[법무법인(유한) 태평양] Korean data law amendments pose new constraints for cross-border online services and data flows


Posted: 18-09-06 21:33





Under amendments to the IT Networks Act, set to take effect in March 2019, offshore online businesses meeting thresholds of nexus to Korea will be required to designate a local agent for regulatory oversight purposes.

 

Amended rules will also newly restrict onward transfer (to additional countries) of personal information by offshore parties, and, on a reciprocity basis, allow regulators to restrict transfers of personal information to countries that likewise restrict outflows of such data.

  

Passed on August 30, 2018, amendments to the Act on Promotion of Information and Communications Network Utilization and Data Protection, Etc. (or IT Networks Act) will impose, on some range of larger offshore businesses, an obligation to appoint a local agent responsible for Korean data privacy compliance. The amended law will also impose new restrictions on the offshore on-transfer, i.e. to third countries, of personal information (PI), requiring consent of, or at least notice to, the individuals, and extend to onward transferors a duty to take protective measures (vis-à-vis the transferee). And the amendments include a reciprocity principle that will allow the government to restrict transfers of PI to offshore companies whose home jurisdictions similarly restrict outflow of PI. The amended rules will take effect in early March 2019, i.e. 6 months from the formal promulgation, which is during this first week of September 2018.

 


Major online businesses lacking “presence” in Korea will be required to appoint a local agent, responsible for privacy compliance.

Under the amended IT Networks Act, offshore IT service providers – including online/connected service providers and sellers – will be required to appoint an agent in Korea, for data regulation purposes, if they satisfy some threshold of scale (in terms of local user numbers and/or revenue, but yet to be decided) and lack an “address” or “a place of business” in Korea. The requirement could also apply, evidently, to offshore transferees of data – offshore businesses that (e.g. as data controllers or processors) receive PI of Korean individuals from IT service providers, given the way in which the amended law refers to “IT service providers and others”. [1]

 

The local “agent” (or representative, “대리인” in Korean) will be responsible for local data privacy compliance, as the chief privacy officer (person in charge of personal information protection, 개인정보보호책임자). As such, the agent will be responsible for effecting PI protection measures, reporting to authorities and notifying users in case of data leaks, and responding, and submitting documents and materials, to the authorities in case of some violation of the IT Networks Act.[2] (The “authorities” will mean mainly the Ministry of Science & ICT and the Korean Communications Commission.) If the agent should end up violating the IT Networks Act, this will be imputed to the offshore entity.

 

The local agent can be either an individual or a corporate entity, but it isn’t clear whether the agent has to have any specific standing or qualification. On the face of the amended law, the local agent might be, say, an officer or employee of a local subsidiary. (It might be that having a local subsidiary already means that one does not lack a local “address” or “business presence” in the first place, but this seems doubtful.)

 

To what offshore businesses will the new requirements apply? Precise thresholds for the affected offshore businesses, in terms of user numbers and revenues, remain to be defined. This will follow under a Presidential Decree (primary implementing regulation), which should issue at latest a month or two before the early March 2019 effective date of the amendments. Widespread speculation in Korea is that, in any case, the thresholds will “capture” businesses on the scale of Google, Apple and Facebook.

 

As to the separate issue of whether the offshore business indeed lacks a local “address” or “place of business”, what would that mean? Surely the new requirement will not apply to, say, an offshore entity that has a local branch or representative office in Korea. The question is what else would constitute a local presence for this purpose. As noted above, it seems unlikely that that would include a local subsidiary. But this part of the new requirement isn’t particularly defined, nor is it slated to be clarified by ensuing regulations. It may, for some time, remain a point for interpretation.

 


New restrictions on offshore onward transfer of PI

Under the current IT Networks Act, the transfer of Korean personal information by an IT service provider from Korea (country 1) to an offshore country (country 2) is already restricted: This requires specific user consent. (As an exception, it suffices to disclose offshore transfers, typically in a privacy policy, insofar as the transfers are both “necessary” for the carrying out of the services and designed to enhance the user’s convenience.) Under the current statute, it’s not clear that these restrictions apply equally to an onward transfer of PI – that is, from country 2 to a country 3. 

 

Under the amended law, however, the same requirement that applies to offshore transfer in the first place will apply to onward transfer offshore: Transfer of PI from country 2 to country 3 will require the users’ consent [3] – provided that advance disclosure will suffice in case of transfers that are for the purposes of providing the specific services and accommodating users’ convenience. In practice the requirement of consent will entail inclusion of an additional consent item (which should be accompanied by particulars such as identities of the transferees in country 3) among the initial set of consents requested of the users in Korea (typically in checkbox format). In situations where advance disclosure of the on-transfer will suffice, this can be provided for in the privacy policy, for which initial consent is requested.

 

Also, where PI is so transferred to country 3, the amended statute calls for the transferor (in country 2) to take measures to safeguard the PI so transferred. Under the current law this duty applies in the first stage, to an entity in Korea that transfers PI to a party in country 2, but the required “measures” are defined in a loose way (including “discussing” with a transferee, and “reflecting” in a contract with the transferee, matters of technical/managerial safeguards, and handling in case of a data breach). Under the amended law, this requirement will also apply to the transferor in country 2, in relation to the country 3 transferee.

 

Moreover, the amendments newly provide for a specific penalty in case of failure to take the protective measures, on the part of a first transferor and subsequent transferors.[4] On the other hand, the required “measures” (to be finalized by Presidential Decree) seem likely to remain loosely defined. Nor is it obvious how the new rules would effectively bind an entity that is offshore.

 


Reciprocity in PI outflow restrictions

Under the amended law, Korean regulators will be able to impose restrictions on the transfer of Korean PI to offshore IT service providers – online/connected services and goods – if and to the extent that those businesses’ home jurisdictions restrict the transfer of PI to overseas. How this change in the statute may translate into actual restrictions at the agency level – including the Korean Communications Commission – remains to be seen.

 

This reciprocity principle is seen to be largely in reaction to similar laws that have been passed, or are under consideration, to restrict PI outflows in a number of foreign jurisdictions, such as Russia, China, Vietnam and so on. Ultimately this type of issue would seem to call for resolution through bilateral treaty or international convention.

 

 





[1]   This part of the amended IT Networks Act is modelled in part on the local agent designation system instituted in Europe under Article 27 of GDPR, which came into force in May 2018. However, the local agent in Korea under the IT Networks Act will be directly responsible for fulfilling PI protection duties.

[2]   Failure to appoint a local agent is subject to an administrative fine of up to KRW 20 million (around USD 18,000); how the sanction would be enforceable in absence of a local presence might be questioned, but clearly it would be best to comply insofar as practical.

[3]   The amendment provides that transfer of PI without obtaining such consent, as required, will be subject to penalties in the amount of up to 3% of related sales. The new rules in this regard are patterned after GDPR Article 44.

[4]   Under the amended law, failure to take such measures, insofar as required, will be subject to an administrative fine of up to KRW 30 million (around USD 27,000). The current law lacks an explicit penalty, including in relation to the first transferor of PI from Korea.
