On December 26, 2024, the “Framework Act on the Development of Artificial Intelligence and the Establishment of Foundation for Reliability” (the “AI Act”) passed the plenary session of the National Assembly. The AI Act is expected to take effect around January 2026.
The AI Act that passed the legislature’s final review is almost identical to its previous draft reviewed by the Science, ICT, Broadcasting, and Communications Committee of the National Assembly (“SIBCC”), which passed the SIBCC review on November 26, 2024 (“SIBCC Bill”) (please see our previous newsletter on the SIBCC Bill, Link). Key changes from the SIBCC Bill can be summarized as follows.
|
1.
|
The final version of the AI Act specified situations under which the Minister of the Ministry of Science and ICT (“MSIT”) can conduct fact-finding investigations for potential violation of the Act (Article 40 of the AI Act).
The SIBCC Bill provided authority to the Minister of the MSIT to initiate investigations in cases where (i) the MSIT learns of any actual or potential violation of the AI Act, or (ii) the MSIT receives a report or civil complaint of such a violation. The final version of the AI Act that passed the National Assembly articulated such situations with more details.
|
-
Violation of duty to label content created using generative AI (Article 31, Paragraph (2))
-
Violation of duty to provide notice to viewers or to label “deepfakes” (Article 31, Paragraph (3))
-
Violation of duty to secure safety when the cumulative compute usage in the AI system training surpasses a designated threshold and/or duty to report on measures taken by the service provider to secure such safety (Articles 32, Paragraphs (1) and (2)); and
-
Violation of duty to secure safety and reliability for high-impact AI (Article 34, Paragraph (1))
Upon finding of any violation listed above, Minister of the MSIT may issue an order to suspend or correct the action in violation against the violator (Article 40, Paragraph (3)).
|
2.
|
In the final version of the AI Act, the agency in charge of carrying out government projects to standardize and harmonize various AI technologies is “the government,” without specifying any particular agency (Article 14). Formerly in the SIBCC Bill, the MSIT was to take charge of such projects.
|
The rest of the final version of the AI Act remains in substance largely the same as the SIBCC Bill.
For the implications of the AI Act, please see the table below.
|
Extraterritorial Applicability and Introduction of Domestic Agent Requirement
|
|
Key Details
|
Implications
|
-
Extraterritorial application: The AI Act applies to acts performed outside of Korea if such acts affect the Korean market or users based in Korea (Article 4).
-
Domestic agent: An AI business operator with no domicile or place of business in Korea, whose number of users and/or revenue meets certain criteria, must appoint its domestic agent in Korea in writing and report it to the MSIT (Article 36).
|
–
|
Violation of the AI Act by the domestic agent constitutes a violation by the AI business operator.
|
|
-
AI business operators headquartered in countries outside of Korea but whose market territories include Korea must comply with the AI Act, including appointing its domestic agent if required.
-
Further details on the threshold number of users and sales revenue for appointing the domestic agent will be available under the subordinate regulations to the AI Act, which will be drafted and published in a form of the Presidential Decree.
-
The domestic agent requirement is not unique to the AI Act; other Korean statutes such as the Personal Information Protection Act, Telecommunications Business Act and Network Act also provide analogous domestic agent requirements that apply to offshore service providers doing business in Korea. It remains to be seen whether the domestic agent requirement under the AI Act will be different from those under the existing statutes.
|
|
AI Business Operators’ Duties Relating to High-Impact AI
|
|
Key Details
|
Implications
|
-
High-Impact AI: High-impact AI systems are those that significantly influence or pose risks to the safety of human life and body as well as fundamental rights of individuals, such as AI systems deployed in areas of nuclear, energy, traffic control, and public education (Article 2, Subparagraph 4).
-
Preliminary Review Obligation: AI business operators must assess whether their AI technology qualifies as high-impact AI before deployment. They may request the Minister of the MSIT’s review to confirm (Article 33).
-
Advance Notification Obligation: Any AI deployer who offers products and services using high-impact AI must provide advance notice to end users (Article 31(1)).
-
Safety and Reliability Measures: Anyone who offers high-impact AI systems, including products and services adopting such systems, must implement safety and reliability measures (Article 34).
|
-
The AI Act imposes a high degree of duties on high-impact AI business operators.
-
Upcoming Presidential Decree to the AI Act and relevant regulatory notification from the MSIT will be another important milestone in AI legislation in Korea from a practical perspective, since (i) the decree will articulate the scope of high-impact AI and (ii) the decree and MSIT notification will set forth the measures to take to fulfill the safety and reliability requirement.
-
AI business operators are advised to also review other requirements set forth under the AI Act, such as verification and certification on AI safety and reliability (Article 30(3)) and AI impact assessment (Article 35).
|
|
AI Business Operators’ Obligations Relating to Generative AI
|
|
Key Details
|
Implications
|
-
Advance Notice Obligation: Any AI deployer who seeks to provide products or services based on generative AI must provide an advance notice to end users (Article 31 (1)).
-
Labeling Obligation: AI developers and AI deployers must clearly label their products or services as generative AI or products/services created by generative AI (Article 31(2)).
-
Deepfake Content: AI deployers must ensure that any “deepfake” content they provide bears relevant labels (Article 31(2)).
|
–
|
As a limitation, service providers have more flexibility in the way they label their deepfake content if the content is an “artistic or creative expression,” to ensure fair appreciation of such expressions.
|
|
|
|
Requirements for AI Systems Developed with a Significant Cumulative Amount of Compute Used for Training
|
|
Key Details
|
Implications
|
-
High Performance AI: For AI systems where the cumulative compute used for training surpasses a certain threshold (to be provided under the Presidential Decree), the AI Act requires AI business operators to identify, assess, and mitigate risks throughout the AI life cycle, and establish a risk management system (Article 32).
|
|
|
Fact-Finding Investigations, Suspension/Corrective Orders, and Imposition of Administration Fines
|
|
Key Details
|
Implications
|
|
|
|
The AI Act is the first statute to govern legal requirements specific to AI technologies and products. It distinguishes between various parties subject to its obligations, categorizing them as “AI business operator,” “AI developer,” and “AI deployer.” As such, companies should assess their current or planned AI-based services to determine their applicable category and establish a tailored compliance strategy in advance.
Further, upcoming legislations on subordinate regulations, such as Presidential Decree and MSIT notifications, will play a critical role in clarifying key statutory provisions in the AI Act. Industry stakeholders are thus advised to closely monitor these legislative developments.
[Korean Version]
