The appellate decision, now on appeal by Google to the Korean Supreme Court, centered on user rights under the Act on Promotion of Information and Communications Network Utilization and Information Protection (“IT Network Act”) of Korea. A key data privacy statute of Korea, the IT Network Act provides that, if “IT service providers” (including any business of supplying information by telecom or online in Korea) pass personal information to third parties, they must, upon the user’s request, disclose the identities of those third parties, the scope of that information and the purpose of passing it, and details such as the time it is passed. Identifying Google Inc. along with Google Korea as IT service providers, the Korean plaintiffs filed this action in 2014, prompted by the Edward Snowden revelation that Google-stored information had gone to intelligence agencies in the U.S. The lower court in Korea had already, in 2015, ruled for plaintiffs as against Google Inc., but excluded Google Korea. The influential appellate court now includes Google Korea in its disclosure order.

As recounted in the judgment, Google’s argument is that it is not subject to the Korean law requirements under the IT Network Act, in relation to the service, because its stated terms provide for California governing law, as well as exclusive jurisdiction of California courts. The appeals court, however, like the lower court, reasoned that the clause did not validly subject users, being ordinary consumers, to California law exclusively.

Rather, the court said, the user’s right to disclosure under the IT Networks Act, concerning information passed to third parties, is a mandatory rule, for the protection of consumers, and as such it applies notwithstanding an ostensible agreement to the contrary. Thus, the users are entitled to have these IT service providers disclose what information they passed to third parties, including U.S. government agencies. To the extent such a disclosure is prohibited under U.S. law, however, that is, thankfully, a “reasonable” basis for withholding disclosure, an exception to the requirement.

As to Google Korea, the lower court (Seoul Central District) had accepted the argument that Google Inc., not Google Korea, was the service provider, and thus Google Korea was not subject to the disclosure obligation, but the appellate court disagreed. Google Korea, the High Court said, was certainly an “IT service provider” in the relevant way, owning the “google.co.kr” domain and processing users’ search requests as part of the Google search service. The appellate court thus encompassed Google Korea in its order.

While the plaintiffs had also sought damages, evidently couched as compensation for psychological injury, the appellate court as well as the lower court rejected that claim, finding no such injury.

The court decision underscores the need for companies offering telecom or online services in Korea to be wary – including when it comes to their offshore handling of information – of restrictions and duties under the IT Network Act, as well as other Korean data privacy regulations governing personal and location information. While the decision awaits Supreme Court review, for now it should be assumed that Korean consumer-protective data privacy rules may apply regardless of an exclusive governing law clause to the contrary. Moreover, the judgment is a reminder for multinationals that their local subsidiary or branch may be “on the hook” for compliance obligations (and susceptible to enforcement action), notwithstanding that the main service is operated by an offshore parent or affiliate.

At the same time, the decision leaves some large questions unanswered. The court gave no special attention to the precise contours of the disclosure required of Google. Presumably that need not include a comprehensive log of all the user’s information that Google furnished to the U.S. government, and every detail of that activity. But the minimum scope is unclear.

The case also invites the question of what standard, if any, should limit the reach of these rules to offshore operators Google Inc. was treated as subject to the IT Network Act restrictions despite having itself, as distinct from its subsidiary, no noted presence in Korea. Left open is the possibility that the rule might apply to any offshore any Korean user information, although enforcement would be another question.

Part of the ruling is that disclosures by Google are not required insofar as they are barred under U.S. law. While that may be logical, it implies further issues. One might question, for instance, what sort of proof would establish that Google is prevented from disclosing what it knows, and whether that proof might not itself implicate U.S. national security concerns. Other questions include whether a Korean court should expect Google to take active steps, and if so, to what lengths, to seek U.S. government clearance for a disclosure.