South Korea

In January 2021, South Korea launched its digital ID system with the Mobile Public Official Card. This smartphone-based credential allows civil servants to prove their identity and professional status digitally, replacing the need for physical ID cards.^[17] Other mobile phone based IDs such as driver’s license (introduced in July 2022) and veterans’ registration cards (introduced in June 2023) have also been rolled out.^[18]

On 10 January 2025, the Ministry of Justice launched Mobile (Foreign) Residence Cards for foreign national residents aged 14 and above, including Foreign Residence Cards, Permanent Residence Cards, and Overseas Korean Residence Cards.^[19] The government then undertook the rest of its digital ID rollout with its nationwide issuance of the Mobile Resident Registration Card for citizens on 14 March 2025.^[20]

The mobile resident registration cards (‘mobile IDs’) for citizens and non-citizens act as a functional ID because they hold the same validity as physical residence cards and can be used for identity verification at any place where a physical card may be required such as government offices, banks, hospitals, and convenience stores.^[21] Although it is not mandatory for citizens and foreign residents to apply for mobile IDs, many government and financial services are increasingly being tied to mobile IDs for identity verification such as applying for bank accounts, insurance, investments or credits cards; accessing government websites, online voting, domestic flight check ins, and to pay taxes.^[22] Individuals can apply for a Mobile Resident Registration Card either by applying directly on the ‘Mobile IDentification App’ using newer residence cards with an IC-chip embedded Resident Registration Card or by scanning the QR code at a community center for those with the old resident cards that have no IC-chip embedded.^[23] Foreign residents who hold physical residence cards are eligible to use mobile IDs, as access is linked exclusively to these registration cards. However, stateless persons, refugees, and asylum seekers remain excluded, since they lack legal identity documents such as birth certificates and, consequently, physical residence cards.^[24] Each mobile ID is limited to one phone number (and smartphone) under an individual’s name, presenting an additional barrier for stateless persons, refugees, and asylum seekers as they are unable to access SIM cards without passports.^[25]

Individuals can access their mobile ID cards through the ‘Mobile IDentification App’ and Samsung Wallet.^[26] The South Korean government is looking to expand access through other wallets and applications as part of its wider plan to bridge public and private services with the development of mobile IDs.^[27] The government is relies on the private sector to increase adoption of mobile IDs as well as to connect mobile IDs to more digital services.^[28] Samsung has significantly increased its ability to collect biometric data, including through its new Galaxy Ring, which can now collect data such as ‘heart rate variability, time to fall asleep, movement during sleep, and sleep-time heart rate and respiratory rate’.^[29]

According to the World Bank, South Korea’s Mobile Resident Registration Card system is a global model.^[30] The system is secured with ‘advanced encryption and blockchain technology’ and ‘biometric verification is required to prevent identity theft.’ However, it remains unclear what blockchain is being used for.^[31] The system was designed and implemented by Korea Minting, Security Printing & ID Card Operating Corp. (KOMSCO), a state-owned corporation.^[32] KOMSCO has expanded its cooperation with the World Bank to share its expertise in system design with countries such as the Philippines, Indonesia, Costa Rica, Paraguay, and the UK, helping them explore the adoption of systems similar to South Korea’s.^[33] Even so, the system has experienced some issues, including a 56-hour outage where it could not be accessed. This outage was attributed to shortfalls in intensive monitoring for potential errors.^[34]

Domestic law and policy

The legal foundation for South Korea’s digital ID system is the Resident Registration Act of 1962. In November 2024, partial amendments to the Act were passed, including Article 24(2), which authorizes the issuance of mobile resident registration cards, and Article 25, which establishes identity verification through mobile IDs.^[35]

South Korea launched its ‘Digital Bill of Rights’ in September 2023 by the Ministry of Science and ICT, to establish digital norms and principles, as well as to position the country as a leader in global digital governance.^[36] The Bill outlines five principles: guarantees of freedom and rights; fair access and equal opportunities; building a trustworthy digital society; promoting digital innovation; and advancing global human well-being.^[37] On 21 January 2025, South Korea became the first jurisdiction in the Asia-Pacific to adopt comprehensive artificial intelligence (AI) legislation to regulate and enforce the use of AI, through the passing of the AI Basic Act (2025) which takes a similar approach to the EU’s AI Act.^[38]

Whilst there may not be a single comprehensive legislation on mobile ID in South Korea yet, the Electronic Government Act (2001, under Article 26, provides safeguards for the legal validity of electronic or digitized documents.^[39] Although the Act does not define digital IDs, it nonetheless provides definitions of ‘digitized documents’ and ‘electronic documents’ in Article 2(7) and 2(8).^[40] The Act also contains provisions to compel administrative agencies to take measures to protect personal information and privacy, such as Articles 4(1) and 4(4), amongst other Principles of Electronic Government set out in the Act.^[41] Such crucial provisions positions the Act as foundational for a digital ID system.^[42]

Data Protection

According to OneTrust DataGuidance, a global data protection regulation database, South Korea is said to have in place ‘some of the strictest personal information protection requirements in the world.’^[43] The Personal Information Protection Act (2025) (‘PIPA’) is South Korea’s core law governing data privacy which provides a comprehensive framework for the collection and processing of personal data in general and is supplemented by a detailed Enforcement Decree.^[44] It is also complemented by other laws regulating data collection and processing in specific contexts, such as the Act on Promotion of Information and Communication Network Utilization and Information Protection (2001), which regulates the use of personal data by information and communication service providers, as well as the Use and Protection of Credit Information Act (2009), which regulates the use of personal data in conducting due diligence for financial or commercial transactions.^[45] The PIPA Act and other sector-specific laws are also supported by a number of guidelines issued by data protection authorities. Whilst such guidelines may not be legally binding, they facilitate the interpretation of the laws.

Initially enacted in 2011, the PIPA was amended in 2020 and in 2023 to strengthen data subjects’ rights, particularly regarding consent for personal data processing. It also introduced technology-neutral regulations for online and offline data handling, mandates for prompt notification of data breaches, and outlined rules for mobile visual data processing devices.^[46] The PIPA was amended twice in 2025, with data portability rights coming into effect on 13 March 2025 and the second amendment on 2 October 2025, introduced binding AI-specific data protections and new obligations for foreign data controllers operating in Korea.^[47] The new amendment establishes a legal basis for utilizing personal information beyond its original collection purpose when deemed necessary for AI technology development or performance enhancement, subject to the review and approval of the Personal Information Protection Commission (‘PIPC’).^[48] The amendments also require foreign companies operating in South Korea that collect or process personal information to designate a local representative responsible for management, training, planning and inspections of personal information to ensure their compliance with local privacy laws.^[49]

Biometric data is included under the PIPA’s definition of ‘sensitive personal data’ but it does not yet have a comprehensive legislation of its own.^[50] With the government’s increasing use of biometric technology for identity verification from mobile resident registration cards to event tickets purchases, the government reported it is looking to introduce a legally binding regulatory framework for biometric information to ensure biometric data privacy regulations keep up with increasing use in 2025.^[51] Without a strong legal framework for the collection and use of biometric data, developments such as Samsung’s Galaxy Ring, which collects a wide range of biometric data capable of predicting many aspects of a person’s life, remain unregulated.^[52]

The right to privacy is highly protected by South Korea’s Constitution. For data protection, Article 17 of the Constitution provides specifically that ‘[t]he privacy of no citizen shall be infringed.’^[53] This provision appears to be an absolute and unqualified safeguard for the right to privacy of citizens. Moreover, Article 18 of the Constitution also provides that ‘[t]he privacy of correspondence of no citizen shall be infringed’.^[54]

There have been incidents of data breach. In September 2025, the PIPC, a data protection watchdog, launched a probe into a massive credit card data breach at Lotte Card that exposed the personal data of about 3 million customers.^[55] In December 2025, South Korea’s largest online e‑commerce retailer Coupang headquarters was raided by the police’s cyber investigation unit over a major leak involving 33 million customers information.^[56] The PIPC is looking to establish a ‘personal information protection system that provides citizens with peace of mind,’ in response to major data breaches in 2025.^[57] Besides data breaches, there are concerns that the fraudulent sales of mobile IDs, mainly targeting minors seeking age-restricted products, undermines the implementation of the mobile ID system.^[58]

Digital rights groups have raised concerns that the rapid adoption of AI in public administration, law enforcement, education, and social welfare, is outpacing legal and ethical safeguards, potentially putting human rights at risk.^[59] The report, launched in March 2025, raises red flags about opacity, surveillance, data privacy, and a lack of public oversight on what types of AI are being implemented, for what purposes, or how they are being governed.^[60] In August 2025, the High Court ruled in favor of civil society groups in their lawsuit against Google, which must now provide Korean users with greater transparency about the handling of their data, including individualized responses to requests regarding third-party data disclosures.^[61]

International Commitments

South Korea has ratified several major human rights treaties including the 1954 Statelessness Convention, 1951 Refugee Convention and its 1967 Protocol, ICCPR, ICESCR, ICERD, CRC, and CEDAW. As a signatory to the CRC, South Korea has an obligation to ensure all children are able to access essential services, which includes access to services that are linked to digital systems as well.^[62] In its 2023 concluding observations, the Human Rights Committee expressed its repeated concerns for inadequate birth registration for foreign children, undocumented children, and stateless children, who are often unable to rely on assistance from their embassies, which creates barriers towards accessing birth registration.^[63] South Korea also has an obligation to fulfill the universal right to birth registration for all children, regardless of documentation status or nationality of parents, under Article 24(2) of the ICCPR. The Foreign Child Birth Registration Act, a new bill to implement a birth registration system for non-Korean children born in South Korea, in order to provide legal status to newborns, regardless of their parents’ legal status, has been in development by the Ministry of Justice since February 2021.^[64]

On 26 June 2025, South Korea adopted the Ministerial Declaration on a Decade of Action for Inclusive and Resilient Civil Registration and Vital Statistics in Asia and the Pacific, pledging commitments to universal access, gender equality, digital inclusion, and resilient CRVS systems.^[65] The Declaration commits to building secure digital public infrastructure that enables equitable access to services and entitlements, while ensuring that ‘vulnerable and digitally marginalized groups’ are not excluded.^[66] South Korea has made a non-binding pledge, as part of the Global Compact for Migration’s fourth indicator ‘Legal Identity and Documentation’, to implement a system for foreign children or stateless children’s birth registration by December 31, 2026.^[67]

South Korea, as a member of the Organization for Economic Co-operation and Development (OECD), actively aligns with and contributes to the OECD Recommendation on the Governance of Digital Identity (2023). South Korea has topped the OECD Digital Government Index in 2023 and 2019 for its ‘efforts made by governments to establish the foundations necessary for a digital transformation of the public sector that is coherent and human-centred.’^[68] The OECD Digital Government Review concluded in October 2025 founds that South Korea is a global leader in digital government, with strong governance, strategic use of data in the public sector, pioneering AI adoption in government, and citizen‑centred public administrative services, though challenges remain around talent retention, regulatory agility, transparency, and aligning central and local service delivery.^[69]

South Korea also joined the Asia-Pacific Economic Cooperation Cross Border Privacy Rules (APEC CBPR) system in 2017, to facilitate secure, privacy-compliant international data transfers and to promote consumer, business, and regulator trust.^[70] The APEC CBPR is a voluntary, accountability-based framework where businesses are required to implement privacy policies consistent with APEC Privacy Framework’s principles on data handling, security, and consumer rights.^[71]

Legal Identity

Digital ID Overview

Law

Domestic law and policy

Data Protection

International Commitments

Designed to Include?