Korea Privacy Watchdog Says Facial ID for Phone Sign-Ups Lacks Legal Ground
South Korea’s Personal Information Protection Commission told the Ministry of Science and ICT on May 27 that its facial authentication pilot for mobile phone activation needs a legal overhaul before it can go live nationwide. The system, running since December 23, 2024, compares a customer’s face against the photo on their government-issued ID in real time at the point of sale. The commission says the ministry skipped the privacy review, built the system on shaky legal ground, and designed a consent flow that gives users no real choice.
The pilot was part of a joint government push to kill voice phishing, a fraud category that cost South Koreans hundreds of billions of won in 2024. SIM-swap attacks, where criminals activate a phone number in someone else’s name, are a common vector. Facial authentication was supposed to close that gap by proving the person standing in the store is the person named on the ID.
The Legal Gap the Watchdog Found
Biometric data sits in a special category under South Korea’s Personal Information Protection Act. Processing it requires either explicit consent from the data subject or a clear statutory basis. The commission reviewed the Telecommunications Business Act and related regulations and found neither. The ministry introduced facial authentication as an identity verification method without amending the law to authorize it.
The commission’s May 27 recommendation states that the current legal framework does not clearly permit facial information to be used as a means of identity authentication for phone activation. That gap matters because telecom carriers are now collecting, storing, and comparing facial scans without the statutory cover biometric processing demands.
The ministry has not yet responded publicly to the recommendation. The pilot continues to operate while the commission waits for a formal reply.

Consent That Is Not Really Consent
The second problem is structural. When a customer walks into a carrier store to activate a phone, the facial scan is presented as part of the standard identity verification flow. Refusing the scan means the activation cannot proceed. The commission determined that this design makes consent effectively mandatory, violating the principle that biometric data processing must be voluntary.
The Personal Information Protection Act allows processing of sensitive information only when the data subject has given genuine consent or when a law explicitly requires it. Because the Telecommunications Business Act does not require facial authentication, the system relies entirely on consent. But consent given under duress, where refusal blocks access to an essential service, does not meet the legal standard.
The commission also flagged the scope of data collected by the contractor operating the authentication system. It said the ministry needs to minimize what personal information flows through the contractor’s infrastructure and ensure that data retention periods are as short as technically feasible.
How the System Works Today
The facial authentication process runs in three steps. First, the customer presents a government-issued ID card at the carrier’s point of sale. Second, the system extracts the photo from the ID using optical character recognition. Third, a live camera captures the customer’s face and a matching algorithm compares the two images in real time. If the match score exceeds a threshold, the activation proceeds. If it fails, the customer must use an alternative verification method, typically a manual document check by store staff.
The system does not store the live facial image after the comparison completes, according to the ministry’s December 2024 briefing. The ID photo is likewise discarded once the session ends. But the commission’s review found that metadata about the transaction, including timestamps and match scores, persists in the contractor’s logs for an unspecified period, raising questions about secondary use and data minimization.
The Voice Phishing Context
Voice phishing, known locally as boiseu pising, accounted for 1.2 trillion won in reported losses across South Korea in 2024, according to the Financial Supervisory Service. SIM-swap fraud is a subset of that total. Criminals obtain a victim’s personal details through phishing or data breaches, then visit a carrier store with a fake or stolen ID to activate a new SIM card in the victim’s name. Once the number is live, the attacker intercepts two-factor authentication codes sent via SMS and drains bank accounts.
The government’s comprehensive anti-phishing plan, announced in November 2024, included facial authentication as one of several technical controls. Other measures in the plan include real-time transaction monitoring by banks, mandatory cooling-off periods for large transfers, and a centralized fraud reporting hotline. The facial authentication pilot was the most visible and the most controversial.
What the Commission Wants Fixed
The commission’s May 27 recommendation lists four specific actions. First, the ministry must conduct a full necessity and proportionality review before rolling the system out nationwide. That review must weigh the privacy cost of collecting biometric data against the fraud-prevention benefit and consider whether less intrusive alternatives exist.
Second, the ministry must clarify the legal basis for processing facial information. That likely means amending the Telecommunications Business Act to explicitly authorize facial authentication as an identity verification method, or finding another statutory hook that satisfies the Personal Information Protection Act’s requirements for sensitive data.
Third, the ministry must redesign the consent flow so that customers can refuse facial authentication without losing access to phone activation. The commission suggested offering alternative verification methods, such as document checks or knowledge-based authentication, as parallel options rather than fallbacks.
Fourth, the ministry must apply privacy-by-design principles to the contractor’s system. That includes minimizing the personal information collected, shortening data retention periods, encrypting data in transit and at rest, and conducting regular audits to ensure compliance with the protection law.
Privacy-by-Design in Practice
Privacy-by-design is a framework that embeds data protection into the architecture of a system from the start, rather than bolting it on after deployment. In the context of facial authentication, it means designing the system so that the minimum necessary data is collected, the data is processed locally when possible, and the data is deleted immediately after use.
The commission’s recommendation implies that the current pilot does not meet that standard. The contractor’s system collects more data than strictly necessary for the matching operation, retains metadata longer than the transaction requires, and lacks transparency about how the data flows through the infrastructure. The commission wants those gaps closed before the system scales.
The Proportionality Question
Proportionality is the legal test that balances the benefit of a data processing activity against the harm it causes to individual rights. The commission’s recommendation asks whether the fraud-prevention benefit of facial authentication justifies the privacy cost of collecting biometric data from every phone customer.
The ministry’s December 2024 briefing cited a 40 percent reduction in SIM-swap fraud cases during the first two months of the pilot, based on carrier-reported data. The commission has not disputed that figure, but it argues that the reduction alone does not prove proportionality. The test also requires considering whether less intrusive methods, such as improved document verification or multi-factor authentication using non-biometric factors, could achieve a similar result.
The commission also noted that the pilot’s scope is narrow. It applies only to in-store activations, not to online activations or SIM swaps initiated through customer service channels. That means the system addresses only a fraction of the fraud surface, raising questions about whether the privacy cost is justified by the partial coverage.
What Happens If the Ministry Ignores the Recommendation
The Personal Information Protection Commission’s recommendations are not legally binding, but they carry significant weight. If the ministry proceeds with a nationwide rollout without addressing the commission’s concerns, the commission can escalate to a formal investigation and issue a corrective order. Corrective orders are enforceable and can include fines, suspension of the system, and mandatory deletion of collected data.
The commission has used that authority before. In 2023, it ordered a major e-commerce platform to delete facial recognition data collected without proper consent and fined the company 2.8 billion won. The ministry is unlikely to risk a similar outcome, especially given the political sensitivity of privacy issues in South Korea following several high-profile data breaches in recent years.
The Broader Biometric Debate
South Korea is not the only country grappling with the trade-off between biometric convenience and privacy risk. India’s Aadhaar system, which uses fingerprints and iris scans for identity verification, has faced years of legal challenges over consent and data security. The European Union’s General Data Protection Regulation treats biometric data as a special category requiring heightened protection, and several EU member states have banned facial recognition in public spaces.
The South Korean debate is playing out in a regulatory environment that is more permissive than the EU but stricter than the United States. The Personal Information Protection Act, enacted in 2011 and amended several times since, gives the commission broad authority to review and block data processing activities that fail to meet legal standards. The commission has used that authority aggressively in recent years, particularly in cases involving biometric data and location tracking.
The facial authentication pilot is a test case for how far the government can push biometric surveillance in the name of fraud prevention. The commission’s May 27 recommendation suggests the answer is: not this far, not without a legal foundation and a genuine consent mechanism.
What Comes Next
The ministry has not set a timeline for responding to the commission’s recommendation. The pilot will continue to operate in its current form until the ministry decides whether to proceed with a nationwide rollout, scale back the system, or abandon it entirely. The commission said it will monitor the ministry’s response and will support the government’s anti-phishing efforts as long as they comply with the Personal Information Protection Act.
The outcome will likely hinge on whether the ministry can find a legal basis for facial authentication that satisfies the commission. Amending the Telecommunications Business Act would require legislative approval, a process that could take months or years depending on political priorities. Without that amendment, the system remains on shaky ground, and the commission’s next move could be a formal order to shut it down.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations vary by jurisdiction, and individuals concerned about biometric data collection should consult a qualified legal professional. Figures and regulatory details are accurate as of publication.
