Market overview

Kinds of transaction

What kinds of cloud computing transactions take place in your jurisdiction?

A comprehensive variety of cloud computing services is being provided and being adopted by companies in Korea. Public, hybrid and private cloud models are all provided by cloud service providers. Cloud service users use cloud computing services in the form of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS) or for mere storage, based on the particular user’s needs. Cloud computing is in the process of being adopted in various sectors such as healthcare, finance and information communications technology. In particular, cloud computing has been widely adopted in the online gaming industry.

Active global providers

Who are the global international cloud providers active in your jurisdiction?

In general, most large global cloud service providers are active in Korea. Notably, Amazon Web Services, Microsoft Azure, Google Cloud, IBM Cloud, Oracle Cloud, HP Cloud, Akamai and Rackspace have a presence in Korea.

Active local providers

Name the local cloud providers established and active in your jurisdiction. What cloud services do they provide?

There are numerous cloud computing service providers in Korea. The largest domestic cloud service providers are established information and communications technology network providers, such as KT (KT Cloud) and SK (Cloud Z), and internet portal companies, such as Naver (NAVER Cloud) and Kakao.

Market size

How well established is cloud computing? What is the size of the cloud computing market in your jurisdiction?

Cloud computing is becoming more and more widely adopted in Korea, with legislation being adopted by each industry to relax the legacy restrictions that made it difficult to adopt cloud computing.

According to the Worldwide Public Cloud Services Market Forecast (2019) published by Gartner in April 2019, the amount of spending by end-users of public cloud services in Korea is estimated as follows:

| Service category | 2018 | 2019 | 2020 | 2021 | 2022 |
| --- | --- | --- | --- | --- | --- |
| Cloud Business Process Services (BPaaS) | 174,207 | 196,530 | 220,103 | 244,684 | 271,235 |
| Cloud Application Infrastructure Services (PaaS) | 215,457 | 258,237 | 302,048 | 347,941 | 392,554 |
| Cloud Application Services (SaaS) | 778,711 | 962,156 | 1,167,356 | 1,366,834 | 1,574,564 |
| Cloud Management and Security Services | 195,045 | 228,866 | 263,468 | 300,665 | 337,992 |
| Cloud System Infrastructure Services (IaaS) | 577,251 | 696,982 | 828,838 | 979,971 | 1,147,494 |
| Total | 1,940,671 | 2,342,771 | 2,781,813 | 3,240,095 | 3,723,839 |

(Unit: one million won)

Impact studies

Are data and studies on the impact of cloud computing in your jurisdiction publicly available?

Data and studies on the impact of cloud computing are publicly available. For example, the Korea Association of Cloud Industry (KACI) periodically posts studies and data on its website and the government provides a dedicated cloud portal (K-ICT Cloud Innovation Center, www.cloud.or.kr). Based on these studies and data, cloud computing is likely to grow at a rapid pace in the Korean market and will affect traditional IT vendors and IT outsourcing.

Policy

Encouragement of cloud computing

Does government policy encourage the development of your jurisdiction as a cloud computing centre for the domestic market or to provide cloud services to foreign customers?

Yes. To promote and develop cloud computing services, Korea has adopted the Act on the Development of Cloud Computing and Protection of its Users (the Cloud Computing Act) to develop the cloud computing industry in Korea and to promote Korean cloud computing services to foreign customers.

Under the Cloud Computing Act, the government can conduct the following activities to promote international cooperation on cloud computing and overseas expansion of cloud computing technology and services:

  • international exchange of cloud computing-related information, technology and personnel;
  • overseas marketing and promoting activities such as cloud computing exhibits;
  • joint research and development of cloud computing with other nations;
  • information collection, analysis and provision regarding information related to the overseas expansion of cloud computing;
  • mutual cooperation with other nations to ensure the effectiveness of international cooperation in relation to cloud computing; and
  • other activities to promote international cooperation and overseas expansion of cloud computing.

Incentives

Are there fiscal or customs incentives, development grants or other government incentives to promote cloud computing operations in your jurisdiction?

In order to develop and promote the use of cloud computing technology and services, the government and municipalities can adopt measures such as tax incentives. Also, the government can provide support to small and medium-sized businesses related to cloud computing such as the following:

  • provide information and advice related to cloud computing business;
  • subsidise funds and provide technology assistance for the purpose of user protection;
  • training of cloud computing professionals; and
  • other activities necessary with regard to fostering small and medium-sized businesses related to cloud computing.

Furthermore, the government and municipalities can provide administrative, fiscal and technical support to parties that are establishing collective information communication facilities using cloud computing technology.

Legislation and regulation

Recognition of concept

Is cloud computing specifically recognised and provided for in your legal system? If so, how?

The Cloud Computing Act defines cloud computing, cloud computing technology and cloud computing service as follows:

Cloud computing

An information processing system that enables elastic use of integrated and shared resources for information and communications (such as devices for information and communications, information and communications systems, and software) through information and communications networks, to fit the users’ requirements or demands.

Cloud computing technology

Technology required for setting up and using the cloud including the following:

  • virtualisation technology: technology for virtually combining or dividing resources for information and communications including integrated or shared information and communications devices, information and communications facilities, and software;
  • distributed processing technology: technology that processes a large volume of information by dispersing it into multiple information and communications resources; and
  • others: technology that utilises information and communications resources in setting up and using cloud computing systems, including technologies that automate the placement, management and so on of information and communications resources.

Cloud computing services

Commercial services for providing resources for information and communications by utilising cloud computing including the following:

  • service of providing servers, storage, networks, among others;
  • service of providing software, including applications;
  • service of providing an environment for developing, distributing, operating, managing, and suchlike, software, including applications; and
  • other services combining at least two of the above services.

Governing legislation

Does legislation or regulation directly and specifically prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

The purpose of the Cloud Computing Act is to promote and develop cloud computing rather than to regulate it. Under the Cloud Computing Act, an agreement between the cloud computing service provider and the cloud service user will be deemed to satisfy the requirements for IT facilities, devices and systems that are necessary to obtain permits, approvals, registration or designations pursuant to other laws. However, the Cloud Computing Act does not contain explicit prohibitions. Rather, detailed measures that directly or indirectly restrict cloud computing are contained in industry-specific laws and the privacy laws of Korea. In other words, Korea adopts a negative regulatory approach, where cloud computing is generally permitted unless explicitly restricted by a specific statute.

What legislation or regulation may indirectly prohibit, restrict or otherwise govern cloud computing, in or outside your jurisdiction?

For personal information protection in the cloud, the Personal Information Protection Act (the PIPA) and the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc (the Network Act) apply. Accordingly, the collection, use, provision, delegation, destruction and storage of personal information processed by cloud computing are subject to the PIPA and the Network Act. Both the PIPA and the Network Act contain stringent provisions to ensure the protection of data subjects, with correspondingly heavy penalties. Under the PIPA, a cloud computing service provider is considered a delegatee to whom personal information processing has been delegated and is treated as a data processor.

With regard to data security, the Ministry of Science and ICT has promulgated ‘Standards for Information Protection by Cloud Computing Providers’ (Cloud Computing Standards). The Cloud Computing Standards do not have the effect of binding law but compliance therewith is, nonetheless, recommended.

Breach of laws

What are the consequences for breach of the laws directly or indirectly prohibiting, restricting or otherwise governing cloud computing?

A cloud computing service provider could become subject to criminal penalties in the event the cloud computing service user’s data is provided to a third party by the cloud computing service provider. As noted above, the Cloud Computing Standards do not have the force of law and therefore, in theory, the quality, performance and data protection levels stated therein are not mandatory. Failure to notify the relevant authorities or the users of any infiltration incident, or failure to return or destroy information, will be subject to a fine. Furthermore, if the cloud service provider breaches any provisions of the PIPA or the Network Act, the cloud service provider could be subject to a fine, corrective measure or criminal penalty based on the relevant statutory provisions.

Consumer protection measures

What consumer protection measures apply to cloud computing in your jurisdiction?

Pursuant to the Cloud Computing Act, the Ministry of Science and ICT, in consultation with the Fair Trade Commission, has published a model cloud computing agreement for business-to-business (B2B) and business-to-consumer (B2C), respectively. The purpose of this model agreement is to protect the rights of the users and to establish fair trade. The Ministry of Science and ICT can issue a recommendation to use this model agreement to cloud computing providers.

The model agreement includes the following protective measures:

  • the PIPA and the Network Act will apply to personal information thereby reinforcing the protection of personal information;
  • any incident of leakage of user information must be notified to the user and the Ministry of Science and ICT to enable prompt remedial measures with respect to such incident;
  • to enhance the user’s right to know, in the event the user’s data is stored overseas, the user can demand disclosure of the country where data is stored and the fact that cloud computing is being used, with respect to which recommendation measures for disclosure can be issued; and
  • to prevent the misuse of user data, any provision of user data to third parties without consent or use of user data beyond the agreed purpose shall be subject to criminal penalties.

Sector-specific legislation

Describe any sector-specific legislation or regulation that applies to cloud computing transactions in your jurisdiction.

Public sector

The Cloud Computing Act states the obligation of governmental agencies to use efforts to adopt cloud computing and recommends that governmental agencies use the cloud computing systems developed by the private sector rather than developing their own cloud computing systems. To support the adoption of cloud computing in the public sector, a joint policy commission consisting of the Ministry of the Interior and Safety, the Ministry of Science and ICT, the Ministry of Economy and Finance, the Public Procurement Service and the National Intelligence Service has been set up. A security review by the National Intelligence Service is required for governmental agencies to adopt a certain cloud computing system.

Finance sector

The amendments to the Electronic Finance Supervisory Regulations announced by the Financial Services Commission became effective on 1 January 2019. These amendments allow personal credit information to be processed on the cloud while strengthening the security level and management supervisory systems of cloud computing used in the financial sector. The major amendments are as follows:

  • The most important amendment is the expanded scope of cloud use that is permitted. In the past, financial institutions and electronic financial companies could use the cloud only to process non-critical information. Now, under the amendments to the Electronic Finance Supervisory Regulations, the cloud can be used for personal credit information and personal identification information as well (article 14-2, sections 1 and 8).
  • The amendments provide for a new finance-sector-specific standard for the use and provision of cloud services such as security measures applicable to the finance sector (article 14-2, section 1, Annex 2-2), which did not exist previously.
  • The amendments impose a new obligation on financial institutions and electronic financial companies to assess the security of the data processing systems in the cloud and to conduct a review and decision process by their internal data protection committee (article 14-2, sections 1 and 2).
  • The amendments reinforce the supervisory role of the regulatory authorities by requiring financial institutions and electronic financial companies to report the use of cloud services for personal credit information and personal identification information, for matters that materially impact the security and credibility of electronic financial transactions and for other critical events (article 14-2, sections 3 and 6).
  • To ensure regulatory enforcement and consumer protection, only cloud computing providers whose data processing systems are in Korea can be used for processing personal information and personal identification information (article 14-2, section 8).

Healthcare sector

The amendment to the Standards on Facilities and Devices for Administration and Retention of Electronic Medical Records in 2016 has paved the way for the adoption of cloud computing in the healthcare sector. The amendment revises the requirement to store electronic medical records inside hospitals and allows the administration and storage of medical records with external companies or at remote locations that meet certain qualifications. However, electronic medical records cannot be stored outside of Korea.

Insolvency laws

Outline the insolvency laws that apply generally or specifically in relation to cloud computing.

There are no insolvency laws that only apply to cloud computing service providers. However, the Cloud Computing Act contains a provision that applies when the cloud computing provider suspends its service due to reasons such as sudden insolvency. Under this provision, the cloud computing service provider and the user can agree to temporarily store the user’s data with a third party. Also, if a cloud computing service provider intends to terminate its business, it must notify the user of such termination and return all data to the user or destroy it prior to the date of termination of business. If, for any reason, it becomes impossible to return the information (for example, the user fails to accept, or refuses, the return of such information), the cloud computing service provider must destroy the information.

Data protection/privacy legislation and regulation

Principal applicable legislation

Identify the principal data protection or privacy legislation applicable to cloud computing in your jurisdiction.

The PIPA and the Network Act apply to cloud computing service providers in connection with data privacy. In principle, the privacy laws of Korea are structured to require the prior consent of the data subject for the collection, use and provision of personal information. Within personal information, sensitive information and personal identification information are subject to more stringent regulations. Under the PIPA and the Network Act, overseas provision of personal information to third parties requires the consent of the data subject. The overseas delegation of personal information processing to third parties does not require the consent of the data subject under the PIPA, whereas consent is required under the Network Act.

A personal information processor must take technical, organisational and physical measures stated in the privacy laws to ensure against the loss, theft or leakage of personal information. Upon leakage of personal information, the personal information processor must notify the data subject and the relevant authorities without delay. Any violation of the privacy laws may be subject to administrative sanctions or criminal penalties. In particular, any loss, theft, leakage, alteration or damage to personal information due to the lack of the security measures under the PIPA or the Network Act will be subject to a criminal penalty of not more than two years’ imprisonment or a monetary penalty of not more than 20 million Korean won (article 73 of PIPA and article 73 of the Network Act).

Cloud computing contracts

Types of contract

What forms of cloud computing contract are usually adopted in your jurisdiction, including cloud provider supply chains (if applicable)?

In practice, cloud computing contracts usually adopted in Korea are similar to those globally used by cloud computing service providers. Many cloud computing service providers adopt modular agreements composed of several different components such as:

  • a master agreement between the customer and cloud service provider;
  • service level agreements and terms for each service;
  • the cloud service provider’s acceptable use policies; and
  • end-user licence agreement.

Often these agreements are presented as clickwrap agreements with non-negotiable terms. Accordingly, to protect the rights of the cloud service users, the Ministry of Science and ICT has published a model agreement that is analysed in questions 17 to 22.

Typical terms for governing law

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering governing law, jurisdiction, enforceability and cross-border issues, and dispute resolution?

Article 24 of the Cloud Computing Act states that the Ministry of Science and ICT, in consultation with the Fair Trade Commission, may establish a model agreement for cloud computing to protect the rights of cloud computing users and establish fair trade practices. In December 2016, the Ministry of Science and ICT published two versions of the Model Cloud Agreement for Protection of Cloud Service Users and Establishment of Fair Trade Practices, one for B2B and one for B2C.

Under the Model Cloud Agreement for Protection of Cloud Service Users and Establishment of Fair Trade Practices for B2B (B2B Model Agreement), Korean law is the governing law and any disputes arising out of the agreement are subject to the jurisdiction of the Korean court.

Typical terms of service

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering material terms, such as commercial terms of service and acceptable use, and variation?

Under the B2B Model Agreement, the cloud service provider must provide cloud computing services in accordance with the B2B Model Agreement, and the specific service levels will be subject to the service level agreements. Any modifications to the service levels should be mutually discussed, provided that any modifications that are material or are contrary to the interests of the cloud computing user are subject to the user’s consent.

The B2B Model Agreement divides service fees into basic fees and ancillary fees. The details of the service fees (type, price, method of pricing, discounts, etc) must be listed in an attachment to the B2B Model Agreement or on the service website. In principle, the service fees are on a monthly basis and prorated on a daily basis upon termination. Any discount or waiver of fees can be determined based on mutual discussion. In the event of temporary suspension or disruption of services, the user will be entitled to request discount of the service fees or seek damages arising from such suspension or disruption.

Typical terms covering data protection

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering data and confidentiality considerations?

Under the B2B Model Agreement, the cloud computing provider must:

  • adopt the Cloud Computing Standards;
  • provide adequate security measures; and
  • ensure protection against leakage of personal information and third-party infiltration.

Further, the cloud computing provider cannot provide the user’s information to a third party without the user’s consent or use the user’s data beyond the agreed purpose. The user is responsible for controlling its ID and password and bears responsibility for any theft or inappropriate use due to the user’s failure to exercise due care.

Data protection measures not stated in the B2B Model Agreement will be subject to the privacy laws such as the PIPA, Network Act or industry-specific laws based on the user’s business.

Typical terms covering liability

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering liability, warranties and provision of service?

In general, under the B2B Model Agreement, the cloud computing service provider is liable for damages incurred by the user owing to intentional or negligent service disruptions or for failure to meet the level of quality or performance of the services under the relevant service level agreement.

However, absent any intentional misconduct or negligence, the cloud computing service provider will not be liable for the user’s damages because of:

  • inevitable service interruption due to system upgrades, prevention of infiltration such as hacking or network failure, force majeure events that have been notified to the user pursuant to the B2B Model Agreement;
  • service suspension due to force majeure events beyond the control of existing technical capability;
  • service suspension, disruption or termination of the B2B Model Agreement owing to the user’s intentional misconduct or negligence;
  • the network service provider’s discontinuation or disruption of network services;
  • ancillary issues arising from the user’s computer environment or network environment; and
  • the user’s computer error or erroneous identification information or incorrect email address.

Further, the cloud computing provider is not liable for the credibility or accuracy of the information or material transmitted using the services or posted on the service website absent any intentional misconduct or negligence.

Additionally, the cloud service provider will not be liable in disputes regarding cloud computing services between users or between a user and a third party if all of the following conditions are met:

  • the cloud computing service provider has not violated the Cloud Computing Act;
  • the cloud computing service provider has proved that there is no intentional misconduct or negligence on its part;
  • the cloud computing service provider does not have the authority or capacity to control the acts of the user that is infringing on the rights of other users or third parties;
  • even if the cloud computing service provider does have the authority or capacity to control the user against the infringement of the rights of other users or third parties, the cloud computing service provider does not financially benefit from such infringement; and
  • the cloud computing service provider immediately suspends the infringement once it becomes aware of the fact or circumstances that a user or third party is infringing on the user’s rights.

On the other hand, if the user has caused damages to the cloud computing service provider, it will be liable for the damages incurred by the cloud computing service provider.

Typical terms covering IP rights

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering intellectual property rights (IPR) ownership in content and the consequences of infringement of third-party rights?

Under the B2B Model Agreement, the user must not violate the Copyright Act and related laws or moral customs and social order. Further, absent any intentional misconduct or negligence, the cloud computing service provider will not be liable for any infringement on IPR between users or between a user and a third party. Other matters concerning IPR ownership are not specifically mentioned in the B2B Model Agreement and would, therefore, be subject to the intellectual property laws of Korea.

Typical terms covering termination

What are the typical terms of a B2B public cloud computing contract in your jurisdiction covering termination?

Under the B2B Model Agreement, both the cloud computing service provider and the user can rescind or terminate the B2B Model Agreement. The termination rights of the cloud computing service provider and user are as follows.

User

  • the cloud computing service provider is unable to perform its obligations, or there is a materially adverse effect on its ability to do so;
  • the cloud computing service provider fails to provide services as contracted; and
  • a material event has occurred that makes it impossible to maintain the contractual relationship.

Cloud computing service provider

  • the user violates its obligations such as payment default or assigns its rights to a third party without the consent of the cloud computing service provider;
  • a user whose use has been restricted under the B2B Model Agreement fails to cure the cause for such restriction for a substantial period of time; and
  • the cloud computing service provider terminates its cloud computing business.

The cloud computing service provider must return the data to the user upon the rescission, termination of the B2B Model Agreement or upon expiry of the service term. If the return of data is practically impossible, the cloud computing service provider must destroy the user data in an irreversible manner. The cloud computing service provider must also cooperate in transferring the user’s data to a different cloud computing service.

Employment law considerations

Identify any labour and employment law considerations that apply specifically to cloud computing in your jurisdiction.

There are no labour or employment laws specific to the cloud computing industry.

Taxation

Applicable tax rules

Outline the taxation rules that apply to the establishment and operation of cloud computing companies in your jurisdiction.

In general, to establish a corporation in Korea, a capital registration tax of 0.48 per cent of the initial capital applies. After establishment of the corporation, VAT, corporate income tax and local income tax will apply and other taxes such as withholding tax and municipal tax may also apply. It is notable that VAT applies to cloud computing services provided by Korean companies. Corporate income tax will be imposed at the following tax rates:

| Tax basis (Korean won) | Tax rate* |
| --- | --- |
| 200 million or less | 10 per cent |
| 200 million up to 20 billion | 20 million + (20 per cent of the excess over 200 million) |
| 20 billion up to 300 billion | 3.98 billion + (22 per cent of the excess over 20 billion) |
| More than 300 billion | 65.58 billion + (25 per cent of the excess over 300 billion) |

* Local income tax equivalent to 10 per cent of the corporate income tax calculated based on the above will apply.

Indirect taxes

Outline the indirect taxes imposed in your jurisdiction that apply to the provision from within, or importing of cloud computing services from outside, your jurisdiction.

The Value-Added Tax Act was amended, with effect from 1 July 2019, to include cloud computing services as one of the taxable electronic services provided by foreign corporations (article 53, section 1, paragraph 3). This amendment was made to ensure tax equality between Korean corporations and foreign corporations. As a result of this amendment, foreign cloud service providers are obligated to charge a 10 per cent VAT.

Recent cases

Notable cases

Identify and give details of any notable cases, or commercial, private, administrative or regulatory determinations within the past three years in your jurisdiction that have directly involved cloud computing as a business model.

As of yet, there are no such cases or determinations relating to cloud computing as a business model.

Update and trends

Key developments of the past year

What are the main challenges facing cloud computing within, from or to your jurisdiction? Are there any draft laws or legislative initiatives specific to cloud computing that are being developed or are contemplated?

Important changes were made with respect to cloud computing in 2019, most notably the expanded scope of cloud use permitted in the finance sector and the imposition of VAT on cloud services provided by foreign corporations. Nonetheless, there are still regulatory hurdles that make full-scale cloud adoption difficult. One of the main barriers to the proliferation of cloud adoption is the strict data privacy laws of Korea. According to the 2018 cloud industry survey conducted by the Ministry of Science and ICT and the National IT Industry Promotion Agency, 47.8 per cent of cloud service providers cited ‘security’ as an obstacle to the development of the cloud computing industry. Under the current privacy laws such as the Personal Information Protection Act and the Network Act, the adoption of cloud computing is deemed delegation of data processing and therefore requires compliance with the strict requirements for delegation. Such strict requirements are often not compatible with the nature of cloud computing, thereby making companies hesitant to adopt cloud computing. Accordingly, there are discussions as to whether the Cloud Computing Act should prevail over privacy laws to enable widespread adoption of cloud computing.