The Korea Communications Commission announced its “Guidelines for Personal Information Protection for Smartphone Apps” (hereinafter the “Guidelines”) in order to alleviate users’ concerns about using smartphone apps.  The Guidelines require the relevant businesses to provide transparency in handling personal information by notifying users in advance of how their personal information is handled at each stage of the smartphone app service.

With the introduction of the new Guidelines, it is expected that the following information will be more conveniently communicated to individual users of smartphone apps: (i) permission setup for access to device information, (ii) registration for app markets, (iii) usage of app services and (iv) termination of app services.  The Guidelines have been in effect since August 6, 2015 and a policy information session for the relevant businesses is scheduled to be held in September 2015.  Finally, compliance checks are planned to be carried out from October 2015.  The main substance of the Guidelines is as follows:

  • Permission setup at the app development stage: The new Guidelines limit the scope of permission granted to the information that is essential for provision of services:  
    • The Guidelines require the scope of permission granted in regard to the smartphone app to access the user’s smartphone device information (hereinafter “app permission”) to be minimized to the scope that is essential for the provision of services.  
    • In order to effectuate the above, the operating system (OS) providers (e.g. Google Android, Apple iOS and others) are required to provide a development environment in which app developers can minimize permission setups that would unnecessarily access the user’s device information or other personal information.  
    • In order to communicate accurate information regarding the status of personal information handling to users, app service providers are required to provide the following instructions to the users through their privacy policy: “Not all information with app permission setup is immediately collected and transferred.  Information may be collected and transferred only after the app service notifies and obtains permission from the user to access the device information or other personal information within the scope that has received consent for collection and use of personal information.”  
      • If an app service is granted excessive app accessibility permission and collects personal information from the device information or other sources without the user’s consent, such app service may be liable for administrative surcharges of up to 3% of the relevant sales, imprisonment of up to five years, or fines of up to KRW 50 million for violating the Act on Communications Network.  
  • App market registration stage: The new Guidelines require the app providers to provide notifications that are easy for the users to understand:  
    • App markets are required to provide room on their interfaces to enable users to conveniently verify the app permission setup, the app’s privacy policy and other terms and conditions prior to downloading the app.  
    • For apps with the problem of excessive app permission setup and personal information collection, the new Guidelines require the app markets to provide a “report to the app market” menu to strengthen the voluntary correction function in app usage.  
  • Provision of App services and termination stage: The new Guidelines require the app providers to clarify the consent and termination procedures:  
    • The new Guidelines require the service providers to simplify the consent procedure regarding handling of personal information in order to allow a more convenient service use, and to develop a simple service termination procedure.  
    • With respect to the required consent matters such as “Terms of Service” or “Personal Information Collection and Use (Mandatory),” the new Guidelines require the app providers to concisely communicate what the user is consenting to and to allow the user to provide his or her consent using the one-click function.  
    • In contrast, regarding the optional consent matters such as “Sharing of Personal Information with Third Parties” or “Marketing Use,” a consent procedure different from that of the mandatory consent matters has to be provided to permit the users to directly choose the scope of such information sharing.  
    • The new Guidelines prohibit the app providers from refusing service based on the user’s refusal to provide consent to the optional consent matters.  
      • If the service provider coerces consent from users for information sharing with third parties, such provider may be subject to administrative surcharges of up to KRW 10 million (up to KRW 30 million after December 23, 2015).  If the service provider violates the principle of minimum collection, i.e., coercing consent for marketing use, such provider may be subject to administrative surcharges of up to KRW 30 million.  
    • To allow users to conveniently locate the termination menu on the app screen, such menu should be placed on the starting screen page of the app.  Moreover, reachable contact information is required to be expressly shown in the app’s privacy policy.  

If personal information remains with the app service provider despite the user deleting the app from his or her smartphone device, the provider must inform the user, through its privacy policy, that a separate request, i.e., membership termination, is necessary for the destruction of personal information.