In this issue:

1. App services: Korea data regulator scrutinizing smartphone app compliance with conditions for user permissions; waves of cautionary notices sent out by contractor Unpeople

2. Connectivity: Lawmakers press Google and other overseas content providers (CPs) on purported “uneven playing field” due to disparity between network usage fees for offshore versus local CPs

3. Online services, media: Ruling party signals push for legislation to restrict “fake news”, including requiring online media platforms to police and filter content

4. Big Data: Slow progress in proposed legislation to free up “Big Data” services

5. Connectivity, consumer protection: Data regulator displeased with results in widened evaluation of user protection by online services such as YouTube and Facebook; promises fuller disclosure of results in 2020

6. Mobility: Van ride-hailing service TADA declared illegal by prosecutors, under transportation regulations; executives indicted

1. App services: Korea data regulator scrutinizing smartphone app compliance with conditions for user permissions; waves of cautionary notices sent out

September-October:Data regulators, together with a private contractor called Unpeople, are in the process of reviewing compliance by app service operators with requirements for access to data stored and functions installed in users’ mobile devices. Several waves of cautionary emails, flagging infractions, have gone to hundreds of offshore app operators, sent out by Unpeople (pronounced yoo-en people) as contractor for the Korea Internet Security Agency (KISA), which itself is a monitoring arm of the Korea Communications Commission (KCC). The Unpeople emails, which typically are in English, with a number of enclosures, should be taken seriously as preliminary warnings, although they are not, in themselves, binding directives.

The main issue is that an app provider to Korean users must satisfy various disclosure requirements in seeking user permission for access to device data folders (such as contacts) and functionalities (such as camera), under data privacy rules, primarily the Act on Promotion of Information and Communications Network Utilization and Data Protection, Etc. Infractions getting flagged by Unpeople involve, for example, a requirement to denote each particular access item (such as contacts, photo gallery and so on) as “mandatory” or “optional” (in terms of need, in order for the app to serve its main function), and also to state, if only in a few words, the purpose of the particular access, such as by specifying: “Optional Access: . . . Storage: Save, modify or delete the data you select”. Unpeople emails to app providers will typically specify the infraction(s) discerned in their app, and also enclose for reference a long general catalog of rules and possible types of infractions.

The notices request the app provider to submit, within around 10 days, a reply stating “corrective” steps that the app provider proposes to take, such as to modify descriptive text in the app store. The notices, in the form used so far, sent by Unpeople, are not compulsory – they do not impose on the recipient a legal obligation to respond as requested. But, generally speaking, it may be prudent to reply in some fashion, advisedly. (In procedural terms, Unpeople or KISA may issue one or several additional notices of similar, and, in case of inaction, “escalate” to the KCC, which would then be in position to issue a binding corrective order.)

The notices, in the nature of preliminary warnings, follow upon the KCC’s launch in March 2019 of its program to check up on popular apps. Unpeople emails are likely to continue going out in intermittent waves for some time.

2. Connectivity: Lawmakers press Google and other overseas content providers (CPs) on purported “uneven playing field” due to disparity between network usage fees for offshore versus local CPs

October: As part of the National Assembly’s annual audit of work by data regulators, lawmakers questioned local heads of Google Korea, Facebook Korea and other multinational content providers (CPs), together with representatives of local internet service providers (ISPs), on the impact of differential network usage fees on competition with local CPs. Appearing before the committee with oversight of telecom and networks, executives were pressed for comment by ruling party members, citing data to the effect that local CPs were paying 6 times the network usage fees applied to overseas-based CPs including Google and Netflix. Also heard was testimony by Korean CPs blaming ISPs for a disparity between fees charged to local versus foreign CPs. (This echoed allegations of reverse discrimination by Korea’s fair competition regulator, as reported in our August 2019 newsletter.) Questions put to Google Korea’s CEO included whether the company intends to pay a “fairer” (i.e. higher) network usage fee, and Google Korea’s responses (such as saying that Google was in processing of reducing its ISP traffic by setting up a cache server) drew somewhat harsh criticism from ruling party members of the committee. The committee chair warned that he would soon submit a bill to amend the Telecommunications Business Act so as to obligate ISPs to report network usage fees, with visibility on comparative rates as between local and foreign CPs. (See e.g. this local news report.) The direction and thrust of the hearings were symptomatic of a persistent drumbeat of complaints and misgivings concerning an “uneven playing field” for local as opposed to offshore based CPs. (See, for example, our February 2019 newsletter item, “Important online sector council outlines solutions for ‘reverse discrimination’”.)

3. Online services, media: Ruling party signals push for legislation to restrict “fake news” by requiring online media platforms to police and filter content and imposing significant fines for violation

October: Korea’s ruling party, echoing concerns voiced by the Blue House, has announced it will pursue legislation that would require YouTube and other media platforms to monitor for and filter “fake news”, and, in case of non-compliance, impose fines of up to 10% of revenue from related contents. (See e.g.this local report.) The plan, as outlined by the Democratic Party’s Special Committee for Measures to Combat Fake News, would, among other things, require platforms (meeting some thresholds) to adopt technology (e.g. macro programs) to block rapid dissemination of libelous or other unlawful info; appoint personnel in charge of filtering suspicious content; impose training requirements; and require quarterly reporting for “transparency.” In case of violations, the plan contemplates possible punitive damages, as well as serious fines based on revenue, Unveiling the proposed measures on October 1, the ruling party emphasized that the objective will be to govern offshore enterprises equally with local platforms. When it comes to policing offshore businesses, the committee acknowledged deficiencies in the current regulatory framework (mainly under the Act on Promotion of Information and Communications Network Utilization and Data Protection, Etc.), butpromised to equip the law with efficacious provisions for extraterritorial reach.

The ruling party’s announcement is further reason to expect concerted movement toward legislation to curb false or scurrilous information disseminated online. Reining in “fake news” is widely seen as an important topic for the nationwide legislator elections in 2Q 2020, as well as in the lead-up to the Presidential contest in 2022. Recent appointments to the Korea Communications Commission, including the new chief Sang-Hyuk Han, are based at least in large part on their outspoken concerns regarding “fake news”. The coming months seem likely to witness significant draft legislation in this direction.

4. Big Data: Slow progress in proposed legislation to free up “Big Data” services

September-October: A slate of major amendments to data regulations, unveiled in late November 2018, promised to open the door for “Big Data” financial services, but this has been slow to advance in the legislature and faces a possible further delay. Welcomed by the financial sector and technology startups (as noted in our newsletter at that time), the bill would recognize a core concept of “pseudonymized information” (PSI) and permit a wide scope for processing of such PSI. Comprising amendments to the Personal Information Protection Act, the bill also proposed to integrate related oversight and enforcement powers in a central watchdog, the Personal Information Protection Committee (PIPC). However, it seems there has been persistent friction among legislators working on the draft bill, mainly over the scope of the PIPC’s scope of authority and industry reach. At this point the bill might not advance to a vote till 3Q 2020, though there are some indications of a late hour bipartisan push to finalize legislation within a few months. (See e.g.this local news report.)

5. Connectivity, consumer protection: Data regulator displeased with results in widened evaluation of user protection by online services such as YouTube and Facebook; criticizes lack of cooperation and promises fuller disclosure of results in 2020

October: The Korea Communications Commission (KCC) announced the completion of its trial phase, which started this year, in extending broadly to online service providers the existing framework for evaluation of user protection systems, with implications for the level of penalties in case of violations under the Telecommunications Business Act (TBA). Pursuant to the TBA, the KCC administers an annual assessment of user protection measures among mobile phone, internet service and other telecom service providers (SK Telecom and Broadband, for example, receiving highest grades for 2019 in several categories). Among the broad category of “value-added telecom service providers” (“VATS” providers) – that is, virtually all online and app services –, the KCC evaluation process, which relies on information and records requested from the subject companies, had till this year only covered portal search engines (such as Naver and Google) and app stores (Google, Apple, Samsung). The results can impact on penalties in case of a violation of the TBA, higher ratings (in a gradient from“highly superior” down to “unsatisfactory”) leading to significant abatements in administrative fines for violations (such as data incidents, service mishaps and other types of violations), where the fines could, in severe cases, total up to 3% of related revenues.

Starting in 2019, the KCC moved to include all VATS providers in the evaluation system, though for this first phase the agency focused on key services like YouTube and Facebook. Rather than publish grades or further details, the KCC confined itself to criticizing the lack of comprehension of this framework, and failure to furnish records or attend interviews, on the part of several of the major offshore firms (with some of them pleading confidentiality). (See e.g. this news article.) The KCC has indicated it will actively pursue this effort, and it plans to disclose concrete results in 2020. Whether the regulator will expand its assessment program to a broader selection of VATS providers in 2020 remains to be seen, but companies in the online service sector, especially those of higher profile, should be alert to the possibility of KCC inquiries in this direction.

6. Mobility: Van ride-hailing service TADA declared illegal by prosecutors, under transportation regulations; executives indicted

October: On October 28, 2019 Korean prosecutors indicted the CEO of VCNC, the operator of the rapidly expanding fleet of non-taxi vans hailed by smartphone app. Citing restrictions under the Passenger Transport Service Act (PTSA) that generally require a license for paid transport services, prosecutors concluded that TADA is unlawful in operating the vans without a taxi license. (See e.g.this local news report, and this report in English.) Indicted along with the CEO of VCNC was the CEO of its parent company Socar (online industry mogul Jae-Woong Lee). The ride-hailing service, which was launched in late 2018 and has mushroomed in popularity in recent months, was targeted in a criminal complaint by taxi industry representatives. VCNC has steadfastly maintained that it falls within a PTSA section exempting 11-seat and larger vans from the need of a license. It is possible, and apparently TADA opponents argue, that the PTSA exception was premised more on the situation of some people renting a van for a day or days, while also hiring a driver to do the driving.

The prosecutors’ action, greeted with scorn by the local start-up sector, represents the latest skirmish in a conflict, ongoing since at least early 2017, between the taxi industry and businesses like Kakao and TADA that seek to capitalize on ride-hailing functionalities of ubiquitous smartphones. The mainstream effort to overcome the impasse (involving Kakao as a key player, as reported in our August 23, 2019 newsletter) would, by amending the PTSA, allow ride-hailing platform operations to, in effect, borrow taxi licenses in a franchise structure. While that compromise effort moves ahead, the criminal process instituted against TADA is a stark reminder of risks that can attend a seeming regulatory loophole, relied on in a highly fraught political setting.