We will start off this year by discussing the key amendments to the Act on Promotion of Information and Communications Network Utilization and Data Protection (“Network Act”) which will soon come into effect, and our data protection predictions for 2019.
1. Offshore information communication service providers will be required to appoint a local representative in Korea.
- The Amendments
Passed on August 30, 2018, amendment to the Network Act will require certain offshore information communication service providers which do not have an address or place of business in Korea, to appoint a local representative responsible for Korean data privacy compliance. This amendment will come into effect on March 19, 2019.
“Information communication service provider” under the Network Act refers to any person or entity that provides information or mediates flow of information through the telecommunication network. In practice, most companies engaged in online businesses or which provide information or services through the telecommunication network are considered to be information communications service providers.
On December 14, 2018, Korea Communications Commission (“KCC”) published the proposed amendment to the presidential decree which sets forth the range of offshore businesses that should comply with this obligation.
- A company that has achieved total sales of KRW 1 trillion (approximately USD 900 million) or over in the previous fiscal year;
- A company that has achieved total sales of KRW 10 billion (approximately USD 9 million) or over in the information communication service sector in the previous fiscal year;
- A company that has achieved the number of average daily user of 1 million or over during the last 3 month period of the previous fiscal year; and
- A company that has been requested by the KCC to submit goods or documents in accordance with Article 64(1) of the Network Act.
The local representative will be responsible to fulfill the duties of the Chief Privacy Officer under the Network Act, and responding to the requests for information by the Korean regulatory bodies. The local representative can be either an individual or a corporate entity, but the law does not prescribe any specific qualification except that the local representative must have a place of business in Korea. On the face of the language, an employee of an affiliated company in Korea, or an independent third party (such as an external law firm) may also be designated as the local representative.
Article 64(1) of the Network Act provides that the KCC may demand the information communication service providers to submit goods or documents for the purpose of investigating violations of the Network Act or for the purpose of protecting the users. According to the proposed amendment of the presidential decree, any company that has received this request from the KCC is required to appoint a local representative in Korea, even if the other thresholds have not been met.
There is still some uncertainty about the meaning of “no address or place of business in Korea.” Often global companies operate different services through different entities. If service ‘A’ is operated by an offshore entity, and service ‘B’ is operated by a Korean subsidiary or branch, the question remains whether the offshore entity would be required to appoint a local representative in respect of service ‘A.’ We will continue monitoring this issue and inform you once this interpretation becomes clearer.
It is important to note that, the information service provider would be held responsible for any violation of the Network Act by the local representative in performing his/her duties.
2. Prior consent will be required for cross-border transfer of personal information from an offshore country to another offshore country.
• The Amendment
Passed on August 30, 2018, amendment to the Network Act will impose additional restrictions on the cross-border transfer of personal information.
Under the current law, the transfer of personal information from Korea to an offshore country is already restricted - in principle, express prior consent of the data subject is required for the transfer to an offshore country. The amended law will impose similar restrictions on the offshore transfers that take place after the initial offshore transfer of personal information.
For example, under the current law, transfer of personal information from Korea to country ‘A’ would in principle require prior consent of the data subject, and there was no such requirement for the onward transfer from country ‘A’ to country ‘B.’ Under the new law, the transfer from country ‘A’ to country ‘B’ would also require prior consent of the data subject.
The amended law will take effect on March 19, 2019.
• Our Comments
The failure to comply with the new regulation may expose the companies to the administrative fine of up to 3% the relevant sales. It is advisable to check whether the onward offshore transfers have all been properly accounted for in the consent forms and the privacy policies.
3. Information communication service providers may be required to have in place insurance policies that cover civil liability for violating the Network Act.
• The Amendment
Passed on June 12, 2018, amendment to the Network Act will require certain large size information communication service providers (to be specified by the presidential decree) to have in place liability insurance or accumulate reserves for the purpose of compensating the data subjects in the event of losses resulting from any violation of the Network Act.
The purpose of this regulation is to ensure that the data subjects will be able to receive adequate compensation for any losses suffered as a result of the violation of the Network Act.
The amended law will take effect on June 13, 2019.
• Our Comments
The failure to comply with the new regulation may expose the companies to the administrative fine of up to KRW 20 million. The range of companies which will be subject to this requirement has not yet been announced by the presidential decree. Therefore, the businesses are advised to continue monitoring the regulatory updates.
4. There will be stronger protection for children below the age of 14.
• The Amendment
Passed on December 24, 2018, amendment to the Network Act will require the information communication service providers to use “clear and easily understandable language” when communicating privacy related information to children under 14 years of age.
In addition, when obtaining consent from the legal guardian on behalf of the children under 14 years of age, the businesses will be required to verify that the legal guardian has actually consented in the method prescribed by the presidential decree.
Further, information communication service provider who provides chatting service to children under 14 years of age should make best efforts to protect the children from being exposed to inappropriate contents.
The amended law will take effect on June 25, 2019.
• Our Comments
The failure to comply with the new regulation to verify the consent of the legal guardian may trigger administrative fine of up to 3% of the relevant sales. The specific verification method has not yet been announced by the presidential decree. The businesses that provide online or mobile services to children under 14 are advised to vigilantly monitor our regulatory updates.
5. Data Protection Predictions for 2019
• The legislative bills for the amendment of Personal Information Protection Act (“PIPA”) are still pending at the National Assembly. Some of the key provisions in these bills include: (a) introduction of the concept of “anonymized” personal information, for the purpose of allowing the use anonymized personal information for commercial or research purposes; (b) permitting the collection and use of personal information without the consent of the data subject when the data subject has publicly disclosed his/her personal information; and (c) limiting the scope of “personal information” by limiting the scope of information that may be combined with other personal information to be used to “identify” an individual.
While the critics are concerned that these amendments will pose significant risks to data privacy, online businesses and the ICT sector continue to strongly demand the amendment of the PIPA, arguing that this is necessary to maintain momentum in their technology innovation. So this reason, we believe there is a good chance that the National Assembly will pass at least some of these legislative bills this year, in an effort to make sure that privacy regulation does not impede innovation in the ICT sector.
• There are also legislative bills for the amendment of the Network Act which are still pending at the National Assembly. One prominent bill intends to strengthen the administrative penalty for violation of the Network Act. Under the current law, companies that violate the Network Act may face administrative fine of up to 3% of the relevant sales, or KRW 400 million (approximately USD 350,000), in the event that it is difficult to calculate the relevant sales. The amendment bill intends to raise this penalty amount to 3% of the relevant sales or KRW 1 billion (approximately USD 900,000), and also empower the Korea Communications Commission to issue an order to suspend the services against businesses that do not comply with corrective orders.
It can be seen from these pending bills that the data protection regulators in Korea intend to strengthen punishment for violators of the Korean privacy laws. We will continue to monitor the legislative status of these pending bills, and inform our clients and friends.