Korea Domestic Agent Rules 2026 for Foreign Platforms
A foreign SaaS company with Korean enterprise users may think Korea domestic agent rules do not matter because its servers, contracts, and headquarters sit outside Korea. A global game publisher may reach Korean consumers through app stores without a Korean subsidiary. An AI platform may provide a Korean-language interface from Singapore, the United States, or Europe.
In 2026, that assumption is becoming risky. Korea domestic agent rules are expanding from data privacy into gaming, AI, telecommunications, and online platform regulation. For foreign companies, the question is no longer only whether Korean law applies. The practical question is who in Korea can receive regulator inquiries, handle user notices, preserve documents, and coordinate compliance responses when the foreign company has no local office.
This matters for foreign executives and investors because a domestic agent is not just a mailing address. Under Korean law, the agent may become the operational bridge between overseas management and Korean regulators such as the Personal Information Protection Commission, the Ministry of Science and ICT, the Korea Communications Commission, and gaming authorities. A weak appointment can turn a manageable inquiry into an enforcement problem.
Korea Domestic Agent Rules Are Becoming a Platform Compliance Issue
Korea has used domestic agent requirements for several years in sectors where overseas businesses serve Korean users without a local entity. The policy logic is straightforward: if a foreign business earns revenue from Korean users or processes Korean data, Korean regulators want a responsible domestic contact.
The most important recent development is the amended Personal Information Protection Act (PIPA). Under Article 31-2(2) of PIPA, certain foreign personal information controllers must designate a domestic agent. The 2025 amendment, effective from October 2, 2025, tightened the rule for foreign data controllers that already have a Korean subsidiary or affiliate.
Instead of freely appointing an unrelated third-party service provider, a covered foreign data controller must generally appoint a Korean entity established by the foreign controller or a Korean entity over which it exercises significant influence. Under the related Enforcement Decree, significant influence may exist where the foreign controller can appoint or dismiss the representative director, appoint at least half of the board, or holds at least 30% of the issued shares or capital contribution.
For foreign groups, this changes the compliance analysis. If a US parent has a Korean sales subsidiary and the parent operates the global platform that collects Korean user data, the Korean subsidiary may be the required domestic agent. The parent cannot assume that an outside consultant remains an acceptable long-term substitute if the statutory criteria point to its controlled Korean entity.
Failure to comply can result in an administrative fine under Article 75(3) Item 3 of PIPA. The statutory ceiling is approximately USD 14,500, but the larger risk is operational: regulator notices, breach communications, inspection requests, and corrective orders may be mishandled if the group does not define responsibilities in advance.
Korea Domestic Agent Rules Under PIPA: What Foreign Controllers Must Do
The PIPA domestic agent rule applies only to foreign personal information controllers that meet the relevant statutory thresholds. However, many foreign businesses underestimate how easily they can become Korean personal information controllers. A platform that collects Korean names, email addresses, phone numbers, payment identifiers, device IDs, login records, or behavioral data may fall within Korea’s broad concept of personal information.
Under PIPA, personal information includes information that identifies a living individual directly and information that can identify an individual when combined with other data. This is similar in policy scope to the EU General Data Protection Regulation, but Korean enforcement practice has its own terminology, notice standards, and regulator expectations.
For a foreign company subject to Article 31-2, the domestic agent should be able to perform several functions. It should receive official communications from Korean authorities. It should support data subject communications. It should help coordinate breach notifications, document submissions, and implementation of corrective measures. It should also understand the foreign company’s business model well enough to escalate issues to the right legal, security, and product teams.
The amended Enforcement Decree also creates a supervision issue. Foreign controllers should train their domestic agents at least annually and inspect whether the agent has prepared and implemented a plan for its duties. If deficiencies are found, the foreign controller should confirm remediation rather than treating the appointment as a one-time filing.
A practical example illustrates the problem. Suppose a Singapore-based analytics provider has Korean enterprise clients and a Korean sales subsidiary. The global platform is operated by the Singapore company, but Korean customer support sometimes routes requests through the Korean subsidiary. If the Korean subsidiary is appointed as domestic agent, the group should document how privacy inquiries are triaged, who approves PIPC responses, what evidence is preserved, and whether the Korean subsidiary has access to enough information to perform its role.
The domestic agent should not be left to improvise during an incident. Korean regulators may expect prompt and coherent responses, especially where user impact is significant.
Gaming, AI, and Telecom Rules Are Expanding the Same Model
The domestic agent model is no longer limited to privacy. Foreign gaming and AI businesses should now treat local representative planning as part of Korea market entry.
For games, the amended Game Industry Promotion Act introduces domestic agent obligations from October 23, 2025. Under Article 48(1) of the Game Industry Promotion Act, failure to designate a domestic agent where required can lead to an administrative fine of approximately USD 14,500. Draft subordinate rules have focused on large-scale foreign game businesses, including those with substantial global revenue, games causing serious user harm, or mobile games with significant daily new installs in Korea.
For AI, the Framework Act on the Development of Artificial Intelligence and Establishment of Trustworthy Foundation takes effect on January 22, 2026. Article 36(1) requires covered foreign AI service providers to designate a domestic agent, while Article 43(1) Item 2 provides an administrative fine of approximately USD 21,700 for non-compliance. Proposed criteria have focused on large providers, including those with global revenue of approximately USD 724 million, AI-sector revenue of approximately USD 7.2 million, at least one million average daily domestic users during a relevant period, or providers that receive a data submission request after an AI safety event.
The Telecommunications Business Act also matters for foreign value-added telecommunications service providers, a category that can cover many online services. Korea has already used domestic agent concepts for foreign online service providers, and legislative attention continues around whether more platform-related statutes should require domestic entities rather than unrelated agents.
The Act on Promotion of Information and Communications Network Utilization and Information Protection (Network Act) remains important for online service operators. Recent policy discussions indicate that Korea may continue aligning the Network Act with the stricter domestic entity model used in PIPA and the Telecommunications Business Act. Foreign companies should monitor National Assembly amendments rather than waiting until a final enforcement date is close.
The trend is clear. Korea is moving from sector-by-sector consumer protection to a broader regulatory expectation: foreign platforms serving Korean users should have a reliable Korean contact point with real authority, information access, and escalation procedures.
How Foreign Companies Should Choose a Domestic Agent
A domestic agent appointment should be treated like a governance decision, not a vendor formality. The right choice depends on the foreign company’s Korean footprint.
If the company has a Korean subsidiary, branch, or controlled affiliate, Korean law may require the domestic agent to be selected from that group. In that case, the main issue is whether the local entity has enough staff, authority, training, and information access to discharge the role. A Korean sales office with no privacy or technical personnel may need a formal escalation protocol and outside counsel support.
If the company has no Korean entity, a third-party provider may still be possible depending on the applicable law. However, the company should check the statute carefully. PIPA, gaming law, AI law, telecom rules, and any platform-specific law may use different thresholds and agent eligibility requirements.
The appointment document should be specific. It should state which Korean laws the agent covers, which regulator communications it can receive, how quickly it must notify headquarters, what documents it must maintain, and who bears responsibility for translation, evidence collection, and user response coordination.
Foreign companies should also distinguish between a registered address and a functional domestic agent. A registered address may receive mail. A domestic agent must be able to understand the legal significance of what arrives and move the matter to the correct people. For a platform with Korean users, those are very different functions.
Investors conducting due diligence should ask whether the target has mapped its Korean agent obligations. This is especially relevant for SaaS, games, AI tools, digital marketplaces, fintech, cloud infrastructure, adtech, healthtech, and consumer apps. Missing domestic agent appointments may not show up as a large balance-sheet liability, but they can create enforcement risk, reputational damage, and closing conditions in a cross-border transaction.
Korea Domestic Agent Rules: Compliance Checklist for 2026
Foreign businesses should prepare a short but disciplined review before expanding Korean sales or launching a Korean-language service.
- Map Korean user touchpoints. Identify whether the company collects Korean personal information, offers games, provides AI services, operates a communications or online platform, or otherwise targets Korean users.
- Identify applicable laws. Review PIPA Article 31-2, the Game Industry Promotion Act Article 48, the AI Act Articles 36 and 43, and relevant telecommunications and Network Act obligations.
- Check threshold tests. Determine whether user count, revenue, Korean data volume, local subsidiary control, or regulator requests trigger appointment obligations.
- Confirm agent eligibility. If the group has a Korean subsidiary or affiliate, analyze whether Korean law requires that entity to serve as the domestic agent.
- Document supervision. Provide annual training, inspect performance plans, and keep records showing that headquarters supervises the domestic agent.
- Prepare incident playbooks. Align domestic agent procedures with breach response, Korean-language user notices, regulator submissions, and evidence preservation.
- Review contracts. Service agreements with third-party agents should cover response time, confidentiality, authority limits, document retention, and termination transition.
- Coordinate with other compliance areas. Domestic agent planning should connect with PIPA compliance, DART disclosure readiness for listed groups, foreign investment reporting, and Korean employment or branch-office decisions.
Why This Matters for Korea Market Entry and M&A
Domestic agent rules can influence structure. A foreign company that plans to incorporate a Korean subsidiary for sales or customer support should understand that the entity may also become the legally preferred or mandatory domestic agent. That can affect staffing, insurance, internal reporting lines, and the subsidiary’s relationship with headquarters.
For example, a US AI company may establish a Korean subsidiary to manage enterprise sales. If the AI Act domestic agent obligation applies, the subsidiary may need technical and legal escalation procedures even if product operations remain overseas. The board should decide whether Korean compliance requests go to the chief legal officer, the chief privacy officer, the security team, or a regional general manager.
In M&A, domestic agent compliance should be part of Korean regulatory diligence. A buyer acquiring a foreign platform with Korean users should ask whether the target has Korean subsidiaries, which entity is designated as domestic agent, and whether the designation matches the amended PIPA and upcoming AI or gaming requirements. If the domestic agent is a third party but the target controls a Korean entity, further analysis is needed.
This also affects post-closing integration. If a foreign acquirer reorganizes Korean affiliates, changes board appointment rights, or transfers platform operations, domestic agent eligibility may change. The legal team should review whether any amendment filing, notice, or revised appointment is needed.
Key Takeaways
Korea domestic agent rules are becoming a central compliance issue for foreign platforms. The rules are still developing, but the direction is already visible.
Foreign data controllers subject to PIPA Article 31-2 should verify whether a Korean subsidiary or controlled affiliate must serve as domestic agent. Gaming companies should monitor the Game Industry Promotion Act and its subordinate rules. AI providers should prepare for the AI Act effective January 22, 2026. Online services should track telecommunications and Network Act developments.
The practical goal is not simply to avoid an administrative fine. The goal is to make sure Korean regulator communications, user requests, breach notifications, and data submissions reach the right people quickly and accurately.
Korea Business Hub assists foreign companies, investors, and platform operators with Korean market-entry structuring, PIPA compliance, AI and online platform regulation, subsidiary governance, and regulatory response planning. If your business serves Korean users from abroad, 2026 is the right time to review whether your domestic agent structure is legally sufficient and operationally reliable.
About the Author
Korea Business Hub
Providing expert legal and business advisory services for foreign investors and companies operating in Korea.
Need help with regulatory compliance?
Our team of experienced professionals is ready to assist you. Get in touch for a consultation.
Contact Us