The purpose of this Act is to provide for basic matters concerning electronic signatures in order to ensure the safety and reliability of electronic documents and to facilitate the use of electronic signatures, thereby accelerating informatization of the nation and the society and enhancing public convenience.
The terms used in this Act are defined as follows:
| 1. | The term “electronic document” means data generated, transmitted, received, or stored in electronic form through an information processing system; |
| 2. | The term “electronic signature” means data in electronic form which are attached to or logically associated with an electronic document for the following purposes: |
| (a) | To identify the signatory; |
| (b) | To verify the fact that the electronic document has been signed by the signatory; |
| 3. | The term “electronic-signature-creation data” means electronic data which are used by the signatory to create an electronic signature; |
| 4. | The term “electronic-signature-creation device” means any electronic means used to implement an electronic signature; |
| 5. | The term “electronic signature certification” means an act of verifying and attesting the fact that electronic-signature-creation data is uniquely linked to a subscriber; |
| 6. | The "certificate" means electronic data verifying and attesting the fact that electronic-signature-creation data is uniquely linked to a subscriber and other relevant information; |
| 7. | The term “electronic-signature certification services” means the business of providing electronic-signature certification services, including electronic-signature certification and management of all records related to electronic-signature certification; |
| 8. | The term “certification-service provider” means a person who provides electronic-signature certification services; |
| 9. | The term “subscriber” means a person who obtains electronic signature certification about his or her electronic-signature-creation data from a certification-service provider; |
| 10. | The term "user" means a person who uses electronic-signature certification services provided by a certification-service provider. |
| Article 3 (Effects of Electronic Signatures) |
| (1) | An electronic signature is not denied legal effectiveness as a hand-written signature, signature and seal, or name and seal solely on the grounds that it is in electronic form. |
| (2) | Where an electronic signature is selected as a means of writing a signature, signature and seal, or name and seal under the provisions of any statute or regulation or an agreement between parties concerned, the electronic signature has the same effect as a hand-written signature, signature and seal, or name and seal. |
| Article 4 (Establishment of Policies for Developing Electronic Signatures) |
The Government shall establish and implement policies on the following matters for the development of electronic signatures by ensuring the safety and reliability of electronic signatures, diversifying electronic-signature-creation devices, facilitating the use of electronic signatures, etc.:
| 1. | Enhancing the reliability of electronic signatures, diversifying electronic-signature-creation devices, and facilitating the use of electronic signatures; |
| 2. | Improving electronic signature schemes and amending related statutes or regulations; |
| 3. | Protecting the rights and interests of subscribers and users; |
| 4. | Promoting the interoperability of electronic signatures; |
| 5. | Developing and standardizing technologies, and training human resources, related to electronic signatures; |
| 6. | Using safe encryption to ensure the reliability of electronic signatures; |
| 7. | International cooperation, including mutual recognition of electronic signatures used in foreign countries; |
| 8. | Safely managing electronic signatures used for public services; |
| 9. | Other matters necessary for the development of electronic signatures. |
| Article 5 (Assistance to Promote Use of Electronic Signatures) |
The Minister of Science and ICT may provide administrative, financial and technical assistance in respect of the following in order to promote the use of electronic signatures:
| 1. | Research and development, utilization and standardization of technologies related to electronic signatures; |
| 2. | Training of professional personnel related to electronic signatures; |
| 3. | Conduct of pilot projects to promote the wide use of various electronic-signature-creation devices; |
| 4. | Technical assistance to promote the interoperability of electronic signatures and operation of interlinking devices; |
| 5. | Conduct of business affairs by, and operation of, the accreditation agency designated under Article 9 and assessment bodies selected under Article 10; |
| 6. | Other matters necessary to promote the use of electronic signatures. |
| Article 6 (Facilitating Use of Various Electronic-Signature-Creation Devices) |
| (1) | The State shall endeavor to facilitate the use of various electronic-signature-creation devices, such as biometric authentication and blockchain. |
| (2) | The State shall not restrict it to the use of a specific electronic-signature-creation device in the statutes, the National Assembly Regulations, the Supreme Court Regulations, the Constitutional Court Regulations, the National Election Commission Regulations, the Presidential Decrees, or the Board of Audit and Inspection Regulations, unless otherwise provided in such statutes, Decrees or Regulations. |
| Article 7 (Operational Standards for Electronic-Signature Certification Services) |
| (1) | The Minister of Science and ICT shall establish measures necessary to enhance the reliability of electronic signatures and to provide subscribers and users with information to enable them to make reasonably choices of electronic-signature certification services. |
| (2) | The Minister of Science and ICT shall establish and publicly notify operational standards for electronic-signature certification services including the following (hereinafter referred to as “operational standards”). In this case, the operational standards shall be established, in consideration of internationally recognized standards, etc.: |
| 1. | Measures to prevent electronic signatures and electronic documents against forgery and counterfeiting; |
| 2. | Procedures for signing up for, and using, electronic-signature certification services, and methods of verifying subscribers; |
| 3. | Procedures for ceasing or discontinuing electronic-signature certification services; |
| 4. | Requirements for systems related to electronic-signature certification services and data protection methods; |
| 5. | Measures to protect the rights and interests of subscribers and users; |
| 6. | Other matters related to the operation and management of electronic-signature certification services. |
| Article 8 (Accreditation of Compliance with Operational Standards) |
| (1) | A certification-service provider (including a person who intends to provide electronic-signature certification services; hereafter the same shall apply in Articles 8 through 11) may obtain accreditation as to its compliance with the operational standards from the accreditation agency designated under Article 9. In such cases, it shall first undergo an assessment conducted by the assessment body selected under Article 10 on its compliance with the operational standards. |
| (2) | A certification-service provider who intends to obtain an accreditation under the former part of paragraph (1) (hereinafter referred to as “accreditation of compliance with the operational standards”) shall be a national agency, local government or legal person. |
| (3) | A legal person is prohibited from obtaining an accreditation of compliance with the operational standards if any of its executive officers is: |
| 1. | A person under adult guardianship; |
| 2. | A person declared bankrupt and not yet reinstated; |
| 3. | A person in whose case two years have not passed since his or her imprisonment without labor or greater punishment declared by a court was completely executed (or deemed to be completely executed) or exempted; |
| 4. | A person who is under suspension of the execution of his or her imprisonment without labor or greater punishment declared by a court; |
| 5. | A person who is disqualified or suspended under a court ruling or other statutes. |
| Article 9 (Accreditation Agency) |
| (2) | Upon receiving an assessment report submitted under Article 10 (3), the accreditation agency shall check the assessment report and whether a certification-service provider that intends to obtain an accreditation of compliance with the operating standards has the qualifications specified in Article 8, and shall determine as to whether to grant an accreditation of compliance with the operating standards. |
| (3) | Upon determining to grant an accreditation of compliance with the operating standards under paragraph (2), the accreditation agency shall issue to the relevant certification-service provider a certificate stating the details of the accreditation and the period of validity. In this case, it shall publicly announce the fact that it has issued a certificate, as prescribed by Presidential Decree. |
| (4) | The accreditation agency may collect from certification-service providers fees necessary to conduct the business under paragraphs (2) and (3). |
| (5) | A code of conduct which contains determinations as to accreditation of compliance with the operating standards and revocation of accreditation, the period of validity of an accreditation of compliance with the operating standards, and other necessary matters shall be prescribed by Presidential Decree. |
| Article 10 (Assessment Bodies) |
| (1) | The Minister of Science and ICT may select and publicly notify a body that conducts assessments (hereinafter referred to as “assessment body”) under the latter part of Article 8 (1). |
| (2) | A certification-service provider that intends to obtain an accreditation of compliance with the operating standards shall apply for an assessment to any assessment body. |
| (3) | An assessment body shall assess whether a certification-service provider that has applied for an assessment complies with the operating standards, and shall submit an assessment report containing assessment results to the accreditation agency. |
| (4) | An accreditation agency may collect from certification-service providers fees necessary to conduct the business under paragraph (3). |
| (5) | A code of conduct which contains the criteria and procedures for selection of assessment bodies and evaluation methods, the standards and procedures for assessment of compliance with the operating standards, and other necessary matters shall be prescribed by Presidential Decree. |
| Article 11 (Internationally-Accepted Assessments) |
| (1) | The Minister of Science and ICT may determine and publicly notify internationally-accepted assessments recognizing compliance with the operating standards (hereinafter referred to as “internationally-accepted assessment”). |
| (2) | A certification-service provider is deemed to have obtained an assessment of an assessment body if it has obtained an internationally-accepted assessment. In this case, it may apply to the accreditation agency for an accreditation of compliance with the operating standards, and Article 9 (2) through (5) shall apply mutatis mutandis in respect of the accreditation agency’s determination as to accreditation and procedures for issuing a certificate. |
| (3) | Criteria for the selection of internationally-accepted assessments shall be prescribed by Presidential Decree. |
| Article 12 (Revocation of Selection as Assessment Body) |
| (1) | The Minister of Science and ICT may revoke a selection as an assessment body or may order an assessment body to suspend its business, in whole or in part, for a specified period not to exceed one year if any of the following is applicable to the assessment body: Provided, That the Minister shall revoke a selection in the case of subparagraph 1 or 2: |
| 1. | If the assessment body has obtained a selection by fraud or other improper means; |
| 2. | If the assessment body conducts an assessment during the suspension period; |
| 3. | If the assessment body fails to conduct an assessment without good cause; |
| 4. | If the assessment body fails to comply with the selection criteria under Article 10 (5); |
| 5. | If the assessment body conducts an assessment in violation of the code of conduct or the standards and procedures for assessment of compliance under Article 10 (5). |
| (2) | The Minister of Science and ICT shall hold a hearing to revoke a selection under paragraph (1). |
| (3) | Revocation of selections and suspension of business under paragraph (1) and other necessary matters shall be prescribed by Presidential Decree. |
| Article 13 (Indication of Compliance with Operating Standards) |
| (1) | A certification-service provider that has obtained an accreditation of compliance with the operating standards may use an indication that it complies with the operating standards, as prescribed by Ordinance of the Ministry of Science and ICT. |
| (2) | A certification-service provider that does not obtain an accreditation of compliance with the operating standards (or a certification-service provider whose accreditation of compliance with the operating standards becomes has become invalid upon the expiration of the period of validity) shall not use an indication under paragraph (1) or any other similar indication. |
| Article 14 (Verification of Identities) |
A certification-service provider that has obtained an accreditation of compliance with the operating standards shall verify the identity of every person who intends to sign up for electronic-signature certification services, as prescribed by Presidential Decree.
| Article 15 (Observance of Electronic-Signature Certification Practice Statement) |
| (1) | A certification-service provider that has obtained an accreditation of compliance with the operating standards shall prepare the electronic-signature certification practice statement that contains the following (hereinafter referred to as “Certification Practice Statement”), publish the Certification Practice Statement on its website, and fully observe such Statement. The same shall also apply when the certification-service provider modifies its Certification Practice Statement: |
| 1. | Types of electronic-signature certification services it provides; |
| 2. | Fees for electronic-signature certification services, the scope of use, and the period of validity and other terms and conditions; |
| 3. | How and in what process it provides electronic-signature certification services; |
| 4. | Other matters necessary to provide electronic-signature certification services. |
| (2) | To cease electronic-signature certification services in whole or in part, a certification-service provider that has obtained an accreditation of compliance with the operating standards shall notify its subscribers of the intention to cease and the period of cessation not later than 30 days of the date of cessation and also publish the same on its website. |
| (3) | To discontinue electronic-signature certification services, a certification-service provider that has obtained an accreditation of compliance with the operating standards shall notify its subscribers of the intention to discontinue not later than 60 days of the date of discontinuation and also publish the same on its website. |
| (4) | Details to be notified and published under paragraphs (2) and (3) shall include measures to protect subscribers, such as refund of fees and destruction of subscribers’ personal information. |
| (5) | Methods for preparing Certification Practice Statements under paragraph (1), methods of publication and notice under paragraphs (2) and (3), and other necessary matters shall be prescribed by Ordinance of the Ministry of Science and ICT. |
| (1) | The Minister of Science and ICT may require a certification-service provider that has obtained an accreditation of compliance with the operating standards to submit necessary materials, or require relevant public officials to enter the office, place of business or other necessary place of a certification-service provider that has obtained an accreditation of compliance with the operating standards to inspect equipment, books, documents or other articles, if the Minister determines necessary for such purposes as ensuring the safety and reliability of electronic-signature certification services it provides and protecting its subscribers. |
| (2) | To conduct an inspection under paragraph (1), the Minister of Science and ICT shall notify the relevant certification-service provider of an inspection plan stating the date and purpose of the inspection and details to be inspected, seven days prior to the date of the inspection. |
| (3) | A public official who conducts an inspection upon entering any premises under paragraph (1) shall produce evidence of that public official’s authority to interested persons, and present a document containing the name of the public official, the time and purpose of entry and other relevant details, to interested persons. |
| Article 17 (Corrective Orders) |
The Minister of Science and ICT may order a certification-service provider that has obtained an accreditation of compliance with the operating standards to take corrective measures within a specified period, as prescribed by Presidential Decree, if any of the following is applicable to that certification-service provider:
| 1. | If it fails to comply with the operating standards; |
| 2. | If it breaches any obligations in respect of an indication of compliance with the operating standards under Article 13 (1); |
| 3. | If it breaches any obligations in respect of the verification of identities under Article 14; |
| 4. | If it breaches any obligations in respect of the preparation and publication of the Certification Practice Statement under Article 15 (1) and (5), or fails to comply with the Certification Practice Statement; |
| 5. | If it breaches any obligations in respect of the cessation and discontinuation of electronic-signature certification services under Article 15 (2) through (5); |
| 6. | If it fails to submit materials required under Article 16 (1), submit any false materials, or refuses, obstructs or evades any public official who is entering any premises or is conducting an inspection; |
| 7. | If it fails to obtain insurance under Article 20 (2). |
| Article 18 (Time Stamping of Electronic Documents) |
A certification-service provider may, if requested by its subscriber or user, may verify the time at which an electronic document is presented to that certification-service provider using its electronic signature.
| Article 19 (Protection of Electronic-Signature-Creation Data) |
| (1) | No one shall use without permission or disclose any electronic-signature-creation data of another person. |
| (2) | No one shall engage in any of the following conduct in respect of a certificate issued by a certification-service provider that has obtained an accreditation of compliance with the operating standards: |
| 1. | Being issued a certificate in the name of another person or helping any other person to be issued a certificate in the name of another person by fraud or other improper means; |
| 2. | Transferring or lending a certificate to another person to exercise it for an unlawful use or acquiring or borrowing a certificate from another person to exercise it for an unlawful use. |
| Article 20 (Liability for Damage) |
| (1) | A certification-service provider that has obtained an accreditation of compliance with the operating standards shall be liable for damage if it causes such damage to any subscriber or user in respect of the provision of its signature-certification services: Provided, That such certification-service provider is exempted from liability for damages if it proves that it has not acted by intention or negligence. |
| (2) | A certification-service provider that has obtained an accreditation of compliance with the operating standards shall obtain insurance for liability of damages under paragraph (1), as prescribed by Presidential Decree. |
| Article 21 (Support for Policies on Electronic Signature Certification) |
The Korea Internet and Security Agency shall conduct the following business in order to create an environment in which electronic signatures can be safely and reliably used and to support policies on electronic signature certification:
| 1. | Developing, distributing, and conducting research to standardize, technologies related to electronic signature certification; |
| 2. | Researching schemes related to electronic signature certification, mutual recognition, and other support for international cooperation; |
| 3. | Supporting public officials in inspecting certification-service providers under Article 16 (1); |
| 4. | Other matters necessary to support policies on electronic signature certification. |
| Article 22 (Mediation of Disputes) |
| Article 23 (Entrustment of Duties) |
The Minister of Science and ICT may entrust all or part of his or her duties under Article 5 and Article 7 (2) to the Korea Internet and Security Agency or a relevant specialized institution, as prescribed by Presidential Decree.
| Article 24 (Penalty Provisions) |
| (1) | Any of the following persons shall be punished by imprisonment with labor for not mote than three years or by a fine not exceeding 30 million won: |
| 1. | A person who uses without permission or discloses the electronic-signature-creation data of another person in violation of Article 19 (1); |
| 2. | A person who is issued a certificate in the name of another person or helps any other person to be issued a certificate in the name of another person by fraud or other improper means in violation of Article 19 (2) 1. |
| (2) | A person who transfers or lends a certificate to another person to exercise it for an unlawful use, or acquires or borrows a certificate from another person to exercise it for an unlawful use in violation of Article 19 (2) 2 shall punished by imprisonment with labor for not more than one year or by a fine not exceeding 10 million won |
| Article 25 (Joint Penalty Provisions) |
If the representative of a legal person or an agent or employee of, or any other person employed by, the legal person or an individual commits any violations described in Article 24 in conducting the business of the legal person or individual, the legal person or individual shall, in addition to punishing the violators accordingly, be punished by a fine prescribed in the relevant Article: Provided, That the same shall not apply if such legal person or individual has not been negligent in giving due attention to, and in supervising, the business affairs to prevent such violations.
| Article 26 (Administrative Fines) |
| (1) | A person who fails to comply with a corrective order issued under Article 17 without good cause shall be subject to an administrative fine not exceeding 20 million won. |
| (2) | Any of the following persons shall be subject to an administrative fine not exceeding five million won: |
| 1. | A person who uses an indication of compliance with the operating standards not as prescribed by Ordinance of the Ministry of Science and ICT in violation of Article 13 (1); |
| 2. | A person who uses an indication of compliance with the operating standards or any other similar indication in violation of Article 13 (2); |
| 3. | A person who fails to prepare or publish the Certification Practice Statement in violation of Article 15 (1); |
| 4. | A person who fails to notify his or her subscribers of or to publish, the intention to cease or discontinue signature-certification services or measures to protect subscribers in violation of Article 15 (2), (3) or (4); |
| 5. | A person who fails to submit materials, submit any false materials, or refuses, obstructs or evades any public official who is entering any premises or is conducting an inspection in violation of Article 16 (1); |
| 6. | A person who fails to obtain insurance in violation of Article 20 (2). |
| (3) | Administrative fines under paragraphs (1) and (2) shall be imposed and collected by the Minister of Science and ICT, as prescribed by Presidential Decree. |
ADDENDA <Act No. 17354, Jun. 9, 2020>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation: Provided, That the amended provisions of Article 6 (2) shall enter into force one year after the date of its promulgation. Article 2 (Transitional Measures concerning Authorized Certificates)
Valid authorized certificates issued under the previous Article 15 as at the time this Act enters into force shall be governed by the previous provisions on authorized certificates. Article 3 (Transitional Measures concerning Effects of Electronic Signatures)
Electronic signatures given under valid authorized certificates issued under the previous Article 15 as at the time this Act enters into force shall have the same effects as certified electronic signatures under the previous provisions, notwithstanding the amended provisions of Article 3. Article 4 (Transitional Measures concerning Licensed Certification Authorities)
Licensed certification authorities designated under the previous Article 4 as at the time this Act enters into force shall be deemed to be signature-certification service providers that has obtained an accreditation of compliance with the operating standards under the former part of the amended provisions of Article 8 (1) for the one-year period beginning on the date on which this Act enters into force although they do not undergo an assessment or obtain an accreditation. Article 5 (Transitional Measures concerning Certification Services)
| (1) | Certification services related to valid authorized certificates issued under the previous Article 15 as at the time this Act enters into force shall be governed by the previous Articles 7, 10, 16 through 18, 19 (1), 21, 22-2, 24, 25, and 26. |
| (2) | Management of records on authorized certificates issued under the previous Article 15 and certification services shall be governed by the previous Article 22. |
| (3) | Any violation of paragraph (1) or (2) shall be governed by the previous provisions of Articles 11 through 14, 29, and31 through 34. |
Article 6 (Transitional Measures concerning Penalty Provisions and Administrative Fines)
The previous provisions shall apply where the penalty provisions and administrative fines are to be applied to any violation committed before this Act enters into force.
Article 7 Omitted.
Article 8 (Relationship to Other Statutes or Regulations)
A citation of any provision of the previous Digital Signature Act in other statutes or regulations as at the time this Act enters into force shall be deemed to be a citation of the corresponding provision of this Act, in lieu of the previous provision, if such corresponding provision exists herein.