Under amendments to IT Networks

Act, set to take effect in March 2019,

offshore online businesses, meeting thresholds of nexus to Korea, will be

required to designate local agent

for regulatory oversight purposes.

Amended rules will also newly restrict onward transfer (to additional countries) of personal

information by offshore parties, and, on a reciprocity basis, allow regulators

to restrict transfers of personal information to countries that likewise

restrict outflows of such data.

Passed on August 30, 2018,

amendments to the Act on Promotion of Information and Communications Network

Utilization and Data Protection, Etc. (or IT

Networks Act) will impose, on some range of larger offshore businesses, an

obligation to appoint a local agent responsible for Korean data privacy

compliance. The amended law will also impose new restrictions on the offshore

on-transfer, i.e. to 3rd countries, of personal information (PI), requiring

consent of, or at least notice to, the individuals, and extend to onward

transferors a duty to take protective measures (vis-à-vis the transferee). And

the amendments include a reciprocity principle that will allow the government

to restrict transfers of PI to offshore companies whose home jurisdictions

similarly restrict outflow of PI. The amended rules will take effect in early March 2019, i.e. 6 months from

the formal promulgation which is during this first week of September 2018.

Major online businesses lacking “presence” in Korea will be

required to appoint a local agent, responsible for privacy compliance.

Under the amended IT Networks

Act, offshore “IT service providers”

– including online/connected service providers and sellers – will be required

to appoint an agent in Korea, for data regulation purposes,if they satisfy some threshold of scale (in

terms of local user numbers and/or revenue, but yet to be decided) and lack an “address” or “a place of business”

in Korea. The requirement could also apply, evidently, to offshore

transferees of data – offshore

businesses that (e.g. as data controllers or processors) receive PI of

Korean individuals from IT service providers, given the way in which the

amended law refers to “IT service providers and others”. [1]

The local “agent” (or

representative, in Korean) will be responsible

for local data privacy compliance, as the chief privacy officer (person in

charge of personal information protection. As such, the agent will be responsible for effecting PI protection

measures, reporting to authorities and notifying users in case of data

leaks, and responding, and submitting documents and materials, to the

authorities in case of some violation of the IT Networks Act.[2] (The

“authorities” will mean mainly the Ministry of Science & ICT and the Korean

Communications Commission.) If the agent should end up violating the IT

Networks Act, this will be imputed to the offshore entity.

The local agent can be either an

individual or a corporate entity, but it isn’t clear whether the agent has to

have any specific standing or qualification. On the face of the amended law,

the local agent might be, say, an officer or employee of a local subsidiary.

(It might be that having a local subsidiary already means that one does not

lack a local “address” or “business presence” in the first place, but this

seems doubtful.)

To what offshore businesses will the new requirements apply? Precise thresholds for the

affected offshore businesses, in terms of user numbers and revenues, remain to

be defined. This will follow under a Presidential Decree (primary implementing

regulation), which should issue at latest a month or two before the early March

2019 effective date of the amendments. Widespread speculation in Korea is that,

in any case, the thresholds will “capture” businesses on the scale of Google,

Apple and Facebook.

As to the separate issue of

whether the offshore business indeed lacks

a local “address” or “place of business”, what would that mean? Surely the

new requirement will not apply to, say, an offshore entity that has a local

branch or representative office in Korea. The question is what else would

constitute a local presence for this purpose. As noted above, it seems unlikely

that that would include a local subsidiary. But this part of the new

requirement isn’t particularly defined, nor is it slated to be clarified by

ensuing regulations. It may, for some time, remain a point for interpretation.

New restrictions on offshore onward transfer of PI

Under the current IT Networks

Act, the transfer of Korean personal information by an IT service provider from

Korea (country 1) to an offshore country (country 2) is already restricted:

This requires specific user consent. (As an exception, it suffices to disclose

offshore transfers, typically in a privacy policy, insofar as the transfers are

both “necessary” for the carrying out of the services and designed to enhance

the user’s convenience.) Under the current statute, it’s not clear that these

restrictions apply equally to an onward transfer of PI – that is, from country

2 to a country 3.

Under the amended law, however,

the same requirement that applies to offshore transfer in the first place will

apply to onward transfer offshore: Transfer of PI from country 2 to country 3

will require the users’ consent [3]

– provided that advance disclosure will suffice in case of transfers that are

for the purposes of providing the specific services and accommodating users’

convenience. In practice the requirement of consent will entail inclusion of an

additional consent item (which should be accompanied by particulars such as

identities of the transferees in country 3) among the initial set of consents

requested of the users in Korea (typically in checkbox format). In situations

where advance disclosure of the on-transfer will suffice, this can be provided

for in the privacy policy, for which initial consent is requested.

Also, where PI is so transferred

to country 3, the amended statute calls for the transferor (in country 2) to take measures to safeguard the PI so

transferred. Under the current law this duty applies in the first stage, to an

entity in Korea that transfers PI to a party in country 2, but the required

“measures” are defined in a loose way (including “discussing” with a

transferee, and “reflecting” in a contract with the transferee, matters of

technical/managerial safeguards, and handling in case of a data breach). Under

the amended law, this requirement will also apply to the transferor in country 2,

in relation to the country 3 transferee.

Moreover, the amendments newly

provide for a specific penalty in case

of failure to take the protective measures, on the part of a first

transferor and subsequent transferors.

[4] On the other hand, the required

“measures” (to be finalized by Presidential Decree) seem likely to remain

loosely defined. Nor is it obvious how the new rules would effectively bind an

entity that is offshore.

Reciprocity in PI outflow restrictions

Under the amended law, Korean

regulators will be able to impose

restrictions on the transfer of Korean PI to offshore IT service providers

– online/connected services and goods – if

and to the extent that those businesses’ home jurisdictions restrict the

transfer of PI to overseas. How this change in the statute may translate

into actual restrictions at the agency level – including the Korean

Communications Commission – remains to be seen.

This reciprocity principle is

seen to be largely in reaction to similar laws that have been passed, or are

under consideration, to restrict PI outflows in a number of foreign

jurisdictions, such as Russia, China, Vietnam and so on. Ultimately this type

of issue would seem to call for resolution through bilateral treaty or

international convention.

[1] This part of the amended IT Networks Act is

modelled in part on the local agent designation system instituted in Europe

under Article 27 of GDPR, which came into force in May 2018. However, the local

agent in Korea under the IT Networks Act will be directly responsible for

fulfilling PI protection duties.

[2] Failure to appoint a local agent is subject

to an administrative fine of up to KRW 20 million (around USD 18,000); how the

sanction would be enforceable in absence of a local presence might be

questioned, but clearly it would be best to comply insofar as practical.

[3] The amendment provides that transfer of PI

without obtaining such consent, as required, will be subject to penalties in

the amount of up to 3% of related sales. The new rules in this regard are

patterned after GDPR Article 44.

[4] Under the amended law, failure to take such

measures, insofar as required, will be subject to an administrative fine of up

to KRW 30 million (around USD 27,000). The current law lacks an explicit penalty,

including in relation to the first transferor of PI from Korea.

This

update is intended as a summary news report only, and not as advice. For legal

advice, please inquire with your contact at Bae, Kim & Lee LLC, or the

following authors of this bulletin:

Kwang Hyun RYOO  

T 82.2.3404.0150

E [email protected]

Tae Uk KANG

T 82.2.3404.0485

E [email protected]

Juho YOON

T 82.2.3404.6542

E [email protected]