South Korea: Data Regulators Clarify New Data Security Requirements for Foreign Online Service Providers

Regulators have announced criteria and thresholds (in terms of nexus and scale) for foreign online businesses required to appoint a local agent.

As clarified by the regulator on March 19, 2019, the local agent requirement signifies that affected offshore businesses (but not only those businesses) should in any event comply with local data rules in relation to Korean users.

Separately, criteria have also been unveiled for the required designation of an exclusive-role chief information security officer (CISO), and for liability insurance or reserve requirements, to apply from June 2019.

The long-awaited standards are in follow-up to amendments of the IT Networks Act announced in May and August 2018.

In follow-up to amendments of the Act on Promotion of Information and Communications Network Utilization and Data Protection, Etc. (IT Networks Act or ITNA, a key data privacy statute) passed in August 2018 (reported in our legal update of September 5, 2018), on March 19, 2019 the Korean government announced concrete standards defining those offshore “IT service providers” (which includes online/connected services) that are now required, from this same month of March 2019, to appoint a local agent in Korea.

Further to another set of ITNA amendments passed in May 2018 (reported in our update of June 1, 2018), the government on February 18 and 20, 2019 unveiled proposed standards for the scope of IT service providers (which may include offshore businesses) that will be required to designate a chief information security officer (CISO), and to maintain liability insurance (or reserve) in case of violation of data security rules. (These standards are in proposed form, but are likely to be adopted largely as-is ahead of the effective date of the amendments in June 2019.)

By operation of these thresholds and standards, a range of larger offshore IT service providers, including many of the major online vendors and service providers, will be required to appoint a local agent, from this month. (It is generally believed that some grace period will apply.) From June 2019, offshore businesses, with nexus to Korea, will have to appoint a person as CISO (and exclusively as CISO, depending on scale of local business), and will be subject to insurance/reserve requirements depending on numbers of users involved.

Requirement for offshore business to appoint local agent

Under ITNA as amended in August 2018, and effective March 19, 2019, offshore IT service providers (including online/connected services and sellers) are required to appoint a local agent (or “representative”, 대리인) in Korea, for data compliance and regulatory oversight purposes, if they provide IT services (of a threshold level) to Korea, and are of a threshold scale, but lack an “address” or “place of business” in Korea. (The basic requirement is modelled partly on a similar system instituted in the EU pursuant to GDPR.) Left unclear at the time (see our September 5, 2018 report) were the specific thresholds that are to apply, and the precise meaning of “address” or “place of business”.

To clarify these aspects of nexus, scale and lack of presence in Korea, concrete standards were announced (rather belatedly) on March 19, 2019, partly in guidelines of the Korea Communications Commission (KCC), and partly in provisions for the Presidential Decree of the ITNA amendments (ITNA-PD – the prime implementing regulation). By implication, foreign companies that fall under the requirement of appointing a local agent (though not exclusively those companies) are required to comply with ITNA rules in relation to Korean users, including a range of disclosure and consent requirements and data security rules. (Broadly speaking, implications of this requirement under ITNA will be somewhat comparable to those following appointment of a “representative” for GDPR purposes.)

Nexus to Korea: The KCC guidelines clarify that the “main factors” to be considered, in determining whether an offshore service operator is required to appoint a local agent, will include (i) actual provision of IT service to Korea, i.e. numbers of local users, (ii) whether the service is offered in the Korean language, and (iii) whether the business has obtained a license from Korean authorities. (These are non-exclusive criteria.) The criteria evidently go to purposeful targeting of the Korean market as much as to volume of local usage.

To illustrate how the criteria will play out in practice, the KCC gives the scenario of an offshore business that only uses servers situated offshore, and has yet to carry out any filing in Korea, but offers its service in the Korean language, collects personal information from a large number of Korean users, and gains revenue from ad placements by Korean businesses. There, says the KCC, the operator would meet the nexus criterion.

Scale of global / local business: More broadly, under the ITNA-PD issued in March, offshore IT service providers will be subject to these requirements only if they satisfy one of these thresholds of worldwide business scale: (i) its total revenues globally (all operations) exceed KRW 1 trillion (approx. USD 900 million); or (ii) its total Korean revenues from IT services exceed KRW 10 billion (USD 9 million); or (iii) it has over 1 million daily average Korean users (whose personal information is kept by it).

Note: Scale is not a sine qua non for applicability of data rules: A foreign business that satisfies the threshold scale of business, in addition to local nexus and lack of presence criteria, will have to appoint a local agent, and will clearly need to conform to data privacy/security requirements under ITNA. However, offshore companies may be required to conform to those rules despite not meeting the scale thresholds – that is, in general principle, compliance may be required of an offshore operator depending on nexus to Korea, irrespective of scale.

Duty to appoint local agent, in case of violation: Irrespective of any of the above thresholds, under the amended ITNA, an IT service provider (lacking an address or place of business in Korea) is required to appoint a local agent for legal process purposes, in the event the KCC undertakes an investigation of the service provider following complaints from users regarding an alleged ITNA violation, or upon otherwise learning of a legal violation by the business.

Lack of “address” or “place of business”: Also unclear, under the ITNA amendment in August 2018, was what sort of presence in Korea would obviate the local agent requirement. The March 19 KCC guidelines clarify (as expected) that the requirement will not apply to an offshore business that has a local branch or representative office in Korea. But in the case of a subsidiary, it depends: If the offshore operator has a subsidiary in Korea, but this subsidiary does not provide IT services in Korea, then it will not mean that the offshore entity has an “address” or “place of business” here. At the same time, it’s not clear that, if the offshore entity has a subsidiary that does provide IT services in Korea (and not necessarily relating to the IT services in question), this will necessarily constitute an “address” or “place of business”. Basically, the presence-in-Korea factor remains at least in part a gray area.

Who can serve as local agent: As we reported on September 5, 2018, the amended ITNA didn’t provide for specific qualifications of a local agent, and allowed for this person to be either an individual or a corporate entity. The belated KCC guidelines merely add that there is a language requirement anyway: The agent must be able to communicate with regulators in Korean. The agent will be responsible for, among other things, effecting personal data protection measures, and notifying users in case of data breaches. The person will also be responsible for responding, and submitting documents and materials, to authorities in case of an ITNA violation.

Possible consequences for non-appointment: Failure to appoint a local agent, when required, can incur an administrative fine of up to KRW 20 million (around USD 18,000). While the requirement took effect as of March 19, 2019, it is generally expected that the KCC, as regulator in charge, will observe (informally) a grace period of a few months.

Requirement of designating chief information security officer (CISO)

Under the ITNA amendments as passed in May 2018, IT service providers – online sellers and services – must, from June 13, 2019, designate a suitably qualified CISO (as an executive or company officer level position), and report that appointment to the Ministry of Science & ICT (MSIT). (The only exception to this requirement is for quite small businesses.) The requirement will apply to offshore companies depending on nexus to Korea, and the standards in that regard will be as clarified by the KCC and noted above (a separate factor from global scale of business). The person so designated by the IT service provider must not hold a (paid) position with any other company (including any affiliate). Furthermore, an IT service provider must appoint a CISO to serve exclusively in that capacity in the company, if the company meets certain thresholds of scale. The thresholds in that regard, as well as other qualifications (if any) for a CISO, were left to be later specified.

Thresholds of business scale requiring exclusive-role CISO: The draft ITNA Presidential Decree, unveiled by the MSIT on February 20, 2019, would stipulate that the special requirement, of designating an individual to serve solely as CISO within a given organization, applies to IT service providers meeting any of the following tests:

(a) Its total assets amount to KRW 5 trillion (approx. USD 4.5 billion) or more; or

(b) Its total assets amount to KRW 500 billion (approx. USD 450 million) or more; and either:

(i) It is a nationwide internet service provider, or an internet data center (or falls within any of certain other classes of facility, such as large schools);

(ii) Its annual revenues from telecommunications services exceed KRW 10 billion (USD 9 million); or

(iii) It has over 1 million daily average users.

One might suppose that tests (b)(ii) and (b)(iii) would be in reference to Korean revenues and users, but this has yet to be clarified. Thus, in case of a business (including offshore, but with nexus to Korea) that meets one of the above thresholds, not only will it have to designate a person as CISO (being an executive or officer level position), but that person must serve only in that particular capacity, at the company. (As a likely exception, however, the draft rules seem to leave room for the person to serve the company in a related data security role, such as chief privacy officer.)

As for the CISO’s qualifications, under the draft ITNA-PD, the person must have at least 4 years’ experience in information security or at least 5 years’ experience in information technology. Additionally, according to the draft rules, the CISO must not serve in a (paid) position with any other entity – which would preclude a position with any affiliate as well, based on the letter of these rules.

It is worth noting that these conditions – exclusive CISO role (in case of enterprises of sufficient scale), and data security/technology experience – would not apply to a CISO so designated before the effective date of the ITNA amendments, June 13, 2019. Thus, logically, it would seem that a person designated as CISO before June 13 may fulfill the role without meeting those particular conditions.

The draft ITNA-PD right now is only that, a draft, but it is likely to be adopted as-is or nearly as-is, ahead of the effective date of the ITNA amendments in this regard, which is June 13, 2019. Under these rules, in any event the failure to designate a CISO as required can incur up to a KRW 30 million administrative fine.

Required liability insurance or reserve

The May 2018 ITNA amendments also provided, in general terms, that IT service providers must maintain liability insurance, or maintain a reserve, against liability arising from a breach of data protection rules. Now, under draft provisions for the ITNA-PD announced by the KCC on February 18, 2019 (and likely to be adopted before the June 13, 2019 effective date of the relevant ITNA amendments), the insurance or reserve requirements would apply to online businesses maintaining personal information (PI) of merely 1,000 or more users, but minimum cover levels would vary with the number of users and with the total revenues, as follows.

In unveiling the draft sections of the ITNA-PD, the KCC stated that the insurance / reserve requirement will apply equally to any offshore IT service provider that has sufficient nexus to Korea (a point clarified by the KCC as noted above), provided that the criteria for the level of coverage will be the number of users in Korea but the total revenue globally. (The criteria for the insurance/reserve requirement may overlap in part with, but are separate from, the scale thresholds for the local agent appointment requirement – an offshore operator may be subject to the obligatory insurance/reserve without also being subject to the local agent requirement.)

Barring some unusual turn of events, these proposed standards for minimum insurance/reserve will be adopted before the June 13, 2019 effective date of the amended ITNA provisions. Failure to maintain minimum insurance may incur up to a KRW 20 million administrative fine.

Kwang Hyun Ryoo
Tae Uk Kang
Juho Yoon