Key Changes to the Extraterritorial Applicability of the Network Act and Cross-border Transfer Rules of Personal Information | | On August 30, 2018, the National Assembly of Korea passed a bill containing a number of amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection (“Network Act”). This amended version of the Network Act (“Amended Act”) is expected to be promulgated in either September or October of this year, and will take effect 6 months after its promulgation date. The Amended Act contains several key changes regarding the extraterritorial applicability of the Network Act to foreign entities, and the cross-border transfer of personal information, among others. Key provisions of the Amended Act are summarized below. | (1) Foreign service providers required to designate a Korean representative (Amended Act, Article 32-5)
This new requirement is similar to Article 27 of the EU GDPR (which went into effect on May 25, 2018), which states that a controller or processor not established in the EU must designate a representative within the EU.
A. Key features of Article 32-5 | | a) | Who will be subject to this new requirement: (1) An information and communications service provider (“ICSP”) or (2) an entity that receives personal information from an ICSP that (i) does not have a local address or place of business in Korea and (ii) meets the criteria established by Presidential Decree (collectively, “Foreign Service Providers”). | | b) | Obligations of Foreign Service Providers: Foreign Service Providers must designate a corporation or individual that has an address or place of business in Korea as its representative with respect to the following tasks: (i) taking care of matters typically handled by a privacy officer (e.g., processing of user complaints), (ii) notifying/reporting data breaches to users and/or the pertinent authorities, and in cases where such notice/reporting is delayed, explaining the reason for such delay, and (iii) submitting materials to the Korean regulators responsible for enforcing the Network Act (i.e., Ministry of Science and ICT, Korea Communications Commission) that are necessary for the regulators to conduct their investigations. The Foreign Service Provider must include information regarding its Korean representative (e.g., name, contact information) in the Foreign Service Provider’s privacy policy. | | c) | What happens in case of a violation: If a Foreign Service Provider fails to designate a Korean representative in accordance with Article 35-2 of the Amended Act, the Foreign Service Provider will be subject to an administrative fine of up to KRW 20 million (apprx. USD 18,000). | B. Implications of Article 35-2 | | By adopting this Korean representative requirement, Korean legislators are said to be providing more explicit guidance on the extraterritorial applicability of the Network Act to foreign entities. The current version of the Network Act is silent on whether the Network Act applies to a foreign company without a local presence in Korea. However, in practice, the KCC has often taken the position that the Network Act applies to Foreign Service Providers as well. With the adoption of Article 35-2, it has become clearer that Foreign Service Providers may also be subject to the Network Act. Also, given the types of tasks that the Korean representative of a Foreign Service Provider is required to perform, Article 35-2 of the Amended Act will likely be used by regulators to strengthen the enforcement of the Network Act against Foreign Service Providers. The Presidential Decree that stipulates the criteria of the Foreign Service Providers who will be subject to Article 35-2 of the Amended Act has not yet been drafted, so foreign companies who provide information and communications services to Korean users are advised to continue monitoring any legislative developments on this front. Foreign Service Providers who are required to designate a representative in Korea will need to review their internal policies and practice to see whether they comply with the Network Act, and implement measures to address any identified gaps. In sum, Foreign Service Providers should take the necessary measures in advance to minimize any non-compliance risk and designate the appropriate representative in Korea after considering various factors since the representative is tasked with a very important role. | (2) Restrictions on onward transfers of personal information to a third country (Amended Act, Article 63(5))
The current version of the Network Act places certain restrictions on the cross-border transfer of personal information from Korea to an overseas location (Article 63), but does not specifically regulate the onward transfer of the said personal information to a third country after the initial transfer (which the Amended Act does).
A. Key features of Article 63(5) | | a) | Who will be subject to this new provision: Anyone who receives personal information from a Korean business entity that is subject to the Network Act (“Third-Party Recipient”). | | b) | Obligations of Third-Party Recipients: Third-Party Recipients (i) may not enter into any data processing agreement that violates the Network Act, and (ii) must obtain the user’s consent to re-transfer his/her personal information to a third country. (Yet, if the onward transfer is necessary to perform the contract with the users and enhances the convenience of users, consent does not need to be obtained as long as information concerning the onward transfer is disclosed in the privacy policy.) Also, Third-Party Recipients (iii) must implement certain safeguards prescribed by the Enforcement Decree of the Network Act in order to protect the personal information that is being re-transferred to a third country. | | c) | What happens in case of a violation: If the Third-Party Recipient fails to obtain the user’s consent to the onward transfer of his/her personal information, the Third-Party Recipient may be required to pay a penalty surcharge of up to 3% of its relevant revenue. Meanwhile, failure to implement the security measures prescribed by the Enforcement Decree of the Network Act may result in an administrative fine of up to KRW 30 million (apprx. USD 26,000). | B. Implications of Article 63(5) | | The adoption of Article 63(5) is expected to accelerate the ongoing process for the European Commission’s adequacy decision regarding the level of data protection offered by Korea. In addition, when it takes effect, Article 63(5) will finally provide a statutory basis for regulating onward transfers of personal information to third countries after initial cross-border transfers from Korea. As such, it will be necessary for Third-Party Recipients (including the foreign affiliates of Korean companies) that receive personal information from Korean ICSPs to check whether they will be conducting onward transfers of such personal information to third countries and the purposes therefor in order to ensure compliance with the various requirements contained in this new provision. | (3) Creation of Reciprocity Provision (Amended Act, Article 63-2)
A. Key Features of Article 63-2 | | Provides that comparable restrictions may be placed on cross-border transfers of personal information to ICSPs of any country that has placed restrictions on cross-border transfers of personal information therefrom (excluding cases where cross-border transfers are made pursuant to international treaties or agreements). | B. Implications of Article 63-2 | | The creation of this provision appears to be a response to the localization trend affecting the regulation of personal information throughout the world as evidenced by the restrictions placed on cross-border transfers of personal information in certain countries. Specifically, the adoption of Article 63-2 is seen as an attempt by Korean regulators to achieve parity with the regulatory policies of other countries and enhance protection of the personal information of Korean data subjects by subjecting foreign ICSPs to similar restrictions on cross-border data transfers as those applying to Korean companies in such countries at a time when the economic value of personal information is ever increasing. However, Article 63-2 merely provides a possibility that Korean regulators may impose similar restrictions based on the principle of reciprocity without specifying which regulator will issue such restrictions and which entities or individuals of other countries may actually be subject to such restrictions. Therefore, it appears difficult at the moment to implement specific and meaningful restrictions based on the principle of reciprocity by using this provision alone. Consequently, it may be necessary to keep track of how Korean regulators interpret and enforce this provision after the Amended Act takes effect. | (4) Conclusion
As discussed above, the Amended Act expands the applicability and enforceability of the Network Act to Foreign Service Providers and subjects them to strict restrictions on onward transfers of personal information to third countries after initial cross-border transfers from Korea. In particular, companies actively conducting cross-border data transfers to and from affiliates situated across various jurisdictions are advised to pay special attention to Article 63(5) of the Amended Act. Additionally, the adoption of Article 63-2 of the Amended Act may, depending on the specific measures that will be implemented by Korean regulators, have far-reaching consequences on cross-border transfers of personal information in the future. Therefore, ICSPs and Third-Party Recipients – both with or without a local address or place of business in Korea – are advised to continue monitoring developments related to the enactment of the corresponding Presidential Decree and the enforcement practice of Korean regulators following the effective date of the Amended Act. |
| | | | | |
| |
