Under amendments to IT Networks Act, set to take effect in March 2019, offshore online businesses, meeting thresholds of nexus to Korea, will be required to designate local agent for regulatory oversight purposes.
Amended rules will also newly restrict onward transfer (to additional countries) of personal information by offshore parties, and, on a reciprocity basis, allow regulators to restrict transfers of personal information to countries that likewise restrict outflows of such data.
Passed on August 30, 2018, amendments to the Act on Promotion of Information and Communications Network Utilization and Data Protection, Etc. (or IT Networks Act) will impose, on some range of larger offshore businesses, an obligation to appoint a local agent responsible for Korean data privacy compliance. The amended law will also impose new restrictions on the offshore on-transfer, i.e. to 3rdcountries, of personal information (PI), requiring consent of, or at least notice to, the individuals, and extend to onward transferors a duty to take protective measures (vis-à-vis the transferee). And the amendments include a reciprocity principle that will allow the government to restrict transfers of PI to offshore companies whose home jurisdictions similarly restrict outflow of PI. The amended rules will take effect in early March 2019, i.e. 6 months from the formal promulgation which is during this first week of September 2018.
Major online businesses lacking “presence” in Korea will be required to appoint a local agent, responsible for privacy compliance.
Under the amended IT Networks Act, offshore “IT service providers” – including online/connected service providers and sellers – will be required to appoint an agent in Korea, for data regulation purposes, if theysatisfy some threshold of scale (in terms of local user numbers and/or revenue, but yet to be decided) and lack an “address” or “a place of business” in Korea. The requirement could also apply, evidently, to offshore transferees of data – offshore businesses that (e.g. as data controllers or processors) receive PI of Korean individuals from IT service providers, given the way in which the amended law refers to “IT service providers and others”. 
The local “agent” (or representative, “대리인” in Korean) will be responsible for local data privacy compliance, as the chief privacy officer (person in charge of personal information protection, 개인정보보호책임자). As such, the agent will be responsible for effecting PI protection measures, reporting to authorities and notifying users in case of data leaks, and responding, and submitting documents and materials, to the authorities in case of some violation of the IT Networks Act.(The “authorities” will mean mainly the Ministry of Science & ICT and the Korean Communications Commission.) If the agent should end up violating the IT Networks Act, this will be imputed to the offshore entity.
The local agent can be either an individual or a corporate entity, but it isn’t clear whether the agent has to have any specific standing or qualification. On the face of the amended law, the local agent might be, say, an officer or employee of a local subsidiary. (It might be that having a local subsidiary already means that one does not lack a local “address” or “business presence” in the first place, but this seems doubtful.)
As to the separate issue of whether the offshore business indeed lacks a local “address” or “place of business”, what would that mean? Surely the new requirement will not apply to, say, an offshore entity that has a local branch or representative office in Korea. The question is what else would constitute a local presence for this purpose. As noted above, it seems unlikely that that would include a local subsidiary. But this part of the new requirement isn’t particularly defined, nor is it slated to be clarified by ensuing regulations. It may, for some time, remain a point for interpretation.
New restrictions on offshore onward transfer of PI
Also, where PI is so transferred to country 3, the amended statute calls for the transferor (in country 2) to take measures to safeguard the PI so transferred. Under the current law this duty applies in the first stage, to an entity in Korea that transfers PI to a party in country 2, but the required “measures” are defined in a loose way (including “discussing” with a transferee, and “reflecting” in a contract with the transferee, matters of technical/managerial safeguards, and handling in case of a data breach). Under the amended law, this requirement will also apply to the transferor in country 2, in relation to the country 3 transferee.
Moreover, the amendments newly provide for a specific penalty in case of failure to take the protective measures, on the part of a first transferor and subsequent transferors. On the other hand, the required “measures” (to be finalized by Presidential Decree) seem likely to remain loosely defined. Nor is it obvious how the new rules would effectively bind an entity that is offshore.
Reciprocity in PI outflow restrictions
Under the amended law, Korean regulators will be able to impose restrictions on the transfer of Korean PI to offshore IT service providers – online/connected services and goods – if and to the extent that those businesses’ home jurisdictions restrict the transfer of PI to overseas. How this change in the statute may translate into actual restrictions at the agency level – including the Korean Communications Commission – remains to be seen.
This reciprocity principle is seen to be largely in reaction to similar laws that have been passed, or are under consideration, to restrict PI outflows in a number of foreign jurisdictions, such as Russia, China, Vietnam and so on. Ultimately this type of issue would seem to call for resolution through bilateral treaty or international convention.