Use the Lexology Getting the Deal Through tool to compare the answers in this article with those from other jurisdictions.

Market overview

Kinds of transaction

What kinds of cloud computing transactions take place in your jurisdiction?

A comprehensive variety of cloud computing services are being provided, and being adopted by, companies in Korea. Public, hybrid and private cloud models are all provided by cloud service providers. Cloud service users use cloud computing services in the form of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or for mere storage, based on the particular user’s needs. Cloud computing is in the process of being adopted in various sectors such as healthcare, finance and information communications technology. In particular, cloud computing has been widely adopted in the online gaming industry.

Active global providers

Who are the global international cloud providers active in your jurisdiction?

In general, most large global cloud service providers are active in Korea. Notably, Amazon Web Services, Microsoft Azure, Google Cloud, IBM Cloud, Oracle Cloud, HP Cloud, Akamai and Rackspace have a presence in Korea.

Active local providers

Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?

There are numerous cloud computing service providers in Korea. The largest domestic cloud service providers are established companies in the information communication technology network providers, such as KT (uCloud) and SK (CloudZ), and internal portal companies, such as Naver (NAVER Cloud) and Kakao.

Market size

How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?

Cloud computing is becoming more and more widely adopted in Korea, with legislation being adopted by each industry to relax the legacy restrictions that made it difficult to adopt cloud computing. According to the article published by the Korean Association of Cloud Industry (KACI), the expected volume of sales for cloud computing for 2019 is more than 2 trillion Korean won. KACI also provides a breakdown of the estimated total sales volume for 2019 as follows:

  • IaaS: 37.9 per cent;
  • PaaS: 0.1 per cent;
  • SaaS: 32.2 per cent;
  • Cloud software: 26.6 per cent;
  • Cloud hardware: 3 per cent; and
  • Miscellaneous: 0.2 per cent.

Impact studies

Are data and studies on the impact of cloud computing in your jurisdiction publicly available?

Data and studies on the impact of cloud computing are publicly available. For example, KACI periodically posts studies and data on its website and the government provides a dedicated cloud portal (cloud.or.kr). Based on these studies and data, cloud computing is likely to grow at a rapid pace in the Korean market and will affect traditional IT vendors and IT outsourcing.

Policy

Encouragement of cloud computing

Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?

Yes. To promote and develop cloud computing services, Korea has adopted the Act on the Development of Cloud Computing and Protection of its Users (the Cloud Computing Act) to develop the cloud computing industry in Korea and to promote Korean cloud computing services to foreign customers.

Under the Cloud Computing Act, the government can conduct the following activities to promote international cooperation on cloud computing and overseas expansion of cloud computing technology and services:

  • international exchange of cloud computing-related information, technology and personnel;
  • overseas marketing and promoting activities such as cloud computing exhibits;
  • joint research and development of cloud computing with other nations;
  • information collection, analysis and provision regarding information related to the overseas expansion of cloud computing;
  • mutual cooperation with other nations to ensure the effectiveness of international cooperation in relation to cloud computing; and
  • other activities to promote international cooperation and overseas expansion of cloud computing.

 

Incentives

Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?

In order to develop and promote use of cloud computing technology and services, the government and municipalities can adopt measures such as tax incentives. Also, the government can provide support to small and medium-sized businesses related to cloud computing such as the following:

  • provide information and advice related to cloud computing business;
  • subsidise funds and provide technology assistance for the purpose of user protection;
  • training of cloud computing professionals; and
  • other activities necessary with regard to fostering small and medium-sized businesses related to cloud computing.

Furthermore, the government and municipalities can provide administrative, fiscal and technical support to parties that are establishing collective information communication facilities using cloud computing technology.

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

The Cloud Computing Act defines cloud computing, cloud computing technology and cloud computing service as follows:

Cloud computing

An information processing system that enables elastic use of integrated and shared resources for information and communications (such as devices for information and communications, information and communications systems, and software) through information and communications networks, to fit the users’ requirements or demands.

Cloud computing technology

Technology required for setting up and using the cloud including the following:

  • virtualisation technology: technology for virtually combining or dividing resources for information and communications including integrated or shared information and communications devices, information and communications facilities, and software;
  • distributed processing technology: technology that processes a large volume of information by dispersing it into multiple information and communications resources; and
  • others: technology that utilises information and communications resources in setting up and using cloud computing systems, including technologies that automate the placement, management and so on of information and communications resources.

Cloud computing services

Commercial services for providing resources for information and communications by utilising cloud computing including the following:

  • service of providing servers, storage, networks, among others;
  • service of providing software, including applications;
  • service of providing an environment for developing, distributing, operating, managing, and suchlike, software, including applications; and
  • other services combining at least two of the above services.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

The purpose of the Cloud Computing Act is to promote and develop cloud computing rather than to regulate cloud computing. Under the Cloud Computing Act, an agreement between the cloud computing service provider and the cloud service user will be deemed to satisfy the requirements for IT facilities, devices and systems that are necessary to obtain permits, approvals, registration or designations pursuant to other laws. However, the Cloud Computing Act does not contain explicit prohibitions. Rather, detailed measures that directly or indirectly restrict to cloud computing are contained in industry specific laws and the privacy laws of Korea. In other words, Korea adopts a negative regulatory approach, where cloud computing is generally permitted unless explicitly restricted by a specific statute.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

For personal information protection in the cloud, the Personal Information Protection Act (the PIPA) and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc (the Network Act) apply. Accordingly, the collection, use, provision, delegation, destruction, storage of personal information being processed by cloud computing is subject to the PIPA and the Network Act. Both the PIPA and the Network Act contain stringent provisions to ensure the protection of data subjects with corresponding heavy penalties. Under the PIPA, a cloud computing service provider is considered a delegatee who has been delegated with personal information processing and is treated as a data processor.

With regard to data security, the Ministry of Science and ICT has promulgated ‘Standards for Information Protection by Cloud Computing Providers’ (Cloud Computing Standards). The Cloud Computing Standards do not have the effect of binding law but compliance therewith is, nonetheless, recommended.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

A cloud computing service provider could become subject to criminal penalties in the event the cloud computing service user’s data is provided to a third party by the cloud computing service provider. As noted above, the Cloud Computing Standards do not have the force of law and therefore, in theory, the quality, performance and data protection levels stated therein are not mandatory. The failure to notify the occurrence of any infiltration incidents to the relevant authorities or to the users or return or destroy information will be subject to a fine. Furthermore, if the cloud service provider breaches any provisions of the PIPA or the Network Act, the cloud service provider could be subject to a fine, corrective measure or criminal penalty based on the relevant statutory provisions.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

Pursuant to the Cloud Computing Act, the Ministry of Science and ICT, in consultation with the Fair Trade Commission, has published a model cloud computing agreement for business-to-business (B2B) and business-to-consumer (B2C), respectively. The purpose of this model agreement is to protect the rights of the users and to establish fair trade. The Ministry of Science ICT can issue a recommendation to use this model agreement to cloud computing providers.

The model agreement includes the following protective measures:

  • the PIPA and the Network Act will apply to personal information thereby reinforcing the protection of personal information;
  • any incident of leakage of user information must be notified to the user and the Ministry of Science and ICT to enable prompt remedial measures with respect to such incident;
  • to enhance the user’s right to know, in the event the user’s data is stored overseas, the user can demand disclosure of the country where data is stored and the fact that cloud computing is being used, with respect to which recommendation measures for disclosure can be issued; and
  • to prevent the misuse of user data, any provision of user data to third parties without consent or use of user data beyond the agreed purpose shall be subject to criminal penalties.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

Public sector

The Cloud Computing Act states the obligation of governmental agencies to use efforts to adopt cloud computing and recommends that governmental agencies use the cloud computing systems developed by the private sector rather than developing its own cloud computing system. To support the adoption of cloud computing in the public sector, a joint policy commission consisting of the Ministry of the Interior and Safety, the Ministry of Science and ICT, the Ministry of Economy and Finance, the Public Procurement Service and the National Intelligence Service has been set up. A security review by the National Intelligence Service is required for governmental agencies to adopt a certain cloud computing system.

Finance sector

Due to the recent amendments to the Regulation on Supervision of Electronic Financial Transactions, the overseas delegation and sub-delegation of IT facilities and financial services is possible. In particular, for IT systems that do not process customer data (such as personal identification information or personal credit information), cloud computing can be adopted by the financial institution designating such systems as ‘non-material data-processing systems’ to which physical network separation does not apply. However, ‘material data processing systems’ (ie, systems that deal with customer data) are still subject to the requirement of physical network separation, thereby precluding the full adoption of cloud computing in the finance sector.

Healthcare sector

The amendment to the Standards on Facilities and Devices for Administration and Retention of Electronic Medical Records in 2016 has paved the way for adoption of cloud computing in the healthcare sector. The amendment revises the requirement to store electronic medial records inside hospitals and allows the administration and storage of medical records with external companies or at remote locations that meet certain qualifications. However, electronic medical records cannot be stored outside of Korea.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

There are no insolvency laws that only apply to cloud computing service providers. However, the Cloud Computing Act contains a provision that applies when the cloud computing provider suspends its service due to reasons such as sudden insolvency. Under this provision, the cloud computing service provider and the user can agree to temporarily store the user’s data with a third party. Also, if a cloud computing service provider intends to terminate its business, it must notify the user of such termination and return or destroy all data to the user prior to the date of termination of business. If, for any reason, it becomes impossible to return the information (for example, the user fails to accept, or refuses, the return of such information), the cloud computing service provider must destroy the information.

Data protection/privacy legislation and regulation

Principal applicable legislation

Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.

As noted above, the PIPA and the Network Act apply to cloud computing service providers in connection with data privacy. In principle, the privacy laws of Korea are structured to require the prior consent of the data subject for the collection, use and provision of personal information. Within personal information, sensitive information and personal identification information is subject to more stringent regulations. Under the PIPA and the Network Act, overseas provision of personal information to third parties requires the consent of the data subject. The overseas delegation of personal information processing to third parties does not require the consent of the data subject under the PIPA, whereas consent is required under the Network Act.

A personal information processor must take technical, organisational and physical measures stated in the privacy laws to ensure against the loss, theft or leakage of personal information. Upon leakage of personal information, the personal information processor must notify the data subject and the relevant authorities without delay. Any violation of the privacy laws may be subject to administrative sanctions or criminal penalties. In particular, any loss, theft, leakage, alteration or damage to personal information due to the lack of the security measures under the PIPA will be subject to a criminal penalty of not more than two years’ imprisonment or a monetary penalty of not more than 10 million Korean won.

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

In practice, cloud computing contracts usually adopted in Korea are similar to those globally used by cloud computing service providers. Many cloud computing service providers adopt modular agreements composed of several different components such as:

  • a master agreement between the customer and cloud servicer provider;
  • service level agreements and terms for each service;
  • the cloud service provider’s acceptable use policies; and
  • end-user licence agreement.

Often these agreements are presented as clickwrap agreements with non-negotiable terms. Accordingly, to protect the rights of the cloud service users, the Ministry of Science and ICT has published a model agreement that is analysed in questions 17 to 22.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

Article 24 of the Cloud Computing Act states that the Ministry of Science and ICT, in consultation with the Fair Trade Commission, may establish a model agreement for cloud computing to protect the rights of cloud computing users and establish fair trade practices. In December 2016, the Ministry of Science and ICT published two versions of Model Cloud Agreement for Protection of Cloud Service Users and Establishment of Fair Trade Practices, one for B2B and one for B2C.

Under the Model Cloud Agreement for Protection of Cloud Service Users and Establishment of Fair Trade Practices for B2B (B2B Model Agreement), Korean law is the governing law and any disputes arising out of the agreement are subject to the jurisdiction of the Korean court.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

Under the B2B Model Agreement, the cloud service provider must provide cloud computing services in accordance with the B2B Model Agreement, and the specific service levels will be subject to the service level agreements. Any modifications to the service levels should be mutually discussed, provided that any modifications that are material or are contrary to the interests of the cloud computing user are subject to the user’s consent.

The B2B Model Agreement divides service fees into basic fees and ancillary fees. The details of the service fees (type, price, method of pricing, discounts, etc) must be listed in an attachment to the B2B Model Agreement or on the service website. In principle, the service fees are on a monthly basis and prorated on a daily basis upon termination. Any discount or waiver of fees can be determined based on mutual discussion. In the event of temporary suspension or disruption of services, the user will be entitled to request discount of the service fees or seek damages arising from such suspension or disruption.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Under the B2B Model Agreement, the cloud computing provider must:

  • adopt the Cloud Computing Standards;
  • provide adequate security measures; and
  • ensure protection against leakage of personal information and third-party infiltration.

Further, the cloud computing provider cannot provide the user‘s information to a third party without the user’s consent or use the user’s data beyond the agreed purpose. The user is responsible for controlling its ID and password and bear responsibility for any theft or inappropriate use due to the user’s failure to exercise due care.

Data protection measures not stated in the B2B Model Agreement will be subject to the privacy laws such as the PIPA, Network Act or industry-specific laws based on the user’s business.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

In general, under the B2B Model Agreement, the cloud computing service provider is liable for damages incurred by the user owing to intentional or negligent service disruptions or for failure to meet the level of quality or performance of the services under the relevant service level agreement.

However, absent any intentional misconduct or negligence, the cloud computing service provider will not be liable for the user’s damages because of:

  • inevitable service interruption due to system upgrade, prevention of infiltration such as hacking or network failure, force majeure events that have been notified to the user pursuant to the B2B Model Agreement;
  • service suspension due to force majeure events beyond the control of existing technical capability;
  • service suspension, disruption or termination of B2B Model Agreement owing to the user’s intentional misconduct or negligence;
  • the network service provider’s discontinuation or disruption of network services;
  • ancillary issues arising from the user’s computer environment or network environment; and
  • user’s computer error or erroneous identification information or incorrect email address.

Further, the cloud computing provider is not liable for the credibility or accuracy of the information or material transmitted using the services or posted on the service website absent any intentional misconduct or negligence.

Additionally, the cloud service provider will not be liable in disputes regarding cloud computing services between users or between a user and a third party if all of the following conditions are met:

  • the cloud computing service provider has not violated the Cloud Computing Act;
  • the cloud computing service provider has proved that there is no intentional misconduct or negligence on its part;
  • the cloud computing service provider does not have the authority or capacity to control the acts of the user that is infringing on the rights of other users or third parties;
  • even if the cloud computing service provider does have the authority or capacity to control the user against the infringement of the rights of other users or third parties, the cloud computing service provider does not financially benefit from such infringement; and
  • the cloud computing service provider immediately suspends the infringement once it becomes aware of the fact or circumstances that a user or third party is infringing on the user’s rights.

On the other hand, if the user has caused damages to the cloud computing service provider, it will be liable for the damages incurred by the cloud computing service provider.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

Under the B2B Model Agreement, the user must not violate the Copyright Act and related laws or moral customs and social order. Further, absent any intentional misconduct or negligence, the cloud computing service provider will not be liable for any infringement on IPR between users or between a user and a third party. Other matters concerning IPR ownership are not specifically mentioned in the B2B Model Agreement and would, therefore, be subject to the intellectual property laws of Korea.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

Under the B2B Model Agreement, both the cloud computing servicer provider and the user can rescind or terminate the B2B Model Agreement. The termination rights of the cloud computing service provider and user are as follows:

User

  • Cloud computing service provider is unable to or there is a materially adverse effect on its ability to perform its obligations;
  • the cloud computing service provider fails to provide services as contracted; and
  • a material event has occurred that makes is impossible to maintain the contractual relationship.

Cloud computing service provider

  • The user violates its obligations such as payment default or assigns its rights to a third party without the consent of the cloud computing service provider;
  • a user whose use has been restricted under the B2B Model Agreement fails to cure the cause for such restriction for a substantial period of time; and
  • the cloud computing service provider terminates its cloud computing business.

The cloud computing service provider must return the data to the user upon the rescission, termination of the B2B Model Agreement or upon expiry of the service term. If the return of data is practically impossible, the cloud computing service provider must destroy the user data in an irreversible manner. The cloud computing service provider must also cooperate in transferring the user’s data to a different cloud computing service.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

There are no labour or employment laws specific to the cloud computing industry.

Taxation

Applicable tax rules

Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.

In general, to establish a corporation in Korea, a capital registration tax of 0.48 per cent of the initial capital applies. After establishment of the corporation, VAT, corporate income tax and local income tax will apply and other taxes such as withholding tax and municipal tax may also apply. It is notable that VAT applies to cloud computing services provide by Korean companies. Corporate income tax will be imposed at the following tax rates:

Tax basis (Korean won)

Tax rate*

200 million or less

10 per cent

200 million up to 20 billion

20 million + (20 per cent of the excess over 200 million)

20 billion up to 300 billion

3.98 billion + (22 per cent of the excess over 20 billion)

More than 300 billion

65.58 billion + (25 per cent of the excess over 300 billion)

* Local income tax equivalent to 10 per cent of the corporate income tax calculated based on the above will apply.

Indirect taxes

Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.

Although Korean companies are subject to VAT for cloud computing services, foreign companies are not. To resolve this discrepancy, in 2018, the government proposed amendments to the Value Added Tax Act that will impose VAT to cloud computing services provided by foreign companies from 1 July 2019.

Recent cases

Notable cases

Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.

There are no such cases or determinations relating to cloud computing as a business model.

Update and trends

Update and trends

What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

The adoption of cloud computing in the financial services industry has been a topic that is subject to heated debate and gradual changes. Given the highly confidential nature of financial information, the IT systems of financial institutions have been subject to strict network separation, both logically and physically. While logical network separation can be implemented in the cloud, physical network separation cannot be accommodated. In fact, physical network separation is a concept incompatible with cloud computing. In 2016, the Financial Services Commission (FSC) announced that the financial services industry would be able to use the cloud and eliminated the requirement for physical network separation for non-material systems (ie, systems not dealing with customer data). Due to such limited scope, the cloud adoption rates of Korean financial institutions are staggered compared with foreign financial institutions. In mid-2018, FSC officials have been quoted on relaxing the physical network separation requirement for material systems but no official announcements have been made as yet.