On March 3, 2015, the National Assembly passed the Act on the Development of Cloud Computing and Protection of Users (the “Act”) which aims to promote cloud computing by allowing government agencies and public institutions to use cloud services provided by private companies, supporting research and development, and enhancing data protection and security. The Act will come into force six months after its upcoming promulgation.

As a first step to promote the adoption of cloud computing, the Act requires the central and local governments and public institutions to make their endeavor to adopt cloud computing and consider the adoption of cloud computing as a priority in setting up information and communications technology projects and budgets (Article 12). To accelerate the adoption of cloud computing in the public sector, the Act allows government agencies and public institutions to use cloud services provided by private companies (Article 20).

The Act allows companies using cloud services to be eligible for business or project approval without being equipped with further computing facilities where computing facilities are required as a condition for approval, and thus reduces the time and cost of setting up computing facilities and also eases approval regulations (Article 21).

The Act includes a variety of measures that will help to enhance the nation’s competitiveness in the cloud industry, such as setting up a government-wide master plan (Article 5), government support for research and development (Article 8), pilot projects (Article 9), tax support (Article 10), support for small and medium sized enterprises (Article 11), disclosure of information about government agencies’ demand for cloud computing services (Article 13), training (Article 14), and industrial complexes for cloud computing (Article 17).

In addition, the Act provides greater assurance that cloud computing services afford adequate data protection and security. For instance, the Act allows the government to establish (i) detailed criteria regarding quality, performance reliability, data protection and security (Article 23), and (ii) standard contracts (Article 24), regarding cloud computing services, and recommend them to cloud computing service providers. The Act also states that service disruptions or leakage must be reported to users (Article 25). The Act empowers users to demand cloud computing service providers to disclose storage of user information overseas (Article 26). The Act prohibits cloud service providers from disclosing user information to any third party and requires them to return or destroy user information when they close their business (Article 27). Under the Act, cloud computing service providers will also be liable for damages that users have suffered due to their breach of the Act.

The Act is expected to vitalize the cloud computing market in Korea and enhance the nation’s competitiveness in the industry by expanding cloud adoption in the public sector, boosting investment, and providing assurance of adequate data protection and security. The Act will also urge cloud computing service providers to actively seek measures to prevent information leak.

The Act will help to create and develop new opportunities for cloud-based convergence services across a variety of fields including healthcare, education and security.

It should be carefully watched how the follow-up enforcement decree of the Act and the government-wide master plan will further materialize the provisions of the Act.