Increasing concerns are being raised as to privacy issues involved in recent cases where some smartphone app service providers have accessed and leaked information stored in users' smartphones.

In an attempt to address these concerns, amendments to the Act on the Promotion of Information Communication Network Utilization and the Protection of Information (the “ICN Act”) and the Enforcement Decree thereof (the “Amendment”) have been implemented since March 23, 2017, requiring app service providers to obtain user consent after informing users about “essential” access rights of smartphone apps distinct from “selective” ones.

In order to promote understanding of the Amendment and to prevent confusion when the Amendment is applied to practice, the Ministry of the Interior together with the Korean Communications Commission issued a “Privacy Guide for Access Rights of Smartphone Apps” (the “Guide”) which provides practical guide on what should and should not be done by smartphone operating systems, smartphone manufacturers, app service providers, app developers or app market operators. Some key aspects of the Guide are as follows: 

Click here to view table.

2. Definitions

  • An “operating system provider” is defined as “someone that manufactures and supplies a base operating system of mobile devices” under Article 22-2(3) of the ICN Act [e.g., Google (Android OS), Apple (iOS)].
  • A “smartphone manufacturer” is referred to as a “manufacturer of mobile devices” under Article 22-2(3) of the ICN Act (e.g., Samsung Electronics, LG Electronics, Apple).
  • An “app service provider” is referred to as a “telecommunications service provider” under Article 22-2(1) of the ICN Act (e.g., Naver, Kakao, SKT). Government agencies which provide app services are also deemed to be app service providers.
  • An “app developer” is defined as “someone that manufactures and supplies software for mobile devices” under Article 22-2(3) of the ICT Act.
  • An “app market operator” means someone that provides a mobile marketplace where apps can be traded between users and app service providers [e.g., Google (Google Play), Apple (App Store)].

3. What Providers/Operators/Developers Should Do

  • ​App service providers should
    • Limit apps’ access to information stored in smartphones or installed functions only to the extent necessary for services.
    • Distinguish between essential access rights and selective ones; clearly inform users about items requiring access rights and their reasons; and obtain user consent for both essential and selective access rights. 
  • Operating system providers should
    • Provide settings to consent or withdraw consent to access rights.
    • Prepare and release operating standards for access rights which app developers can easily understand so that they will not set unnecessary access rights.
  • Smartphone manufacturers should install operating systems on smartphones that provide settings to consent or withdraw consent to access rights.
  • App developers should implement settings to consent or withdraw consent to access rights in the process of manufacturing and supplying apps to fit the environment of smartphones and their operating systems.
  • App market operators should provide app services providers with space for notices related to access rights so that users can easily access such notices.

4. Scope of Application

  • The Guide applies to smartphones and table PCs with mobile communications. The Guide will not apply to devices that only perform functions such as Bluetooth, Wi-Fi, and tethering without utilizing mobile communication networks.
  • Access Rights Subject to User Consent Requirements
    • User consent will be required if the app service provider accesses, through apps, information stored in smartphones and installed functions (such as user save information, auto save information, device identification information, or input/output function).
    • User consent will not be required if the app only works within smartphones without sending or receiving information to and from the server of the app service provider. 
    • User consent will not be required if the app is pre-installed on smartphones in the process of manufacturing and the app accesses information in order to perform essential functions of smartphones (such as communications, or playing music or videos).

​The Guide is expected to ease concerns about personal data breach that may occur as a result of app service providers and others accessing information on users’ smartphones without authorization. The Ministry of the Interior and the Korean Communications Commission said that they would enforce the mobile application industry’s compliance with the laws and regulations on access rights of mobile apps starting from July this year after the period of raising awareness until June.