Recent Developments

Lee & Ko’s TMT Group provided comprehensive legal advisory services to SK Broadband and SK Telecom in connection with their large-scale AI data center project in partnership with Amazon Web Services (AWS), a leading global cloud service provider. The project, with an estimated investment of KRW 7 trillion, aims to establish Korea’s largest AI-dedicated data center, deploying approximately 60,000 GPUs.

Given the involvement of AWS and the unprecedented scale of the initiative, the project required a sophisticated contractual framework and careful coordination among multiple stakeholders. Lee & Ko advised SK Broadband and SK Telecom across all phases of the project—from identifying key legal issues to negotiating and executing complex cloud-related agreements, as well as analyzing potential legal risks.

In particular, Lee & Ko provided forward-looking legal guidance on regulatory approvals, power supply arrangements, cloud compliance, and real estate and construction requirements. This end-to-end advisory support enabled the clients to successfully close the transaction within the scheduled timeline.

This project represents a strategic milestone in advancing Korea’s AI ecosystem and large-scale infrastructure development. It also highlights Lee & Ko’s deep expertise in the ICT and infrastructure sectors and its broad experience in structuring and negotiating complex agreements. Following the successful completion of this transaction, additional mandates are expected in connection with SK Group’s data center operations, investment expansions, and future facility developments.
 

We are pleased to inform you of a landmark ruling by the Supreme Court of Korea which has significant implications for e-commerce platform operators within the country. In a recent case, the Supreme Court has overturned the sanctions imposed by the Personal Information Protection Commission (PIPC) against major online marketplaces, Naver (South Korea’s leading internet platform company) and Gmarket (formerly eBay Korea). This pivotal case clarified that sellers on e-commerce intermediary platforms (the “E-commerce Seller”) are not considered ‘personal information managers’ of the platforms providing intermediary sales services (the “E-commerce Platform”) under the Personal Information Protection Act (PIPA). This ruling marks a transformative moment for privacy law enforcement related to E-commerce Platforms in South Korea.

We will delve into the details of the Supreme Court’s decision and discuss its broader impact on the e-commerce landscape.

1. Overview of the Case
First, operators of the E-commerce Platform provide a service that enables members (including both sellers and buyers) to trade goods online. During the provision of this service, seller members utilize the personal information of buyer members, provided by the E-commerce Platform operators, to deliver products and carry out various sales-related tasks. In this context, the PIPC has interpreted that E-commerce Platform operators are ‘data controllers’ under PIPA, and that seller members are ‘personal information managers’ who process personal information under the direction and supervision of the E-commerce Platform operators. Based on this presumption, the PIPC found that E-commerce Platform operators breached the necessary safety measures required under PIPA by allowing seller members access to the seller system using only an ID and password, without employing additional secure authentication methods. As a result, the PIPC issued an order to seven (7) major platform operators to implement secure authentication methods and conduct regular training for their seller members (the “PIPC Order”).

Among the E-commerce Platform operators subject to the PIPC Order, Naver and Gmarket filed lawsuit actions against the PIPC seeking to annul the PIPC Order. We, Lee & Ko, have represented Naver and Gmarket from the court of first instance to the final decision by the Supreme Court.

2. Summary of the Supreme Court’s Ruling
The main issue presented to the Supreme Court concerned whether E-commerce Sellers qualify as ‘personal information managers’ for E-commerce Platform operators under PIPA. This distinction was critical, as PIPA’s requirement for data controllers to implement secure authentication methods specifically applies to ‘personal information managers.’ Consequently, the legality of the PIPC Order depended on this determination.

In this regard, the Supreme Court annulled the PIPC Order for the following reasons, determining that E-commerce Sellers do not qualify as the ‘personal information managers’ of the E-commerce Platform operators:

   - a ‘personal information manager’ is not limited to those who have an employment contract with a data controller. It includes any person who, under laws or contractual terms, acts under the direction and supervision of a data controller to carry out certain tasks;  
   - “third parties,” who receive personal information from data controllers and utilize it for their own business purposes and benefits, are distinct from and cannot coexist with personal information managers; and
   - the E-commerce Sellers receive personal information of buyer members from the E-commerce Platform operators and process that information according to their own discretion for their business operations. They are thus ‘data controllers’ and ‘third parties’ themselves rather than ‘personal information managers’ of the E-commerce Platform operators.

3. Significance of the Supreme Court’s Ruling
The significance of this case lies in the fact that it provided the first specific judicial interpretation of PIPA regarding the definition and scope of a ‘personal information manager,’ and the critical distinction between a ‘personal information manager’ and ‘third party.’ This ruling is pivotal not only for the e-commerce platform industry but also establishes a benchmark for future cases across various sectors involving the determination of who qualifies as a ‘personal information manager’ and who is subject to security measures requirements as per PIPA.

Prior to this ruling, the PIPC had used its guidelines as the legal basis to interpret E-commerce Sellers as ‘personal information managers’ for E-commerce Platform operators. However, this ruling clearly established that the PIPC’s guidelines cannot serve as grounds for enforcement actions. Nonetheless, it should be noted that independent of the Supreme Court’s decision, major E-commerce Platform operators such as Naver and Gmarket have proactively enhanced their security measures through self-regulatory efforts to safeguard the personal information of buyer members.

Furthermore, this ruling is also significant as it clearly delineates the responsibilities related to personal information processing between E-commerce Platform operators and their seller members. This provides critical guidance for E-commerce Platform operators on how to structure their compliance and governance frameworks to protect personal information effectively.


This ruling marks the first decision issued by the PIPC has been overturned since it became a central administrative agency in 2020. Lee & Ko features a Data Privacy & Cybersecurity Group comprised of the largest team of personal information protection and information security experts in Korea. Our comprehensive legal services encompass consultations, legal investigation responses, and litigation representation concerning personal information matters. If you require advice or assistance concerning privacy-related matters, please feel free to contact us at your convenience.

In January 2021, the Personal Information Protection Commission (PIPC) issued corrective orders and imposed administrative fines against Naver Corp. (Naver) and Gmarket Inc. (Gmarket) due to the continuous increase in electronic commerce fraud cases, such as the misuse of open market seller accounts. The orders were issued based on the grounds that the sellers did not take sufficient security measures when accessing the system. The PIPC considered the third-party sellers on Naver and Gmarket as personal information handlers of Naver and Gmarket, and held Naver and Gmarket responsible for their management and supervision of personal information handlers. 

Lee & Ko, on behalf of Naver and Gmarket, filed a lawsuit to cancel the corrective orders. Lee & Ko presented various evidence from different angles to prove that the sellers were independent personal information controllers who received personal information from Naver and Gmarket, rather than personal information handlers of Naver and Gmarket, and argued that the orders were illegal and unfair. 

The district court accepted the arguments of Naver and Gmarket and canceled the corrective orders imposed by the PIPC.

This case was the first case that clarified the scope of personal information handlers and holds significant value as a precedent in terms of the role and responsibilities of platform service providers in relation to e-commerce businesses, including open markets. The case is currently ongoing at the appellate court, and Lee & Ko continues to represent Naver and Gmarket.

In 2022, SK Telecom Co., Ltd. (SKT) sought to expand its metaverse platform, “Ifland,” overseas. In order to comply with the regulations of each target country, extensive legal review was required. Lee & Ko, in collaboration with a global firm, conducted a thorough examination of privacy, intellectual property, consumer protection, licensing, and other relevant local laws in the United States, Germany, Singapore, and the United Arab Emirates. They derived specific compliance requirements and prepared necessary documents such as consumer terms of service, privacy policies, and various consent forms to ensure compliance with local laws. As a result, SKT successfully launched the Ifland service in 49 countries worldwide, establishing itself as a global metaverse platform.

Lee & Ko not only handles domestic matters but also assists numerous domestic companies in their overseas expansion and service launches, ensuring compliance with regulatory requirements in other jurisdictions. Particularly, we collaborate with local law firms to provide efficient and tailored advice on privacy laws such as GDPR in Europe, FTC Act, CCPA, and CPRA in the United States, PIPL in China, and more. We have accumulated extensive expertise and experience, offering comprehensive and specialized services that meet the needs of our clients.

Lee & Ko provided comprehensive legal advice to SSG.COM in relation to the investment of 300 Billion Korean Won in issuance of new stocks from the investors which includes foreign private equity companies such as Affinity and BRV.
 
In 2018, Lee & Ko provided legal services to Shinsegae and E-Mart, the major shareholders of SSG.COM, in their execution of share subscription agreement and shareholders agreement with investors. Subsequently, Lee & Ko consulted on various transactions, including split-off from major shareholders of SSG.COM, merger between new entities after split-off, and investing 700 Billion Korean Won for the issuance of new shares from the investors in 2019. The investment of 300 Billion Korean Won to SSG.COM this year reflects the implementation of additional investment which was agreed upon during the 2019 transaction. In other words, this signifies that the transactions for pre-IPO have now been completed.
 
While complying with the contract terms signed in 2019 by and among the major shareholders and SSG.COM with their investors, Lee & Ko is able to say with confidence that they provided major shareholders and SSG.COM with various alternatives to minimize the impact on the major shareholders and SSG.COM.