an agreement between the originator and the addressee unless the law provides otherwise.

Other provisions of the Electronic Commerce Act

Article 7 states that an electronic message shall not be denied admissibility as evidence in court or any other legal proceedings on the ground that it is in an electronic form. Where the law requires that certain documents or records be retained, that requirement is met by retaining electronic messages, provided that the following conditions are satisfied:[7]

  1. The information contained therein is accessible.
  2. The electronic message is retained in the format in which it was generated, sent, or received, or in a format that can be demonstrated to represent accurately the information generated, sent, or received.
  3. Information that enables the identification of the origin and destination of an electronic message and the date and time when it was sent or received is retained.

The parties to electronic transactions must obtain explicit consent of the data subject before collecting personal information on him or her in matters related to e-commerce and shall not use the collected information for purposes other than conducting electronic transactions.[8]

The provisions mentioned up to now closely follow the guidance of the 1996 UNCITRAL Model Law on Electronic Commerce except for some departure from the principle of technology neutrality as to the digital signature technology. The Korean law includes other provisions concerning the promotion of electronic commerce and consumer protection.

In order to protect consumer rights, the Electronic Commerce Act requires service providers to make available enough information for users.[9] The guidelines for damage payment in Article 12(2) of the Consumer Protection Act apply to electronic commerce as well.[10]

While the electronic traders may in principle use cryptography to ensure the security and reliability of electronic commerce, the government has inserted a provision under which it may restrict the use of encryption technology and take necessary measures to gain access to the original encoded information or encryption technology when it is deemed necessary for national security, etc.[11]

In order to support the private initiatives in building infrastructures necessary for e-commerce, the Electronic Commerce Act stipulates that the government shall organize a Policy Review Committee on E-commerce and establish a Korea Institute for E-commerce.[12] The latter will carry out research activities on e-commerce and study dispute settlements with a view to developing redress mechanisms and helping fair trade practices take firm root.

The Digital Signature Act

Overview

The Digital Signature Act is divided into six chapters: General Provisions (Chapter One), Accredited Certification Authorities (Chapter Two), Certificate (Chapter Three), Achievement of Security and Reliability of Certification Practice (Chapter Four), Supplementary Provisions (Chapter Five), and Penal Provisions (Chapter Six).

Chapter One defines "digital signature" as information created by a private key using asymmetric cryptography and recognizes the legal validity of digital signatures.[13]

With a view to laying out the legal settings for the secure use of digital signatures, Chapter Two introduces the accredited certification authorities system and stipulates standards to be met by the authorities in order to deliver appropriate and consistent certification services.[14]

Chapter Three stipulates the information that a certificate must contain and details of the procedures for the issuance, suspension, and revocation of a certificate.[15]

In order to achieve the safety of digital signatures and the easy settlement of disputes, Chapter Four requires the certification authorities to maintain a secure and reliable certification system and to manage securely the private key and certificate-related records. The act prohibits the fraudulent use of other people's private keys and the receiving of a certificate in the name of another person.[16] It also contains data protection provisions,[17] which are discussed in detail later.

The Korea Information Security Agency is responsible for creating a secure environment for digital signatures and managing the certification authorities.[18]

The Digital Signature Act includes provisions on mutual recognition with foreign certification authorities with a view to promoting e-commerce through global harmonization.[19]

Comments

Coverage of the Digital Signature Act is not necessarily the same as that of the Electronic Commerce Act. That is, while the administrative activities and the exercise of public authority are excluded from the scope of the Electronic Commerce Act, they are not excluded from the scope of the Digital Signature Act.

The Digital Signature Act of Korea adopted a technology-specific approach dealing mainly with the asymmetric (public-key) cryptography. Although this is a practical approach following the first generation of digital signature laws,[20] it is an aberration from the more recent technology-neutral approach adopted by EC Directive[21] and UNCITRAL Draft Uniform Rules.[22] There is growing criticism on this point.

As to the legal effect of digital signatures, Article 3 of the act stipulates that a digital signature created by a private key that corresponds to a public key listed in a certificate issued by an accredited certification authority shall be considered a signature or signature-seal required by the law. It shall be rebuttably presumed that such a digital signature is the signature or signature-seal of the person to whom the respective electronic message correlates and that the respective electronic message has not been altered after being digitally signed. However, it is not clear whether the authentication authority can notarize digitally signed documents.
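The Article 2 definition quoted earlier (a signature created by a private key using asymmetric cryptography) and the two Article 3 presumptions (attribution to the holder of the private key matching the public key listed in the certificate, and no alteration after signing) in working form, as an added example that is not part of the paper or of any Korean certification authority's software. It assumes ECDSA over P-256 with SHA-256, and a self-issued certificate standing in for one issued by an accredited certification authority.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Subscriber holds a private key; Cert lists the matching public key. The
// certificate is self-issued here (a constructed stand-in for a certificate
// issued by an accredited certification authority under Article 15).
type Subscriber struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewSubscriber generates a P-256 key pair and a certificate listing the public key.
func NewSubscriber(name string) (*Subscriber, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Subscriber{Key: key, Cert: cert}, nil
}

// Sign creates the "information unique to an electronic message" of Article 2:
// a SHA-256 digest of the message signed with the subscriber's private key.
func (s *Subscriber) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, s.Key, digest[:])
}

// VerifyAgainstCertificate tests the two Article 3 presumptions: the signature
// was made with the private key matching the public key listed in cert
// (attribution), and the message is unchanged since signing (integrity).
// A signature made with another subscriber's key or over an altered message fails.
func VerifyAgainstCertificate(cert *x509.Certificate, msg, sig []byte) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("certificate does not list an ECDSA public key")
	}
	digest := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match this message and certificate")
	}
	return nil
}
```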

Unlike the Electronic Commerce Act, the Digital Signature Act does not stipulate the principle of party autonomy. This is because the provisions in which party autonomy plays a role (i.e., presumption of signing and original) are stipulated in a highly simplified manner in just one article. Other provisions of the act are of a regulatory nature concerning accredited certification authority and certificates. Despite the lack of explicit mentioning of party autonomy, the parties are free to use other forms of electronic signatures.

The act does not have provisions concerning limitations in reliance on electronic signatures and certificates.[23]

Online Data Protection

Privacy provisions in the Act on the Promotion and Protection of the Information Infrastructure

The following are the data protection provisions of the 1999 Act on the Promotion and Protection of the Information Infrastructure (hereafter, the 1999 Act), which were drafted under the influence of the 1980 Organization for Economic Cooperation and Development privacy guidelines and the German Online Service Data Protection Act (Teledienstedatenschutzgesetz [TDDSG]) of 1997.[24]

  1. The processor should obtain only the minimum amount of personal data required for the provision of the services (Art. 16(1)).
  2. Unless data processing is necessary for the execution of a contract and for billing for the service provided, the consent of the data subject to the data processing is required (Art. 16(2)).
  3. A personal data file should be deleted once the processor has achieved the purpose of the data processing (Art. 17(3)).
  4. Technical measures should be taken to safeguard the security of data processing (Art. 16(4)).
  5. The purpose of the data processing and the party to whom the data is transferred should be notified to the data subject (Art. 16(3)).
  6. The data subject has the right to access any personal data about him or her and the right to request correction of any incorrect data (Art. 18(2)).
  7. The processor cannot use incorrect data challenged by the data subject without correcting it (Art. 18(4)).
  8. The processor should designate a controller of personal data (Art. 17(4)).

These provisions apply to telecommunications business operators and others who provide data or facilitate the provision of data over telecommunications networks ("the processor"). Among the information and communication services covered, data filing in electronic commerce is the area the provisions are intended to address. Article 19(3) of the 1999 Act also prohibits unsolicited spam mail. The various data collection practices of Web sites made some data protection principles necessary in this growing area of new business. The legal vacuum in the protection of personal data in the private sector, for instance, spurred the early adoption of these provisions as an alternative to a general law covering the private sector.[25] The privacy provisions of the 1999 Act entered into force on January 1, 2000.

The 1999 Act does not establish an enforcement body. The Ministry of Information and Communication is supposed to review the implementation of the data protection provisions of the act.

Criminal and administrative penalties shall be imposed for breaches of the principles of data protection:

Privacy provisions in the Electronic Commerce Act and the Digital Signature Act

Article 13 of the Electronic Commerce Act provides:

(1) The following persons (hereinafter referred to as the "electronic traders") shall indicate the purpose of data collection to the data subject whose personal information the electronic traders may collect in conducting electronic commerce or related services:

  1. the electronic trading partners;
  2. the certification authority; or
  3. the provider of services with respect to usage of telecommunications facilities or information systems.

(2) Except as specifically provided in any other law, the electronic traders shall not use nor provide any third party with the personal information collected through electronic commerce beyond the purpose of collection without prior consent of the data subject. However, this does not apply where the electronic traders provide the entrusted deliverer with necessary information for the purpose of delivery of goods or services concerned.

(3) The electronic traders shall take security measures to prevent improper access, use or leakage of data that they process, transfer or store.

(4) The electronic traders shall respond without delay to demands by the data subject for access to relevant information, and promptly take necessary measures where the data subject requests the revision or deletion of erroneous data providing substantial evidence.

The Electronic Commerce Act does not have any provision concerning the enforcement of this article.

The Digital Signature Act stipulates the obligation of an accredited certification authority to protect personal data in Article 24 as follows:

(1) An accredited certification authority shall collect personal information to the minimum extent that is necessary in carrying out the certification practice, and shall not collect personal information without the respective person's consent.

(2) No accredited certification authority shall use or disclose collected personal information for any purpose other than certification practice. If, however, other law specifically prescribes otherwise or the respective person consents, the foregoing may not be applied.

(3) When a subscriber requests an access to, or a correction of error in, his or her personal information, an accredited certification authority shall take necessary actions without delay.

(4) Any person who is, or was, engaged in the certification practice shall not disclose, or provide for a third party, other person's personal information obtained ex officio.

Any person shall be subject to imprisonment of up to one year or a fine of up to 10 million won:

Any person shall be subject to an administrative fine of up to 5 million won:

Some problems

A major overhaul of the data protection laws has been called for in Korea:[30] the adoption of a single act covering both the public and the private sector, and the transformation of privacy rights from a passive "right to be let alone" to an active "right to control the usage of one's personal information." This request for a structural and philosophical revision of the existing data protection laws has not produced tangible results, but it has led to a comparatively early start in online data protection.

Did haste make waste, though? We can easily notice that the online data protection provisions of the three laws overlap, with the 1999 Act having the largest scope and the Digital Signature Act the narrowest. This redundancy shows, firstly, insufficient interaction among the drafters of the three online laws, and secondly, the intention of the relevant ministries to keep hold of their respective realms (i.e., policing information privacy in each area).

Another point that should be noted is the lack of an independent regulator. None of the Korean laws related to personal data protection introduces an independent data commissioner. This may reflect the drafters' intention not to create a new bureaucratic body, or the ministries' desire not to give up even a fraction of their influence. The efficacy of the online data protection provisions therefore depends on the data subjects' awareness of their privacy rights and their willingness to exercise them despite time-consuming court procedures. However, considering Korea's tradition of weak data protection, it would be advisable to appoint an independent data protection commissioner in order to bring the data protection laws from the programmatic level down to the pragmatic level. The commissioner might promote voluntary privacy compliance by data holders, support data subjects in exercising their rights, review the state of data protection, and lay down implementing guidelines for each specific case.

Conclusion

The greatest significance of the Electronic Commerce Act and the Digital Signature Act is that they provide a stable legal platform for the merchants and buyers so that they can use digital media in commerce with confidence.

As a result of the implementation of the Electronic Commerce Act and the Digital Signature Act, related businesses are expected to grow. The accredited certification authorities will be designated following the adoption of the Digital Signature Act. It is likely that the Korea Financial Telecommunications & Clearing Institute and the Korea Securities Computer will be selected as the accredited certification authorities in finance and securities service, respectively. In addition, the Korea Information Certificate Authority, a consortium of 22 private companies, was recently founded. These three accredited certification authorities were expected to start providing certification services in the first half of 2000.

Since nonaccredited organizations can carry out certification services under the Digital Signature Act, a number of small and medium-sized nonaccredited certification authorities will coexist as the demand for certification services increases in the future.

In order to make the information society humane as well as efficient and convenient, efforts to protect individuals' rights should be pursued. Online data protection is just one example of these efforts.

References

[1] National Computerization Agency, Analysis of Success Factors of B-to-C E-Commerce and Development Strategies, 1999.

[2] Paragraph 4 of Article 2.

[3] Articles 5 and 6.

[4] Article 6. Article 3 [Legal Effect of Digital Signature] of the Digital Signature Act also provides:

(1) A digital signature created by a private key that corresponds to a public key listed in the certificate issued by the accredited certification authority in accordance with Article 15 shall be considered as signature or signature-seal required by the law.

(2) With respect to the digital signature pursuant to paragraph 1 hereof, it shall be presumed that such digital signature is the signature or signature-seal of a person to whom a respective electronic message correlates and that the respective electronic message has not been altered after digitally signed.

[5] Article 2 [Definitions]:

1. "Electronic message" shall mean information generated, sent, received or stored by electronic means using electronic data processing devices including computers;

[...]

5. "Digital signature" shall mean a seal affixed in a digital form which is to identify the originator of an electronic message, and to indicate that the electronic message was generated by the originator;

[6] Article 6 [Validity of Digital Signatures]

(1) A digital signature certified by the accredited certification authority pursuant to Article 16 shall be deemed as a valid signature or seal as prescribed by the relevant laws, except as provided otherwise.

(2) An electronic message with a digital signature affixed in accordance with paragraph (1) shall be presumed to have been unchanged after the originator affixed the signature.

[7] Article 8. Certain parts of message required only for the dispatch or receipt thereof may not be deemed as electronic message.

[8] Article 13.

[9] Article 30.

[10] Article 31.

[11] Article 18.

[12] Articles 21 and 22.

[13] Articles 2 and 3.

[14] Articles 4 to 14.

[15] Articles 15 to 18.

[16] Articles 19 to 23.

[17] Article 24.

[18] Article 25.

[19] Article 27.

[20] Germany's Digital Signature Law 1997 (Chapter 3 of the Information and Communications Services Act [Gesetz zur Regelung der Rahmenbedingungen für Informations- und Kommunikationsdienste (IuKDG)]); Illinois' (USA) Electronic Commerce Security Act; Singapore's Electronic Transactions Act 1998.

[21] Directive of the European Parliament and of the Council on a Community framework for electronic signatures, as adopted on 30 November 1999 (PE-CONS 3625/99).

[22] Draft Uniform Rules on Electronic Signatures (A/CN.9/WG.IV/WG.84, 8 December 1999).

[23] See Articles 11 and 12 of the UNCITRAL Draft Uniform Rules on Electronic Signatures.

[24] The act was adopted as Chapter 2 of the Information and Communications Services Act.

[25] Academics proposed to adopt a general privacy law covering the private sector. See Chung Chan-Mo, "International Developments in Data Protection and Some Proposals for Korean Legislation," Korean Journal of Information Society, Fall 1997.

[26] Sentence 2 of Article 32.

[27] Sentence 3 of Article 32.

[28] Sentence 8 of Article 34(1).

[29] Sentence 9 of Article 34(1).

[30] Chung Chan-Mo, "International Developments"; Kim Il-Hwan, "A Study on the Data Protection Act," Public Law 26(2): June 1998; Lee In-Ho, "Trends in the Korean Data Protection Legislation," Road to the Information Society, November 1999.