In Force
ICT service providers, E-commerce, Financial services, Healthcare

Act on Information and Communications Network Utilization and Information Protection

Also known as: ICN Act (South Korea)

South Korea's primary law governing cybersecurity for information and communications networks. Requires information security management systems (ISMS), mandates incident reporting, prohibits unauthorized access, and regulates spam and malicious code.

Jurisdiction
South Korea
Regulator
Effective
7/1/2001
Sector
ICT service providers, E-commerce, Financial services, Healthcare

Full Text / Summary

South Korea's Act on Promotion of Information and Communications Network Utilization and Information Protection (Network Act), substantially amended in 2020, is a foundational cybersecurity and data protection law. The Act regulates information and communications service providers (ICSPs), requiring them to implement technical and managerial security measures to protect user information. Key provisions include: mandatory security measures for ICSPs handling personal information; breach notification to users and the Korea Internet & Security Agency (KISA) within 24 hours; prohibition on collecting sensitive information without explicit consent; requirements for data minimization and purpose limitation; and obligations for cross-border data transfers. The 2020 amendments strengthened enforcement by increasing fines to up to 3% of annual revenue for major violations and introduced the concept of "data fiduciary" obligations. The Act is enforced by the Korea Communications Commission (KCC) and the Ministry of Science and ICT (MSIT), with KISA providing technical support and guidance.