In this issue:
1. Korea on verge of major amendment of data privacy statute
Draft amendment to Personal Information Protection Act, likely to be passed in 4Q 2021, would significantly reinforce and expand the regulatory framework.
Key provisions would drastically augment potential fines for violation (to a percentage of worldwide revenue), enable regulator to enjoin transfers of data overseas, clarify applicability to offline (as well as online) data handlers, and mandate local dispute resolution for all data controllers.
Other provisions would institute a scope of data portability. Framework for data processor to data (sub)processor transfers would be tightened.
Impending amendment also includes some accommodation for exceptions to requirement of data subject consent for data collection and processing.
A bill to amend the Personal Information Protection Act (PIPA), significantly bolstering regulatory control over collection and use of personal information (PI), is likely to be passed, without major revision, by the National Assembly before the end of 2021, possibly within October 2021. Sponsored by ruling party legislators, the bill has advanced swiftly, with few modifications, since an initial version was unveiled in January 2021, and faces little opposition now, amid a widespread perception that foreign-based online services tend to observe a lesser degree of compliance with PIPA than Korean businesses.
Assuming this probable-though-uncertain amendment of Korea’s main data protection statute in 4Q 2021, important changes – such as a broad expansion in the scope of possible fines for violations, and changes to the framework for overseas transfer of PI – would seem likely to come into force by late 2022, if not sooner (that is, 6 to 12 months following formal promulgation). The amendments, which in multiple ways emulate features of GDPR (and are partly linked to the approaching GDPR adequacy decision), will significantly expand the remit of the primary regulator, the Personal Information Protection Commission (PIPC). Main features of the draft legislation, if passed in its current form, will include the following:
● Maximum administrative penalty of 3% of total revenue: Under current PIPA, the most severe available administrative sanctions – for primary types of violations such as collecting or transferring PI without required consent – is up to 3% of the PI controller’s revenues “relating to the violative conduct”, normally meaning revenues relating to the affected service in Korea. In a key change, the pending bill would augment this maximum penalty to 3% of the PI controller’s total revenues altogether, in other words, worldwide, across its entire range of revenues.
● Overseas transfer of PI: PIPA will allow data controllers to transfer PI overseas – not only with opt-in consent of data subjects as at present – but without such consent in situations such as where (i) the transfer is to a country deemed by the PIPC to satisfy PIPA levels of data protection (including as to data subjects’ rights and remediation), or (ii) the transferee has obtained a certification, to be administered by PIPC, and implemented data security and certification-related measures, or (iii) the transfer is necessary, in contractual context, for data processing or storage and is suitably informed to the data subject.
● Authority to suspend overseas transfer: At the same time, the PIPC will newly have authority to order suspension of PI transfer to overseas, where the transfer is conducted in violation of PIPA, or the transferee’s – or its country’s – data protection standards are deemed by the PIPC to fall “clearly” short of PIPA standards.
● Data portability: The draft amendments include a scope of data portability rights: Data subjects will be able to require the transfer of their PI (processed by computer or other IT methods) to themselves, or to another data controller (or designated special agency), subject to certain parameters. Among various limitations, the right will only be assertable to data controllers meeting certain to-be-defined thresholds (in revenue and users), for transmission of PI to transferees that meet data security compliance criteria and facility/equipment standards.
● Consent required for re-entrustment: Amended provisions will newly require an entrustee (data processor in GDPR terms) to obtain the data controller’s consent before re-entrusting the data to another entrustee (sub-processor), whereas current rules require only that such re-entrustment be, in some fashion, governed under the initial entrustment contract.
● Modifications to consent requirements: The draft amendments would seem to relax data subject consent requirements in some respects, including by allowing collection and processing, without consent per se, where this is “necessary” (rather than “indispensable”, as under current rules) to comply with a request of the data subject in the course of entering into or performing a contract with the data subject.
● Offline data controllers: Parts of the PIPA framework that has applied only to online businesses will specifically also apply to offline ones, including requirements: to update data subjects annually on the use and transfer of their PI; above certain thresholds of revenues or users, to maintain insurance, or reserve, to cover liability for data incidents; and, in the case of offshore PI controllers above certain thresholds, to appoint a local data representative. Potential criminal as well as administrative penalties (of which the latter will be newly augmented, as noted above) will also extend to offline PI controllers.
● Excluding PI from automatic decision-making: Data subjects will have the right to refuse the use of their PI in automated decision-making (such as AI-powered credit- or employment-related decisions) that impact significantly on their rights or obligations, or, in theory at least, to demand explanation of the decisions. However, this will entitle the data subject to refuse use of their PI only in processing that will otherwise be without their consent in a certain range of situations.
● Dormant PI: Relaxing current PIPA in one respect, the changes will eliminate the requirement to delete, or separately store, PI of users who have been dormant for a year or longer. PIPA will still generally require prompt destruction of PI once the purpose of collection is fulfilled, however, and the amendment will newly include pseudonymized data in this requirement.
● Dispute resolution; fact-finding powers: Under the draft amendment, all data controllers would be required to accede to dispute resolution with the Personal Information Dispute Mediation Committee, and that body would enjoy broader powers to conduct site visits and access records when this is deemed necessary for fact-finding purposes.
● Other: Further changes would somewhat enlarge the PIPC’s latitude to take corrective measures (no longer confining this to cases of impending irremediable harm), and to monitor, and “recommend” modifications to, privacy policies. Other provisions go to technology advances, such as by regulating mobile video recording devices, e.g. drones, but also relaxing current constraints for the use of CCTV by, basically, allowing it for some wider set of purposes than at present.
These impending change to PIPA, if passed – which, while uncertain, looks very likely to happen in 2021, with the amended statute taking force by late 2022 –, will soon usher in a markedly different regulatory terrain for data protection compliance. For many offshore as well as domestic services that collect and process PI of customers and users in Korea, it may well be useful to anticipate the looming changes in potential compliance risks and related needs.
2. Korea to police “unfair” payment and other practices of app market operators such as Google and Apple
Amendments to Telecommunications Business Act, passed on August 31, 2021, impose constraints on how “app market enterprises” deal with app developers and other content providers, and require added disclosure for users.
Key provisions effective from September 14, 2021 restrict app stores from “unfairly” requiring developers to use a specific payment system i.e. such as the operator’s in-app billing system. Further provisions restrict how store operators handle review and deletion of apps.
Other parts of the rules, taking effect in March 2022, require further scope of disclosures, such as payment-related information, for benefit of app users.
The National Assembly on August 31, 2021 passed legislation to restrict the billing policies and other aspect of how “app market enterprises” – of uncertain scope, but clearly including app store operators such as Google and Apple – transact with app developers (more generally, mobile content providers – CPs) and end customers. The amendments to the Telecommunications Business Act (TBA), Korea’s main telecom sector statute, also impose on app market enterprises (or “app market service providers”) certain requirements of payment-related disclosure to users.
The main provisions, which took effect at formal promulgation on September 14, 2021, prohibits various kinds of “unfair” dealing with app CPs, and enable regulatory probing in case of suspected violation, potentially subject to revenue-based fines and also criminal sanctions. The rules apply to “app markets”, where transactions in mobile content are hosted and mediated, which clearly includes app stores, but, for now, could conceivably reach further scope of further platforms where mobile content is offered for purchase or “mediated”. App market enterprises are classed as a subcategory of “value added telecom service providers”.
Billing and other practices in relation to CPs: As noted in our fuller bulletin, a key clause would prohibit app markets from: “unfairly taking advantage of bargaining position so as to impose a particular payment method” on a CP. It is this clause which has been widely reported in the press as prohibiting app stores like Google and Apple from requiring use of their in-app billing systems, but there will be situations where the qualification in terms of acting “unfairly” will be relevant. The same part of the amended law also prohibits an app market operator from “unfairly delaying review of mobile content”, or “unfairly removing mobile content from the market”. What specific kinds of practices would fall within such descriptions is not fully clear, for now, and is a point of brewing controversy in Korea.
Those restrictions took effect on September 14, 2021, although the regulator in charge, the Korea Communications Commission (KCC), has indicated that it will allow some space for “voluntary” moves toward compliance. The potential administrative penalty for violation of these restrictions is up to 3% of the store operator’s average annual revenue (impliedly Korean revenue) during the 3 preceding years, and there is also a potential criminal penalty, in fines of up to KRW 300 million, around USD 250,000. The KCC would have to first determine there is a violation, and in that regard other parts of the law, set to take effect in March 2022, will enable further fact-finding and investigative steps by the KCC. This along with some other features await elaboration in a Presidential Decree, or prime implementing decree, which should be finalized by the early part of 2022, ahead of that March effective date.
The scope of an existing local dispute resolution framework for users will be extended to these aspects. Various kinds of disputes between users and telecom service providers are already capable of being submitted for mediation to the Telecommunications Dispute Resolution Committee, a subcommittee of the KCC. Under the amended TBA, this mediation forum will also be available to users for their disputes with app market operators relating to payments, cancellations and refunds.
3. Korean Supreme Court rules that posting links to copyright-infringing download sites can constitute complicity in copyright infringement
The act of posting a link to unlawful file-share resources can constitute copyright infringement, according to a September 9, 2021 decision of the Korea Supreme Court. As reported in our fuller bulletin, in a case involving a local “Watch Again Links” website, listing links to offshore video sharing pages, the court ruled that, where a person posts a link to webpages containing material that violates copyrights, this act of posting a link can itself constitute complicity in infringement of the rights of public transmission in the copyrighted content, if the person, in posting the links, (i) does so for profit and in a continual manner, (ii) is sufficiently aware that the linked materials violate copyrights, and (iii) facilitates general access (by “members of the public”) to the infringing content. In deference to free speech concerns, the court further clarified that culpable complicity on this basis may be found only if the posting user was “clearly” cognizant of the unlawfulness of the linked content and, further, the act of posting the link actually contributed to the effective infringement by the main offenders, in this context the sundry “unidentified persons” who posted the content on the file-share sites.
In the court’s reasoning, if the posting of such links enables “members of the public” to access copyright-infringing content that they would not otherwise have come across, thus facilitating the offering of such content by the main offenders, and augmenting their infringements of the public transmission rights, that act of posting links can fall within the criminal offense of aiding and abetting the infringements. (Procedurally, the Supreme Court remanded the case to the intermediate court, which had ruled the defendant not guilty of infringement.)
The situation till now, widely criticized for the easy access to unlawful offshore downloads, has been partly attributable to the Supreme Court’s own finding, in a 2015 precedent, that posting a link could not be seen as aiding the commission of copyright infringements. Veering from that precedent, the present decision would seem to have implications for a variety of entertainment, news and other content-sharing services and platforms, supplying a potential predicate for damages and injunctive actions against Korean parties, in relation to one of the prevalent modes of infringement on the internet.
4. “Information Security Industry” Statute Will Require Disclosure of Data Security-Related Expenditures and Headcount, for Range of Online and IT Related Businesses
Draft criteria announced on August 11, 2021 point to applicability of disclosure requirements – effective from December 9, 2021 – to potentially wide range of online services, for one thing
Recent amendments to the Act on Promotion of Information Security Industry (or ISIA), coupled with the implementing regulations, will require online service providers (if meeting some threshold of scale), along with telecoms, and data center and cloud computing businesses, to disclose certain information concerning their information technology and data security resources on an annual business, starting with figures for 2021. Required disclosures will cover basic figures for (i) amounts of investment in information technology and data security, (ii) numbers of personnel dedicated to IT and data security, and (iii) status of data security certifications and related programs and efforts (inspection, training, etc.).
The ISIA, till now a purely voluntary (and thus widely disregarded) framework for these disclosures concerning scope of IT and data security, was amended on June 8, 2021, with effect from December 9, 2021, to mandate these same disclosures, for companies that meet applicable criteria, left to be defined in the Enforcement Decree for the amended statute (ISIA-ED).
According to a draft ISIA-ED, published on August 11, 2021 by the Ministry of Science & ICT (MSIT, the main regulator in this regard), subject companies would include any “IT service provider” (including any business providing information through an online network – virtually any online service) if it had even just 100,000 or more Korean users, in daily average numbers during the 4th quarter of the preceding year – a decidedly modest threshold (surprising to most observers), drafted perhaps with a view to multinational B2B service providers. Also subject to disclosure, according to the MSIT draft, would be any Korea stock exchange-traded company of a certain scale (KRW 50 billion, around USD 40 million, or more in revenues), and, regardless of scale, any telecom (facilities-based telecom service provider), and any company in the business of operating data centers or cloud computing services. (For these and other features of the draft ISIA-ED, the MSIT invited public comment, with due date of September 23, 2021.)
The final ISIA-ED will probably come out by late November 2021, if not sooner, ahead of December 9 when the requirements come into force. Among other aspects that might change, the 100,000 user threshold for IT service providers in general seems likely to be enlarged – at least a significant part of comments submitted to the MSIT go to that feature – but this remains to be seen.
Affected businesses will be required to post the data to the online disclosure system run by the Korea Internet & Security Agency. The scope of required disclosures is not extensive, but clearly there will be potentially sensitivities at some level. The figures must include investment in IT and information security, as noted above, broken down into costs and assets, and personnel numbers, external as well as internal. On the face of them, the requirements are potentially ambiguous, including even about basis aspects such as whether they should cover worldwide figures, or only in-Korea figures. Other required disclosures involve data security related certifications (ISMS certifications etc.), and efforts such as inspection, monitoring, training.)
5. Data protection regulator supplements guidelines for use of biometric data, extends them to all data controllers
The Personal Information Protection Commission (PIPC) of Korea on September 8, 2021 issued amended guidelines for the use and protection of biometric information such as fingerprints and palm prints, facial images and measurements, and iris captures. The amended guidelines, issued further to the Personal Information Protection Act (PIPA) and effective from September 13, 2021, serve to clarify basic encryption requirements, and specify a detailed set of further security measures for the use of “biometric identifiers”, as an advanced range of biometric data. The “Biometric Information Protection Guidelines”, while not regulations per se, will merit careful observance among relevant data controllers and processors, including businesses involved in development and offering of biometric data-based services.
Among key aspects, as detailed in our fuller bulletin, the modified Guidelines are expressly applicable to all personal information controllers, offline as well as online, not just (as was previously the case) “IT service providers” such as online services.
Pre-existing guidelines addressed a number of general issues surrounding use of bodily data (called “bio-information” till now), but the amended Guidelines newly distinguish the subcategory of “biometric identifiers” – bodily data that is additionally processed for purposes of identifying individuals (such as algorithmic facial mapping data). The Guidelines clarify the applicability, to such data, of encryption requirements under separate standards and guidelines issued pursuant to PIPA.
The Guidelines newly introduce a range of protective measures that should be observed in the several defined phases of processing of biometric identifiers, for example: in development phase, planning of alternatives in case of data subject objection to use of their biometric identifiers; in collection and use/transfer phases, steps to protect such data in process of transmission and to ensure use within consented-to scope. Among implications, the Guidelines make it clear that processing of previously collected bodily data (e.g. facial photos) so as to newly generate biometric data (e.g. facial mapping) will require further consent, insofar as this falls outside the original consented-to purpose of collection.
The PIPC has helpfully circulated a self-checklist (in Korean) that runs through the main points of the Guideline. (An English version of the checklist is available from BKL.)
6. Regulator invalidates food delivery app terms that disclaimed any platform liability, altogether, for order and delivery issues
The Korea Fair Trade Commission (KFTC) on August 18, 2021 announced that, among the app terms for use of the two leading food delivery apps in Korea (Baedal Minjok and Yogiyo), it had found invalid several kinds of conditions, and required the platform operators to modify them, including clauses that purport to exclude any liability on their part for any sort of mishaps or other problems with orders or deliveries. (Local news reports include this one in English.) As worded, the disclaimer clauses, occurring in the terms for users, were found by the KFTC to be “unfair” and, specifically, invalid under the Act on Regulation of Terms and Conditions, a statute generally governing fairness in context of uniform terms and conditions. The revisions required by the KFTC, however, as disclosed in its press release, are somewhat limited in nature, and exhibit a degree of compromise: (i) in the case of Baedal Minjok, the KFTC lets the terms disclaim liability “excluding situations where [the company] is liable under applicable law”; and (ii) in case of Yogiyo, for loss to users resulting from delay, Yogiyo “may bear liability resulting from reasons attributable to” Yogiyo. It remains to be seen what precise scope of liabilities these platforms may actually come to bear as a result.