Practice Areas

AI/IT

The AI/IT field is developing rapidly and legal risks are becoming more complex, so it is advisable to respond quickly to a variety of legal issues, including regulation, compliance, and dispute response.

CONTENTS
  • 1. AI/IT | Need for a Corporate Compliance System
    • AI/IT | What Is AI?
    • AI/IT | What Is IT?
  • 2. AI/IT | Corporate Legal Risks
    • Duty to Comply with AI Ethics and Legislation
    • Personal Information Protection and AI Data Use
    • Algorithmic Bias and the Duty of Non-Discrimination
    • AI Copyright and Data Ownership Issues
    • Cybersecurity and Prevention of Personal Data Breaches
    • Fair Trade Act Risks in Platform Businesses
  • 3. AI/IT | Compliance Review Guide
    • The Legal Liability Framework for Artificial Intelligence Services
    • Personal Data Protection and the Duty to Manage AI Data
    • Terms of Service and User Notice Obligations for AI/IT Services
    • Copyright Protection of AI Output and Content and the Risk of Infringement
    • Regulation of Cross-Border Transfers of Personal Data in the AI/IT Sector
    • Advertising and Labeling Obligations of AI/IT Operators
  • 4. AI/IT | Daeryun's Assistance
    • AI/IT Company Compliance Review Checklist

1. AI/IT | Need for a Corporate Compliance System

Along with the dramatic development of AI/IT technology, domestic and international legal systems are also being put in place quickly.

In particular, legal risks such as AI involvement in decision-making, data use, algorithmic bias, personal information protection, fair-trade issues in platform business, and cybersecurity affect overall corporate management.

Failure to fulfill AI/IT-related legal obligations may result in serious disadvantages such as penalty surcharges, criminal punishment, administrative fines, civil lawsuits, and restrictions on business permits, so the need for each company to establish a systematic compliance system is growing.

AI/IT | What Is AI?

AI stands for 'Artificial Intelligence' and refers to technology that enables computers to think and learn like people.

It includes various technologies such as machine learning, natural language processing, speech recognition, and image recognition, and it increasingly affects many industries.

AI can learn, predict, and make decisions on its own based on data.

AI/IT | What Is IT?

IT stands for 'Information Technology' and refers to technology that supports the collection, storage, transmission, and processing of information, covering technologies related to computers, software, and networks as a whole.

IT has established itself as a key element that raises corporate operational efficiency, improves the customer experience, and brings innovation to various industries.

2. AI/IT | Corporate Legal Risks

AI/IT technology is a field that requires a high level of expertise and technical understanding, so both the technical aspects and the legal requirements must be considered.

In particular, new legal requirements regarding personal information protection, intellectual property rights, and AI continue to be added, so expert advice is indispensable for a company that wants to minimize legal risks.

Duty to Comply with AI Ethics and Legislation

A company that develops or operates AI-based services or systems must uphold AI ethical principles and ensure explainability, non-discrimination, and transparency.

The 2024 EU AI Act, the Korean AI Framework Act (legislative notice), and the NIST AI Risk Management Guidelines also require AI transparency, prevention of data bias, and algorithmic explainability as mandatory standards.


When developing an AI model, a company therefore needs to ① check the dataset for bias in advance, ② prepare documentation that secures AI explainability, ③ introduce an AI ethics verification process, and ④ designate an AI officer and operate an ethics committee.

Personal Information Protection and AI Data Use

When developing or operating AI, if personal information is collected, analyzed, or used, the Personal Information Protection Act, the Network Act, and the like must be complied with.

In particular, when personally identifiable information, video, or location information is collected as AI training data, failure to meet the consent and de-identification requirements is subject to penalty surcharges and criminal punishment.


A company therefore needs to ① conduct a privacy impact assessment of the AI training dataset, ② make the consent form for the collection and use of personal information specific, ③ take de-identification measures and review their adequacy, and ④ introduce Privacy by Design for the AI system.

Algorithmic Bias and the Duty of Non-Discrimination

If an AI service produces unintended algorithmic discrimination based on race, gender, age, or place of origin, the company may face public criticism and legal sanctions.

Companies therefore need to ① operate processes for analyzing AI decision-making outcomes and reviewing bias, ② establish criteria for checking algorithmic fairness, ③ build datasets that mitigate bias risk, and ④ conduct regular AI ethics audits.

AI Copyright and Data Ownership Issues

Questions over the attribution of copyright in AI training data and generative AI content, along with infringement issues, arise frequently.

Whether AI-generated content is protected by copyright, whether others' works may be used for training without authorization, and to whom the rights in AI output belong are the main points at issue.

To guard against these risks, companies need to ① review rights and manage licenses when collecting AI training data, ② enter into agreements on the attribution of rights in AI output, ③ review in advance whether AI training data infringes copyright, and ④ clarify rights-attribution clauses within the terms of use for AI content.

Cybersecurity and Prevention of Personal Data Breaches

If an AI system or IT service suffers hacking, ransomware, or a personal data breach, criminal punishment and liability for damages may arise under the Network Act and the Personal Information Protection Act.

Cybersecurity responses are particularly important for companies that operate AI-based SaaS services, cloud infrastructure, or smart factories.


For this purpose, companies need to ① obtain Information Security Management System (ISMS) certification, ② conduct vulnerability assessments of AI systems, ③ establish a response manual for AI security threats, and ④ build a personal data breach response scenario in preparation for incidents.

Fair Trade Act Risks in Platform Businesses

If a platform or IT company abuses a superior bargaining position over its participating vendors or content suppliers, manipulates advertising fees or search rankings, or unilaterally changes transaction terms, it may face penalty surcharges and corrective orders under the Monopoly Regulation and Fair Trade Act.

Ensuring the fairness of AI algorithm-based recommendation, advertising, and pricing systems is a particular concern.


To address this, companies should ① secure algorithmic transparency, ② use standard contracts with participating vendors, ③ review platform transactions for unfair practices in advance, and ④ operate a voluntary compliance program for fair platform trade.

3. AI/IT | Compliance Review Guide

Companies operating AI/IT businesses can use the following compliance review guide to guard against legal risks.

The Legal Liability Framework for Artificial Intelligence Services

Services that use artificial intelligence (AI) carry various legal risks, including the question of how the rights in 'AI output' are attributed and violations of 'AI ethics' norms.

When AI automatically provides decisions to users or is used for entering into contracts, screening loans, calculating insurance rates, or evaluating personnel, it becomes important to determine who bears legal liability when a faulty decision causes consumer harm.

Korea has not yet enacted a clear AI statute, so the question of who is responsible for an AI service is examined under existing laws such as the Personal Information Protection Act, the Monopoly Regulation and Fair Trade Act, and the Copyright Act.

Companies should review the decision-making structure of their AI algorithms, whether the data is biased, and the potential for misuse or abuse, and they should prepare terms of service and notice procedures for the AI service to limit their legal liability.

Introducing an AI ethics committee and an AI impact assessment report system is also an effective way to prevent legal disputes.

Personal Data Protection and the Duty to Manage AI Data

When personal data and de-identified data are collected and used to improve the performance of an AI service, the Personal Information Protection Act and the Network Act must be observed.

When personal data is used as AI training data, obligations arise such as obtaining the data subject's consent, clarifying the purpose of collection and use, prohibiting use beyond that purpose, and entering into a processing-entrustment agreement.

Companies can prevent legal disputes by building systematic data governance, including conducting a 'personal data impact assessment' on AI training data and operational data, complying with 'data pseudonymization guidelines,' and disclosing an 'AI data processing policy.'

Terms of Service and User Notice Obligations for AI/IT Services

IT services such as AI-based recommendation services, automated decision systems, and data-driven analysis services can significantly affect consumers, so they carry obligations regarding terms of service, user consent procedures, and notice of service limitations.

Companies should clearly state whether an AI recommendation or decision is merely reference information or a decision that entails legal or economic obligations, and they should give notice that the AI service may malfunction or contain errors.

Neglecting this may lead to liability for consumer compensation and damages as a violation of the Electronic Commerce Act.

Companies are therefore advised to revise the terms of use for their AI and IT services and to clearly include legal disclaimer clauses and statements of service limitations.

Copyright Protection of AI Output and Content and the Risk of Infringement

For text, images, audio, and video generated by AI, the legal issues are the requirement of creativity, the attribution of authorship, and whether copyright protection applies.

Under Korean law, AI is not a natural person and so is not recognized as a creator, and the rights in the output are likely to be attributed to the person or legal entity that operated the AI.

Even so, copyright infringement may occur when AI learns from a third party's work and transforms, reprocesses, or reproduces it in a similar form.

Companies must put in place procedures to review the legality of AI training data, the possibility of registering copyright in the output, whether third-party rights are infringed, and licensing.

They should also set up disclaimer clauses for AI-generated content and procedures for handling requests to delete or modify content in advance.

Regulation of Cross-Border Transfers of Personal Data in the AI/IT Sector

As AI and IT services become global, it is increasingly common to store personal data on overseas cloud servers or to share data with foreign service providers.

In such cases, several procedures must be carried out under the Personal Information Protection Act, including obtaining the data subject's consent, giving notice of the purpose of the cross-border transfer and of the recipient's information, conducting an adequacy assessment, and establishing a protective-measures plan.

Companies can control the risk by identifying the data subject to cross-border transfer, entering into a transfer agreement, conducting a cross-border transfer impact assessment, and establishing a data protection measures plan, and they should also regularly review the level of protective measures of the overseas cloud provider.

Advertising and Labeling Obligations of AI/IT Operators

AI recommendation services, AI shopping malls, app services, and the like must observe online advertising and labeling rules.

False, exaggerated, or deceptive advertising, advertising that misuses personal data, and failure to label AI auto-recommendation services that are effectively advertising content are subject to penalty surcharges and criminal punishment as violations of the Act on Fair Labeling and Advertising.

Because AI-based advertising solutions carry out automated targeting and personalized advertising, they are more likely to mislead consumers, so the company should clearly state that the content is an advertisement and obtain user consent.

Companies should organize their advertising copy, labeling methods, transparency of the AI recommendation process, scope of targeted consumers, and explanatory materials for the AI algorithm to head off the risk of violations.

4. AI/IT | Daeryun's Assistance

Daeryun Law Firm does not stop at the mere adoption of technology; it closely analyzes the legal risks that may arise and provides tailored legal advice.

The firm also stays informed of the latest regulations and policies and forms a task force of attorneys with extensive practical experience to assist clients.

If you need advice, we encourage you to work with a corporate attorney and receive tailored legal support at every stage of converged and integrated services that use AI and IT.

We will help meet all of a company's legal requirements and secure both technological innovation and legal stability so that it can lead the way in the AI era.

AI/IT Company Compliance Review Checklist

1. Legal Compliance Matters for AI Service Development and Operation
□ Whether the AI service terms of use and personal data processing policy give notice of the AI automated decision function and its limitations
□ Whether AI ethics norms and an AI human rights impact assessment procedure have been introduced
□ Whether discrimination, bias, or distortion in the development and operation of AI algorithms is checked and whether a risk management system is in place

2. Personal Data Protection and Data Management
□ Whether it has been confirmed that AI training data contains personal data and whether consent forms have been secured
□ Whether procedures for de-identification, pseudonymization, and prohibition of use beyond the stated purpose are observed
□ Whether a personal data processing-entrustment agreement and a system for managing entrustees are in place

3. Legal Protection of AI Output and Copyright Risk
□ Whether the attribution of copyright in AI-generated content has been organized and internal guidelines have been prepared
□ Whether lawful licenses have been secured for the original works the AI learns from
□ Whether procedures are in place to respond to user requests to delete or modify AI content
□ Whether legal disclaimer clauses regarding AI output are stated in the terms of service

4. Compliance with AI/IT Service Advertising and Labeling
□ Whether AI-based recommendation, automated decision, and advertising services display and give notice of their advertising nature
□ Whether advertising is checked in advance for false, exaggerated, or deceptive content and for copy that may mislead users
□ Whether consent forms for the collection and use of personal data in personalized targeted advertising have been secured

5. Establishment of an AI/IT Ethical Management System
□ Whether AI ethics norms and an internal AI ethics committee are operated
□ Whether regular risk assessments of the social impact and the human rights and discrimination risks of the AI service are conducted
□ Whether an AI ethics review report is prepared and disclosed externally

6. Information Security and Security Management
□ Whether regular security vulnerability assessments of AI/IT systems and a risk response system are operated
□ Whether a response manual and an emergency response team are in place for data breach incidents

Daeryun's Key Strengths

  • Daeryun's exclusive AI · IT litigation strategies
  • Over 260 key members
  • 1,200+ cases handled monthly

* January 2026 Bar Association Transit Permit Issuance Criteria

* Complies with Korean Bar Association Advertising Regulations Article 4 Paragraph 1
