Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

The Cloud Computing Act defines cloud computing, cloud computing technology and cloud computing service as follows:

Cloud computing

An information processing system that enables elastic use of integrated and shared resources for information and communications (such as devices for information and communications, information and communications systems, and software) through information and communications networks, to fit the users’ requirements or demands.

Cloud computing technology

Technology required for setting up and using the cloud including the following:

  • virtualisation technology: technology for virtually combining or dividing resources for information and communications including integrated or shared information and communications devices, information and communications facilities, and software;
  • distributed processing technology: technology that processes a large volume of information by dispersing it into multiple information and communications resources; and
  • others: technology that utilises information and communications resources in setting up and using cloud computing systems, including technologies that automate the placement, management and so on of information and communications resources.

Cloud computing services

Commercial services for providing resources for information and communications by utilising cloud computing including the following:

  • service of providing servers, storage, networks, among others;
  • service of providing software, including applications;
  • service of providing an environment for developing, distributing, operating, managing, and suchlike, software, including applications; and
  • other services combining at least two of the above services.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

The purpose of the Cloud Computing Act is to promote and develop cloud computing rather than to regulate cloud computing. Under the Cloud Computing Act, an agreement between the cloud computing service provider and the cloud service user will be deemed to satisfy the requirements for IT facilities, devices and systems that are necessary to obtain permits, approvals, registration or designations pursuant to other laws. However, the Cloud Computing Act does not contain explicit prohibitions. Rather, detailed measures that directly or indirectly restrict cloud computing are contained in industry-specific laws and the privacy laws of Korea. In other words, Korea adopts a negative regulatory approach, where cloud computing is generally permitted unless explicitly restricted by a specific statute.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

For personal information protection in the cloud, the Personal Information Protection Act (the PIPA) and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc (the Network Act) apply. Accordingly, the collection, use, provision, delegation, destruction and storage of personal information being processed by cloud computing are subject to the PIPA and the Network Act. Both the PIPA and the Network Act contain stringent provisions to ensure the protection of data subjects, with corresponding heavy penalties. Under the PIPA, a cloud computing service provider is considered a delegatee to whom personal information processing has been delegated and is treated as a data processor.

With regard to data security, the Ministry of Science and ICT has promulgated ‘Standards for Information Protection by Cloud Computing Providers’ (Cloud Computing Standards). The Cloud Computing Standards do not have the effect of binding law but compliance therewith is, nonetheless, recommended.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

A cloud computing service provider could become subject to criminal penalties in the event the cloud computing service user’s data is provided to a third party by the cloud computing service provider. As noted above, the Cloud Computing Standards do not have the force of law and therefore, in theory, the quality, performance and data protection levels stated therein are not mandatory. Failure to notify the relevant authorities or the users of the occurrence of any infiltration incident, or to return or destroy information, will be subject to a fine. Furthermore, if the cloud service provider breaches any provisions of the PIPA or the Network Act, the cloud service provider could be subject to a fine, corrective measure or criminal penalty based on the relevant statutory provisions.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

Pursuant to the Cloud Computing Act, the Ministry of Science and ICT, in consultation with the Fair Trade Commission, has published a model cloud computing agreement for business-to-business (B2B) and business-to-consumer (B2C), respectively. The purpose of this model agreement is to protect the rights of the users and to establish fair trade. The Ministry of Science and ICT can recommend that cloud computing providers use this model agreement.

The model agreement includes the following protective measures:

  • the PIPA and the Network Act will apply to personal information thereby reinforcing the protection of personal information;
  • any incident of leakage of user information must be notified to the user and the Ministry of Science and ICT to enable prompt remedial measures with respect to such incident;
  • to enhance the user’s right to know, in the event the user’s data is stored overseas, the user can demand disclosure of the country where data is stored and the fact that cloud computing is being used, with respect to which recommendation measures for disclosure can be issued; and
  • to prevent the misuse of user data, any provision of user data to third parties without consent or use of user data beyond the agreed purpose shall be subject to criminal penalties.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

Public sector

The Cloud Computing Act states the obligation of governmental agencies to make efforts to adopt cloud computing and recommends that governmental agencies use the cloud computing systems developed by the private sector rather than developing their own cloud computing systems. To support the adoption of cloud computing in the public sector, a joint policy commission consisting of the Ministry of the Interior and Safety, the Ministry of Science and ICT, the Ministry of Economy and Finance, the Public Procurement Service and the National Intelligence Service has been set up. A security review by the National Intelligence Service is required for governmental agencies to adopt a certain cloud computing system.

Finance sector

The amendments to the Electronic Finance Supervisory Regulations announced by the Financial Services Commission became effective on 1 January 2019. These amendments allow personal credit information to be processed on the cloud while strengthening the security level and management supervisory systems of cloud computing used in the financial sector. The major amendments are as follows:

  • The most important amendment is the expanded scope of cloud use that is permitted. In the past, financial institutions and electronic financial companies could only use the cloud to process non-critical information. Now, under the amendments to the Electronic Finance Supervisory Regulations, the cloud can be used for personal credit information and personal identification information as well (article 14-2, sections 1 and 8).
  • The amendments provide for a new finance-sector-specific standard for the use and provision of cloud services such as security measures applicable to the finance sector (article 14-2, section 1, Annex 2-2), which did not exist previously.
  • The amendments impose a new obligation on financial institutions and electronic financial companies to assess the security of the data processing systems in the cloud and to conduct a review and decision process by their internal data protection committee (article 14-2, sections 1 and 2).
  • The amendments reinforce the supervisory role of the regulatory authorities by requiring financial institutions and electronic financial companies to report the use of cloud services for personal credit information and personal identification information, for matters that materially impact the security and credibility of electronic financial transactions and for other critical events (article 14-2, sections 3 and 6).
  • To ensure regulatory enforcement and consumer protection, only cloud computing providers whose data processing systems are in Korea can be used for processing personal information and personal identification information (article 14-2, section 8).

Healthcare sector

The amendment to the Standards on Facilities and Devices for Administration and Retention of Electronic Medical Records in 2016 has paved the way for the adoption of cloud computing in the healthcare sector. The amendment revises the requirement to store electronic medical records inside hospitals and allows the administration and storage of medical records with external companies or at remote locations that meet certain qualifications. However, electronic medical records cannot be stored outside of Korea.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

There are no insolvency laws that only apply to cloud computing service providers. However, the Cloud Computing Act contains a provision that applies when the cloud computing provider suspends its service due to reasons such as sudden insolvency. Under this provision, the cloud computing service provider and the user can agree to temporarily store the user’s data with a third party. Also, if a cloud computing service provider intends to terminate its business, it must notify the user of such termination and return all data to the user or destroy it prior to the date of termination of business. If, for any reason, it becomes impossible to return the information (for example, the user fails to accept, or refuses, the return of such information), the cloud computing service provider must destroy the information.