In Korea, discussions on the regulation of distributed ledger technology (DLT), blockchain and cryptocurrency have been mainly engaged in the financial sector. DLT is practically used as the same term as blockchain – the Bank of Korea (BoK) deems blockchain identical to DLT, and the Financial Services Commission (FSC) and the Financial Supervisory Services (FSS) consider blockchains as:
'distributed digital ledgers where transaction data is shared among all participants, which is contrary to conventional methods where the data is stored and preserved in a centralised server'.
The Korea Financial Telecommunications and Clearing Institute (KFTC) considers blockchain technology as:
'a technology which secures massive computing capability by collecting computing resources from distributed networks and uses the same to process and verify all tasks without a centralised server'.
Smart contracts were first introduced by a computer scientist named Nick Sazbo in 1994. They refer to a sort of computer programming code which automatically executes, verifies and performs certain contracts. Smart contracts have become popular since ethereum adopted the smart contract concept in its blockchain platform. In particular, smart contracts utilising blockchain technology cannot be forged or falsified due to mutual monitoring between network participants, and therefore, could establish a system where contracts are executed, managed and performed safely from forgery or falsification on a peer-to-peer (P2P) basis without a third-party intermediary (eg financial institution, notary or lawyer). As contracts are drafted with computer commands, they are performed automatically without additional costs when certain terms are met. As shown in the foregoing, smart contracts utilising blockchain allow safe execution and performance of contracts based on trusts established at small costs.
Korea does not have particular laws or regulations covering DLT, blockchain or smart contracts. The industry feels the need for separate legislation such as a framework act on development of the blockchain industry or an act on smart contracts. For your information, there are active efforts to legislate separate laws on cryptocurrency which utilises the blockchain technology. The National Assembly bills has proposed bills for the amendment of the Electronic Financial Transactions Act, for a special act on virtual currency and for an act on cryptocurrency transactions.
Although Korea does not have particular regulations covering DLT, blockchains or smart contracts, due to the unique nature of these technologies, certain uses of these technologies may partially conflict with Korean privacy regulations, especially when processing personal information recorded in the blockchain. Furthermore, smart contracts partially conflict with Korean contract regulations. Therefore, in order for these technologies to be actively utilised, such potential conflicts must be addressed and resolved first through legislation.
Conflict with privacy regulations
Korean privacy regulations are very complex. The applicable laws include the Personal Information Protection Act (PIPA), the Act on Promotion of Information and Communications Network Utilisation and Information Protection (the Network Act), which is designed to protect information of online users, and the Credit Information Use and Protection Act (the Credit Information Act), which is designed to protect personal credit information. Conflicts between blockchain technology and these privacy regulations are as follows:
- Firstly, privacy regulations define personal information as: 'information relating to a living individual that makes it possible to identify the individual by, among others, his/her full name, resident registration number and image (including information which, if not by itself, makes it possible to identify any specific individual if combined with other information)'. As such, a question may arise whether the information recorded in blockchains for various services utilising the technology is deemed personal information. For example, some cryptocurrencies require only public keys (ie cryptocurrency wallet addresses, and not identification information such as full names, telephone numbers or emails). In this case, only the transaction counterparty and the exchange would be able to identify the individual. Therefore, in this case, it may be debatable whether such cryptocurrency wallet addresses can be deemed personal information identifying the individual.
- Secondly, blockchains are divided into (i) public blockchains where random individuals may participate and (ii) private blockchains where only certain organisations or institutions may participate. There is no centralised information controller in public blockchains because all network participants share information via distributed ledgers. In this case, it is uncertain who the personal information controller (to which privacy regulations apply) is.
- Thirdly, in private blockchains, only participating organisations or institutions may be the personal information controller. While specific applicable laws may differ by the nature of the relevant personal information, the PIPA, the Network Act and the Credit Information Act consistently provide that the personal information controller must as a rule obtain consent from data subjects in advance of collecting, using or transferring his or her personal information. As the blockchain technology presupposes that information is shared among network participants, the personal information controller may have to obtain data subjects' consent to transfer of personal information to a third party. Applicable laws provide that the controller has to specify the recipient when asking for such consent. There could be a controversy on whether the controller has to obtain a new consent in case there is any new network participants after such consent already has been obtained. This issue can be resolved only if the personal information controller is able to obtain a comprehensive consent to transfer of information to third parties without specifying the recipient.
- Fourthly, the PIPA prevails over other applicable laws with regard to the process of resident registration numbers. Pursuant to the Act, the processing (including collecting, using and transferring) of resident registration numbers is forbidden even with the data subjects' consent unless it is legally required or permitted as an exception. Even if there is a legal ground to process resident registration numbers in individual cases, since the numbers are shared among network participants when recorded on blockchains, it should be examined if there is a legal ground to transfer the numbers to third parties as well. In addition, as there is an ongoing criminal lawsuit in Korea involving sharing of hashed resident registration numbers, there still could be risks even if the numbers are transferred after being hashed.
- Finally, privacy regulations provide that personal information shall be destroyed without delay when it is no longer needed because its retention period has expired or its purpose has been achieved, and when destroying such information, electronic files shall be permanently destroyed so that it cannot be restored. However, due to the integrity and irreversibility of blockchain where data is stored in connection with blocks, how to destroy personal information could become an issue. In this regard, technical solutions to address such issue are being discussed and developed, such as encryption of personal information into keys followed by destruction of such keys.
Conflict with contract regulations
In a smart contract, when a party writes and publishes a program (ie code), it could be deemed a declaration of intention to offer, and when the counterparty performs the terms, it could be deemed a declaration of intention to accept, and accordingly, the contract is automatically executed and performed. In this case, the following questions may arise with regard to the interpretation and application of the Civil Act.
Under the Civil Act, legal acts contrary to social order or unfair juristic acts shall be null and void. However, with smart contracts, contracts which became null and void on such a basis may still be automatically performed. This could complicate certain legal procedures such as claim for return of undue profit.
A smart contract is drafted using codes in which the contractual parties' intention is reflected (a proposal). If, however, such parties' intention is incorrectly reflected in the codes, there may certain complications in terms of withdrawal or revocation of such smart contract. If the proposal is deemed the declaration of intention, it may be withdrawn before the counterparty performs the terms, and may be voidable on the ground of mistake after the terms are performed. However, the Civil Act allows the revocation of a declaration of intention only when there is no gross negligence on the declarant's part and the counterparty was not acting in good faith. In the case of a smart contract, however, it is debatable how to determine such gross negligence or good faith based on the interpretation of the codes used in such smart contract.
Various consumer protection laws introduce a system where consumers may withdraw their offer. However, it is questionable whether such system would work properly in smart contracts as well. As smart contracts are automatically performed when the terms are met, there could be controversies on whether consumers can withdraw their offer, and even if they can, whether it is actually possible to retrieve the benefits already paid.
Utilising DLT, blockchain or smart contracts in Korea
Some Korean financial organisations have utilised private blockchains. For example, in November 2017, the Korea Financial Investment Association introduced an authentication service based on blockchain. Eleven securities companies have participated in such authentication service.
As for smart contracts, a life insurance company has introduced an automatic medical expense insurance claim service based on blockchain technology in conjunction with some hospitals and clinics. When customers receive treatment in a hospital or clinic, if they meet certain conditions for insurance proceeds, a claim for insurance proceeds, along with a copy of the medical records, is automatically filed through blockchain-based certification even when the customers do not file it themselves.
In order for DLT, blockchain and smart contracts to be actively utilised in Korea, the above legal issues should be first resolved through legislation or guidelines from regulatory authorities. To this end, there should be sufficient discussions on how to regulate the blockchain technology based on full understanding of it.
|About the author|
Joon Young Kim
Joon Young Kim is an attorney at Kim & Chang. His practice focuses on insurance, e-finance and fintech, non-bank financial companies, corporate governance, M&A and foreign direct investment.
Mr. Kim regularly advises financial industry clients including insurance, e-finance and fintech, and non-bank financial companies on regulatory, governance, and corporate law issues. He has also successfully advised clients in disputes and litigation, as well as in responding to inquiries or investigations from relevant government regulators. Mr. Kim has extensive experience in corporate governance, mergers and acquisitions, and foreign direct investment matters, particularly for clients in the financial industry. He also regularly advises on legal issues relating to the latest innovations and technology such as blockchain technology, cryptocurrency and cloud computing.
|About the author|
Seung Jae Yoo
Seung Jae Yoo is a foreign attorney within the finance department at Kim & Chang. He has extensive experience in cross-border M&A, capital markets and other projects.
Throughout his career, Mr. Yoo has been actively involved in many high-profile transactions in Korea or relating to Korean businesses including banking, automobiles, heavy industry & shipbuilding and other sectors.
He represents corporate clients and both foreign and domestic financial institutions on various mergers and acquisitions, capital markets and other projects.
|About the author|
Bomi Chen is an attorney at Kim & Chang, who specialises in finance. She primarily provides legal advice on finance IT, electronic financial transaction, personal/financial information protection, credit card regulation and project financing. Ms. Chen's clients include Korean and global financial companies, Korean and global IT service providers.
She majored in electrical engineering. Since joining the firm in 2014, she has advised clients on various legal and technical regulations related to electronic financial transaction and privacy. And she has taken various IT security compliance projects for financial companies.
© 2021 Euromoney Institutional Investor PLC. For help please see our FAQs.