Korean data law amendments pose new constraints for cross-border online services and data flows

Bae, Kim & Lee LLC | View firm profile

Under amendments to IT Networks
Act, set to take effect in March 2019,
offshore online businesses, meeting thresholds of nexus to Korea, will be
required to designate local agent
for regulatory oversight purposes.

Amended rules will also newly restrict onward transfer (to additional countries) of personal
information by offshore parties, and, on a reciprocity basis, allow regulators
to restrict transfers of personal information to countries that likewise
restrict outflows of such data.

Passed on August 30, 2018,
amendments to the Act on Promotion of Information and Communications Network
Utilization and Data Protection, Etc. (or IT
Networks Act
) will impose, on some range of larger offshore businesses, an
obligation to appoint a local agent responsible for Korean data privacy
compliance. The amended law will also impose new restrictions on the offshore
on-transfer, i.e. to 3rd countries, of personal information (PI), requiring
consent of, or at least notice to, the individuals, and extend to onward
transferors a duty to take protective measures (vis-à-vis the transferee). And
the amendments include a reciprocity principle that will allow the government
to restrict transfers of PI to offshore companies whose home jurisdictions
similarly restrict outflow of PI. The amended rules will take effect in early March 2019, i.e. 6 months from
the formal promulgation which is during this first week of September 2018.

Major online businesses lacking “presence” in Korea will be
required to appoint a local agent, responsible for privacy compliance.

Under the amended IT Networks
Act, offshore “IT service providers
– including online/connected service providers and sellers – will be required
to appoint an agent in Korea, for data regulation purposes,if they satisfy some threshold of scale (in
terms of local user numbers and/or revenue, but yet to be decided) and lack an “address” or “a place of business”
in Korea. The requirement could also apply, evidently, to offshore
transferees of data – offshore
businesses that (e.g. as data controllers or processors) receive PI of
Korean individuals from IT service providers, given the way in which the
amended law refers to “IT service providers and others”. [1]

The local “agent” (or
representative, in Korean) will be responsible
for local data privacy compliance, as the chief privacy officer (person in
charge of personal information protection. As such, the agent will be responsible for effecting PI protection
, reporting to authorities and notifying users in case of data
leaks, and responding, and submitting documents and materials, to the
authorities in case of some violation of the IT Networks Act.[2] (The
“authorities” will mean mainly the Ministry of Science & ICT and the Korean
Communications Commission.) If the agent should end up violating the IT
Networks Act, this will be imputed to the offshore entity.

The local agent can be either an
individual or a corporate entity, but it isn’t clear whether the agent has to
have any specific standing or qualification. On the face of the amended law,
the local agent might be, say, an officer or employee of a local subsidiary.
(It might be that having a local subsidiary already means that one does not
lack a local “address” or “business presence” in the first place, but this
seems doubtful.)

To what offshore businesses will the new requirements apply? Precise thresholds for the
affected offshore businesses, in terms of user numbers and revenues, remain to
be defined. This will follow under a Presidential Decree (primary implementing
regulation), which should issue at latest a month or two before the early March
2019 effective date of the amendments. Widespread speculation in Korea is that,
in any case, the thresholds will “capture” businesses on the scale of Google,
Apple and Facebook.

As to the separate issue of
whether the offshore business indeed lacks
a local “address” or “place of business”
, what would that mean? Surely the
new requirement will not apply to, say, an offshore entity that has a local
branch or representative office in Korea. The question is what else would
constitute a local presence for this purpose. As noted above, it seems unlikely
that that would include a local subsidiary. But this part of the new
requirement isn’t particularly defined, nor is it slated to be clarified by
ensuing regulations. It may, for some time, remain a point for interpretation.

New restrictions on offshore onward transfer of PI

Under the current IT Networks
Act, the transfer of Korean personal information by an IT service provider from
Korea (country 1) to an offshore country (country 2) is already restricted:
This requires specific user consent. (As an exception, it suffices to disclose
offshore transfers, typically in a privacy policy, insofar as the transfers are
both “necessary” for the carrying out of the services and designed to enhance
the user’s convenience.) Under the current statute, it’s not clear that these
restrictions apply equally to an onward transfer of PI – that is, from country
2 to a country 3.

Under the amended law, however,
the same requirement that applies to offshore transfer in the first place will
apply to onward transfer offshore: Transfer of PI from country 2 to country 3
will require the users’ consent [3]
– provided that advance disclosure will suffice in case of transfers that are
for the purposes of providing the specific services and accommodating users’
convenience. In practice the requirement of consent will entail inclusion of an
additional consent item (which should be accompanied by particulars such as
identities of the transferees in country 3) among the initial set of consents
requested of the users in Korea (typically in checkbox format). In situations
where advance disclosure of the on-transfer will suffice, this can be provided
for in the privacy policy, for which initial consent is requested.

Also, where PI is so transferred
to country 3, the amended statute calls for the transferor (in country 2) to take measures to safeguard the PI so
transferred. Under the current law this duty applies in the first stage, to an
entity in Korea that transfers PI to a party in country 2, but the required
“measures” are defined in a loose way (including “discussing” with a
transferee, and “reflecting” in a contract with the transferee, matters of
technical/managerial safeguards, and handling in case of a data breach). Under
the amended law, this requirement will also apply to the transferor in country 2,
in relation to the country 3 transferee.

Moreover, the amendments newly
provide for a specific penalty in case
of failure to take the protective measures, on the part of a first
transferor and subsequent transferors.

[4] On the other hand, the required
“measures” (to be finalized by Presidential Decree) seem likely to remain
loosely defined. Nor is it obvious how the new rules would effectively bind an
entity that is offshore.

Reciprocity in PI outflow restrictions

Under the amended law, Korean
regulators will be able to impose
restrictions on the transfer of Korean PI to offshore IT service providers
– online/connected services and goods – if
and to the extent that those businesses’ home jurisdictions restrict the
transfer of PI to overseas. How this change in the statute may translate
into actual restrictions at the agency level – including the Korean
Communications Commission – remains to be seen.

This reciprocity principle is
seen to be largely in reaction to similar laws that have been passed, or are
under consideration, to restrict PI outflows in a number of foreign
jurisdictions, such as Russia, China, Vietnam and so on. Ultimately this type
of issue would seem to call for resolution through bilateral treaty or
international convention.

[1] This part of the amended IT Networks Act is
modelled in part on the local agent designation system instituted in Europe
under Article 27 of GDPR, which came into force in May 2018. However, the local
agent in Korea under the IT Networks Act will be directly responsible for
fulfilling PI protection duties.

[2] Failure to appoint a local agent is subject
to an administrative fine of up to KRW 20 million (around USD 18,000); how the
sanction would be enforceable in absence of a local presence might be
questioned, but clearly it would be best to comply insofar as practical.

[3] The amendment provides that transfer of PI
without obtaining such consent, as required, will be subject to penalties in
the amount of up to 3% of related sales. The new rules in this regard are
patterned after GDPR Article 44.

[4] Under the amended law, failure to take such
measures, insofar as required, will be subject to an administrative fine of up
to KRW 30 million (around USD 27,000). The current law lacks an explicit penalty,
including in relation to the first transferor of PI from Korea.

update is intended as a summary news report only, and not as advice. For legal
advice, please inquire with your contact at Bae, Kim & Lee LLC, or the
following authors of this bulletin:

Kwang Hyun RYOO  

T 82.2.3404.0150

E kh.ryoo@bkl.co.kr


T 82.2.3404.0485

E taeuk.kang@bkl.co.kr



T 82.2.3404.6542

E juho.yoon@bkl.co.kr

More from Bae, Kim & Lee LLC