Korean

appeals court orders Google to disclose to Korean users what personal information

Google passed to U.S. government.

A Korean appellate court has

ordered Google Korea along with its U.S. parent Google Inc. (together, “Google”)

to disclose to users of the Google search service, when they so request, the scope

and status of the users’ personal information (including search records) that Google

has provided to the U.S. government. The decision of the Seoul High Court,

handed down in February (released in March) 2017, concluded that, notwithstanding

the choice of California law in the terms of service, Google’s use and handling

of information was subject to rights of the local users under Korean law, mandating disclosure to them

of what was passed to third parties including the U.S. authorities – except to

the extent the disclosure is prohibited under U.S. law.

The appellate decision, now on

appeal by Google to the Korean Supreme Court, centered on user rights under the Act on Promotion of Information and Communications Network Utilization

and Information Protection (“IT Network Act”) of Korea. A key data privacy statute

of Korea, the IT Network Act provides that, if “IT service providers”

(including any business of supplying information by telecom or online in Korea)

pass personal information to third parties, they must, upon the user’s request,

disclose the identities of those third parties, the scope of that information

and the purpose of passing it, and details such as the time it is passed. Identifying

Google Inc. along with Google Korea as IT service providers, the Korean plaintiffs

filed this action in 2014, prompted by the Edward Snowden revelation that Google-stored

information had gone to intelligence agencies in the U.S. The lower court in

Korea had already, in 2015, ruled for plaintiffs as against Google Inc., but

excluded Google Korea. The influential appellate court now includes Google

Korea in its disclosure order.

As recounted in the

judgment, Google’s argument is that it is not subject to the Korean law

requirements under the IT Network Act, in relation to the service, because its stated

terms provide for California governing law, as well as exclusive jurisdiction

of California courts. The appeals court, however, like the lower court,

reasoned that the clause did not validly subject users, being ordinary

consumers, to California law exclusively.

Rather, the court said, the user’s right to disclosure under the IT Networks Act, concerning information

passed to third parties, is a mandatory rule,

for the protection of consumers, and as such it applies notwithstanding an

ostensible agreement to the contrary. Thus, the users are entitled to have these IT

service providers disclose what information they passed to third parties,

including U.S. government agencies. To the extent such a disclosure is prohibited under U.S. law, however, that

is, thankfully, a “reasonable” basis for withholding disclosure, an exception

to the requirement.

As to Google Korea, the lower court (Seoul Central

District) had accepted the argument that Google Inc., not Google Korea, was the

service provider, and thus Google Korea was not subject to the disclosure

obligation, but the appellate court disagreed. Google Korea, the High Court

said, was certainly an “IT service provider” in the relevant way, owning the “google.co.kr”

domain and processing users’ search requests as part of the Google search

service. The appellate court thus encompassed Google Korea in its order.

While the plaintiffs had also

sought damages, evidently couched as compensation for psychological injury, the

appellate court as well as the lower court rejected that claim, finding no such

injury.

The court decision

underscores the need for companies offering telecom or online services in Korea

to be wary – including when it comes to their offshore handling of information –

of restrictions and duties under the IT Network Act, as well as other Korean

data privacy regulations governing personal and location information. While the

decision awaits Supreme Court review, for now it should be assumed that Korean

consumer-protective data privacy rules may apply regardless of an exclusive

governing law clause to the contrary. Moreover, the judgment is a reminder for

multinationals that their local subsidiary or branch may be “on the hook” for

compliance obligations (and susceptible to enforcement action), notwithstanding

that the main service is operated by an offshore parent or affiliate.

At the same time, the

decision leaves some large questions unanswered. The court gave no special

attention to the precise contours of the disclosure required of Google. Presumably

that need not include a comprehensive log of all the user’s information that Google furnished to the U.S.

government, and every detail of that activity. But the minimum scope is

unclear.

The

case also invites the question of

what standard, if any, should limit the reach of these rules to offshore

operators Google Inc. was treated as subject to the

IT Network Act restrictions despite having itself, as distinct from its

subsidiary, no noted presence in Korea. Left open is the possibility that the

rule might apply to any offshore any Korean user information, although enforcement

would be another question.

Part of the ruling is

that disclosures by Google are not required insofar as they are barred under U.S. law. While that may be

logical, it implies further issues. One might question, for instance, what sort of proof would establish

that Google is prevented from disclosing what it knows, and whether that proof might

not itself implicate U.S. national security concerns. Other questions include

whether a Korean court should expect Google to take active steps, and if so, to

what lengths, to seek U.S. government clearance for a disclosure.