Contributed By Kim & Chang
Generally speaking, the Korean government takes a positive stance towards cloud computing services, and has sought to support and promote cloud computing services. For instance, the Act on Promotion of Cloud Computing and Protection of Its Users (the 'Cloud Computing Act'), which aimed to promote the use of cloud computing services and protect its users, went into effect in 2015.
However, Korea has several licence/certification requirements that must be met in order to provide cloud computing services, including specific localisation requirements (eg, local data centre requirements) and physical network separation requirements applicable to cloud computing service customers (especially those in the public, financial and healthcare sectors). While there have been many discussions on relaxing regulations on cloud computing services, there still remain many regulations that hinder foreign companies seeking to provide cloud computing services in Korea. These regulations are discussed in greater detail below.
Telecommunication Licence Requirements
In Korea, the Telecommunications Business Act (TBA) currently broadly categorises telecommunications service providers into facility-based telecommunications service providers (FSPs), specific telecommunications service providers (SSPs) and value-added telecommunications service providers (VSPs).
Both FSPs and SSPs provide 'key services' that involve telecommunications carrier services (eg, transmission and network facility leasing). The key difference between FSPs and SSPs is that, while FSPs provide key services through the use of their own telecommunication network and related facilities, SSPs do so using an FSP’s telecommunication network facilities and services (eg, mobile virtual network operators (MVNOs)). VSPs are defined as telecommunications service providers that provide telecommunications services other than 'key services' and, therefore, the term VSP is extremely broad and covers a wide variety of companies, including cloud computing services and colocation services, online data processing services and content-on-demand services.
Therefore, a cloud computing or co-location service provider in Korea is required to file a VSP report, while a data centre operator is required to obtain:
However, it is important to note that the distinction between FSPs and SSPs will be abolished starting 25 June 2019, at which point services currently requiring an FSP or SSP licence will need to register as an FSP only.
Other Licence Requirements
In addition to the foregoing, the following licences, while not unique to cloud businesses, may be required depending on the business structure:
Major Regulatory Requirements Under the Cloud Computing Act
The Cloud Computing Act, which applies to cloud computing services providers, sets forth certain regulatory compliance obligations and recommendations for relevant service providers. The main items of the Cloud Computing Act are as follows:
Other Major Regulatory Requirements
There are other major regulatory requirements that may apply to an entity providing cloud services in Korea:
In Korea, there are specific regulations that apply to individual industries and sectors that can be an obstacle to the provision of cloud computing services.
Regulations on Public Sector Customers
The use of cloud services by customers in the public sector, including government institutions, local governments and government-owned public institutions (eg, academic institutions in the education sector) (collectively, 'Public Agencies') is actually very limited by the regulations below. There have been many recent discussions, however, to ease these regulations, and the regulatory landscape with regard to Public Agencies is rapidly changing.
The Guideline on Use of Commercial Cloud Services by Public Institutions promulgated by the Ministry of the Interior and Safety sets forth the following procedures and requirements for use of commercial cloud services by Public Agencies (it must be noted that this guideline is currently in discussion to be abolished or revised in the near future):
In addition, pursuant to the e-Government Act, any information protection system used by Public Agencies, including cloud computing systems, must undergo security compatibility review procedures established by the National Intelligence Service.
Regulations on Financial Sector Customers
Until 2018, financial companies and electronic financial business operators had only been able to use cloud services to process 'non-critical information' that does not contain personal credit information and/or unique identifying information.
In July 2018, the Financial Services Commission announced systematic advancements entitled the 'Plan to Increase Cloud Use in the Financial Sector', and as a result, an amendment to the Electronic Financial Supervisory Regulations (the 'Supervisory Regulations') and a new Guideline on the Use of Cloud Services in the Financial Industry became effective on 1 January 2019.
The key features of the amendment to the Supervisory Regulations include:
However, there are requirements in these amendments that may be burdensome for foreign cloud service providers (eg, guarantees of inspection and access rights for supervisory authorities in the cloud service agreement, limiting of the physical location for critical information processing to Korea and prohibition of wireless network use for cloud systems processing critical information).
Regulations on Healthcare Sector Customers
For healthcare institutions, amendments to the Medical Service Act in August 2016 allow for off-site storage of electronic medical records. However, due to additional requirements related to these amendments, such as local server location requirements and (physical or logical) network separation requirements, it is difficult in practice for foreign cloud service providers without local data centres to provide cloud services to the healthcare sector.
In Korea, the processing of personal data collected online is generally governed by the Network Act. Additionally, the Personal Information Protection Act (PIPA) may apply in the absence of special provisions in the Network Act. When processing personal credit information, the Credit Information Act may also apply.
In principle, neither the Network Act nor PIPA restricts the use of cloud services. However, if any personal information is processed by a cloud service provider, the customer will be deemed to have delegated the processing of personal data to the cloud service provider, and therefore, the customer as a delegator and the cloud service provider as a delegate must comply with the Network Act and PIPA’s requirements for delegation of personal data processing, including:
Currently, there are no Korean laws that directly apply to blockchain technology. Therefore, the most relevant issue relates to how legal risks and liabilities under existing laws apply to new services using blockchain technology or blockchain businesses. However, since existing laws were not established with blockchain technology in mind, it is unclear how Korean laws will apply to the blockchain industry, and the legal risks and liabilities that relate to blockchain technology in Korea remain uncertain.
As blockchain is a new business area to which no particular law expressly or directly applies, the government’s position on issues in this industry weighs more heavily compared with other business areas. However, the Korean government holds different positions on blockchain technology and on cryptocurrency.
The Korean government has emphasised its favourable view on the introduction of services utilising blockchain technology on numerous occasions, specifically highlighting the innovative nature of blockchain technology in many different industries. The Korean government has also expressed its interest in fostering, promoting and investing in blockchain technology as part of its strategic and economic plans for Korea to be a leader in the fourth Industrial Revolution.
In contrast to this position on blockchain technology, the Korean government generally holds a negative view on cryptocurrency, especially initial coin offerings (ICOs), despite industry views suggesting that blockchain technology and cryptocurrency are inseparable, particularly in public blockchains. The Korean government and relevant agencies have also been known to oppose new businesses that relate to cryptocurrency.
Currently, there are no Korean laws that expressly regulate cryptocurrency, nor are there any clear court decisions on the application of current regulations to cryptocurrency. Nevertheless, the Korean government has expressed its opinion that ICOs are prohibited in Korea despite the absence of any legal basis therefor. For instance, on 4 September 2017, the FSC issued a press release banning ICOs that violate the Financial Investment Services and Capital Markets Act, the main securities law in Korea. The financial regulators’ initial position was to penalise ICOs where tokens were offered in the form of a securities issuance (ie, where the token is classified as a security). Thereafter, on 29 September 2017, the financial regulators announced through another press release that any type of ICO, including those in the form of securities, would be prohibited.
Therefore, for blockchain business models, particularly those that are related to cryptocurrency, it would be advisable to conduct careful legal analysis on the risks and liabilities and continue to monitor the position of the government and relevant agencies on these issues. Furthermore, risks and liabilities under current laws may still apply to blockchain businesses not related to cryptocurrency. Thus, a thorough review of whether the blockchain business violates existing laws would be necessary.
In Korea, there have not been any intellectual property-related regulations that were newly enacted to directly address or otherwise apply to blockchain technology.
To launch a new service in Korea using blockchain technology, it is necessary to check whether there are any pending or published patents for blockchain technology that apply to the new service. The main technological theories and principles for blockchain technology have already been made public through academic articles and publications. Therefore, because the basic blockchain principle itself does not satisfy the novelty requirement or the inventive steps requirement, it cannot be protected as a patent. However, as of 3 January 2019, there were 33,373 published and registered patents that relate to specific blockchain technology and services. Given this number of relevant patents, it will be necessary to review whether the blockchain technology used in a newly launched service will infringe on any published or registered patents. Forgoing this process may lead to civil action (eg, suspension of the service and claim for compensation based on the profits obtained from the operation of the service), or criminal action (eg, imprisonment of up to seven years or criminal fine of up to KRW100 million for patent infringement). If the aforementioned issues are raised, such claims can be disputed by proving that the blockchain technology that applies to the new service does not infringe on the existing patent, or by proving that the existing patent should be invalidated because it does not satisfy the novelty and inventive steps requirements.
The next issue to consider is whether the relevant technology should be registered as a patent or protected as a trade secret. To protect the technology through patent registration, it is necessary to prove that the relevant technology meets the novelty and inventive step requirements as a patent (as mentioned above). In addition, one can consider registering a patent for the service using the blockchain technology (and not the blockchain technology itself) and establishing an intellectual property right through that channel. On the other hand, when protecting the technology as a trade secret, it will be necessary to take actions to protect the trade secret such as collecting a confidentiality agreement from employees to prevent the leakage of trade secrets and building a system to continually monitor such leakage so that immediate action can be taken in response to a breach.
Korea has various data privacy laws that will apply to blockchain technology:
Whether encrypted data recorded on blockchain would constitute 'personal information' and whether each node on public blockchains would be deemed a personal information processor are still up for debate as there is no clear statute or established interpretation on such issues. For Korean privacy law to be applicable in any given case, however, the relevant encrypted data must be considered personal information and the applicable personal information processor must be identifiable. Therefore, these three laws may be applied individually or collectively depending on what kind of information is stored in the blockchain and how the blockchain service is provided.
Where Korean privacy law is applicable, the laws relating to personal information all provide specific regulations for each step of the processing of such information, generally comprised of:
For steps (i) through (iii), key regulations involve an obligation to obtain consent from the information subject. For step (iv), the main regulations involve an obligation to destroy the concerned personal information after the expiration of the consent period. Considering the features of blockchain technology, the key issues in introducing blockchain as related to these laws may be step (ii), which includes an obligation to obtain consent from the principal of personal information for provision of personal information, and step (iv), which includes an obligation to destroy personal information when the concerned individual cancels his or her membership for the service.
Under Korean privacy laws, when a service provider provides a third party with personal information obtained from a principal, it should obtain consent from the information subject by disclosing the recipient of the personal information and the purpose thereof. However, when information is recorded in a blockchain, it is shared with all nodes that exist in the blockchain network and also new nodes that will participate in the network in the future. In other words, information that is recorded in the blockchain network is provided not only to the blockchain network operator, but also to any individual who is participating or will participate in the network. Because the applicable law requires a service provider to obtain consent from the information subject by disclosing the recipient of the personal information, in theory, consent would need to be obtained only after disclosing all owners of nodes that exist in the blockchain network, and all owners who will participate in the blockchain network. Therefore, when introducing public blockchains to services that fall under the scope of personal information laws, it is important to review in advance relevant personal information issues as described above and organise the services in a way that does not violate such related laws.
In addition, there is also an issue related to the destruction of personal information. Under personal information laws, personal information of those individuals who have cancelled their membership should be destroyed after a certain given period. However, in blockchain technology, information that is already recorded cannot generally be deleted from the blockchain network, making it difficult to destroy the personal information of those who have withdrawn their membership. That being said, because current personal information laws did not contemplate the difficulties in destroying personal information in the case of blockchain technology when they were legislated, an obligation to destroy personal information under personal information-related laws could be flexibly interpreted. Therefore, it is important to organise the services in a way that does not violate regulations on personal information to the extent possible and explore practically feasible ways to avoid violations of regulations on personal information by consulting with relevant authorities.
In Korea, the legal discussion on new technologies such as big data, machine learning and artificial intelligence is mostly focused on the application of the personal data regulations with respect to big data and the subject of legal liability with respect to artificial intelligence and machine learning.
Big data is currently used in various aspects of FinTech (eg, product development, prevention of misconduct, marketing and credit rating), and as such, financial companies have been increasingly using customer data for analysis and processing as big data, subjecting themselves to the regulations under the Credit Information Use and Protection Act (the 'Credit Information Act'), the Personal Information Protection Act (the PIPA), the Electronic Financial Transactions Act (the EFTA), Regulation on Business Delegation of Financial Institutions, and Regulation on Outsourcing of Data Processing of Financial Companies, among others.
Given the volume, big data is more likely to include personal information, especially as it can be combined with other data in the process of drawing out useful data for marketing or other purposes through big data analysis and application, in which case PIPA and/or the Credit Information Act are applicable. As such, the service provider should be careful to not use or transfer any personal information for purposes different from what the data subjects initially consented to, and in the case it does, the service provider must obtain separate consent from the data subject. In addition, the EFTA may be applicable in case processing and/or analysis of big data involve data transmitted through electronic means.
Given the above regulations, there have been concerns that the regulations were substantially constraining the application and use of big data. To address these concerns, the government ministries jointly announced the 'De-identification Guidelines' on 30 June 2016, which detail 'de-identification measures' required to enable safe utilisation of big data within the legal frame of the current laws and regulations of personal data protection. Under the De-identification Guidelines, data processed with de-identification measures will not be viewed as personal information, and thus, service providers may use such data for business purposes without obtaining consent from the data subject. However, service providers must take certain administrative and technical protective measures, and certain restrictions will still apply to the use of de-identified data (eg, if the de-identified data is re-identified during its use, service providers must immediately cease any processing of such data and destroy it).
Even after the De-identification Guidelines were announced, there were concerns that the above measures would not substantially help the service providers. In response, the Korean government and the National Assembly are currently making efforts to promote legislation where:
Artificial intelligence (AI) and machine learning are also widely used in the industries and most of the legal issues revolve around who should be held liable. While the discussions are mostly on how to interpret and apply the relevant laws and regulations to devices operated by AI and machine learning, the basis of such uncertainty stems from the issue of whether it is reasonable and justifiable to hold a certain individual responsible for machines operated by AI and machine learning.
Taking self-driving vehicles as an example, the Guarantee of Automobile Accident Compensation Act states that the operator of a motor vehicle is liable for damages caused by any operation of the vehicle and shall be obligated to subscribe to liability insurance, while the Motor Vehicle Management Act defines 'self-driving vehicles' as “a motor vehicle that can self-operate without any operation by its driver or passengers” and views the 'operator' as having control and interest of operation of a vehicle. Under the foregoing regulations, it is unclear who should be viewed as having control and interest of the self-driving vehicle, and there are even discussions on whether the manufacturer should be viewed as the 'operator'. There are similar discussions with respect to self-driving vehicles on the Product Liability Act and the Act on Special Cases Concerning the Settlement of Traffic Accidents.
See 3.2 Machine Learning, above.
The Internet of things (IoT) refers to the technology or environment in which sensors are attached to objects to exchange data on the Internet in real time (ie, various data must be first generated and collected through sensors). Since IoT services are mainly used in areas closely related to the daily lives of individuals such as household appliances, information collected for IoT services is highly likely to include personal information, and the collection and use of such information may be subject to the data protection regulations under the Personal Information Protection Act (PIPA). IoT services also involve applying wireless communication technologies (eg, Bluetooth, near field communication, and network for communications between objects), which means the Telecommunications Business Act (the TBA) may apply in connection to the regulation of communication licences and the Radio Waves Act (the RWA) may apply in connection to the use of radio waves.
Data Protection Regulations
Under PIPA, individual service providers collecting or using personal information of users with IoT devices as intermediaries must obtain prior consent from users and notify them of the purpose for which each item of personal information is collected or used, and the retention period.
There may also be potential security issues due to the incomplete security technologies for IoT. Thus, it would be prudent for IoT service providers to take technical and administrative measures to protect the personal information collected through IoT devices, which may include access/authority control, data encryption and a destruction policy.
Nevertheless, concerns remain that strict data protection regulations may undermine the revitalisation efforts of the industry and interests of users. To address these concerns, there have been discussions to formulate data protection regulations befitting the IoT industry and, accordingly, more regulatory changes may come in the future.
Wireless Communication Regulations
The TBA classifies telecommunications businesses into different categories, which are each subject to approval by (common telecommunications business), registration with (special-category telecommunications business), or report to (value-added telecommunications business) the Minister of Science and ICT, depending on the type of business. Accordingly, an IoT service provider may engage in any one of the business types regulated by the TBA and will need to obtain the appropriate licence. Note that a recent amendment to the TBA will come into effect on 12 June 2019, which would streamline and simplify such regulatory requirements, and IoT service providers in general are likely to benefit from more relaxed regulations.
The RWA allocates usable frequency ranges based on the use of frequency. The frequency ranges currently allocated for IoT and used by IoT service providers are 317.9875-318.1375 MHz, 319.1375-320.9875 MHz, 322-328.6 MHz, 898-900 MHz, 924.05625-924.45625 MHz and 938-940 MHz. Nevertheless, the Ministry of Science and ICT recently announced its 'Third Radio Waves Promotion Plan (2019-2023)', which plans to promote hyper-connected wireless infrastructure that may be used in 5G mobile telecommunications, IoT, etc. It is expected that the supply for IoT frequency is likely to increase further with the growth of the IoT industry.
As a general rule, IT service agreements, like other forms of commercial contracts, are regulated by the Monopoly Regulations and Fair Trade Act (the MRFTA). The Korea Fair Trade Commission (the KFTC), which is the competition authority that enforces the MRFTA, has been actively investigating and imposing administrative fines on foreign IT companies for non-compliance with the MRFTA, and, therefore, it is important to note some of the regulations which could be applied to IT service agreements with a Korean entity. The following is a general summary of notable regulations under the MRFTA:
It is important to note that the terms in the IT service agreements can constitute a violation of the prohibition on abuse of superior bargaining position.
Furthermore, under Korean law, a boilerplate contract prepared in advance to govern the relationship between a company and multiple counterparties is viewed as a 'standardised contract' regulated under the Standardised Contract Regulations Act (the SCRA), which strictly restricts provisions that are unfavourable to customers (eg, provisions that are found unfair and violate the principle of good faith, or unreasonable or unfair to customers). Provisions that violate the SCRA can be deemed null and void by the courts, and the KFTC may issue a corrective recommendation or order to delete or revise such provisions.
Other than the general regulations on contracts, the following regulations could also be taken into consideration in executing IT service agreements:
Domestic regulations for data protection in the private sector can be classified into the following four categories by their functions:
Note that 'personal information' is not only subject to and protected by laws regarding general data protection but also laws specific for the protection of personal information.
The main regulation related to data security is the Act on Promotion of Information and Telecommunications Network Utilisation and Information Protection (the 'Network Act') which is applied to online service providers (OSPs). The Network Act aims to provide an environment in which users can safely utilise information and the telecommunications network. Some of the common legal obligations borne by OSPs under the Network Act are as follows:
In addition, more stringent regulations are applied to sectors where there is heightened importance on data protection (eg, finance or healthcare).
The Network Act governs the collection, use and transfer of personal information of online service users conducted by OSPs. For issues not addressed by the Network Act, the Personal Information Protection Act (the PIPA), which generally governs processing of personal information, will apply.
The term 'personal information' is defined under the Network Act as information pertaining to a living individual that contains information identifying such person such as name, address or similar in the form of an image (including information that does not, by itself, make it possible to identify a specific person, but that enables the identification of such person when easily combined with other information).
Principles Relating to the Protection of Personal Information
Key regulation on personal information under the Network Act can be summarised as disclosure/consent requirements and other mandatory measures. Failure to perform these legal obligations may result in both administrative and criminal penalties.
OSPs that process personal information must notify certain matters to users and obtain express consent prior to the collection, use, delegation and transfer of their personal information. PIPA defines 'process' as “collect, create, link, interlock, record, store, retain, refine, edit, search, print, correct, restore, use, provide, disclose, destroy and other similar act”. Both the Network Act and PIPA have strict rules that require separate consent from or disclosure to the data subject for each of the collection, third-party provision and delegation of personal information processing.
If any transfer is made to an overseas entity, the OSP must disclose, before obtaining the user’s consent, some specific matters including destination country, date/time/method of transmission and the name/contact information of the third party.
Other mandatory measures
With respect to processing of personal information, OSPs are also required to:
Under the Korean Constitution, individuals (including employees) have a general right to privacy. However, such right may be waived by consent of the relevant individual. Therefore, in order to monitor/limit any employee’s use of computer resources, the consent of the relevant employee is required under the Personal Information Protection Act (PIPA) and/or the Act on Promotion of Information and Telecommunications Network Utilisation and Information Protection ('Network Act').
Under the Enforcement Decree of PIPA, consent can be obtained through letter, phone call, website, e-mail or using a method equivalent to any of the methods described above. Korea is an opt-in jurisdiction and, therefore, the employer must obtain explicit consent from the employees. There is no required minimum retention period of the consent; however, evidentiary support of the consent should be kept for the duration of the retention period.
In connection with the monitoring activity itself, the employer needs to notify the employee of such activity. Although neither PIPA nor the Network Act specify what information needs to be provided to the employee, it is generally understood that the employer must notify at least the purpose, persons subject to the monitoring, criteria, specific acts and subject to consent. To the extent personal information is collected in the process of monitoring, the employer must obtain the consent of the employee after notifying the employee of:
If there is any change to the underlying information that is the subject of notification (eg, an additional purpose for the collection and use is added), the employer should notify such change and obtain consent again.
Furthermore, the Act on Promotion of Employee Participation and Co-operation requires any 'installation of monitoring equipment' to be discussed with the joint labour-management committee (although there are no restrictions on the procedures or timing).
Monitoring of any premises, property or resources of the employer is not prohibited or restricted as long as the relevant legal requirements in relation to the privacy of employees are satisfied. Wiretapping (including intercepting e-mails, etc, during transmission) is also prohibited under the Communication Privacy Protection Act unless there is a warrant issued by the court. These restrictions also apply to communications that employees may send through Internet sites. However, it is questionable whether such requirement can be satisfied by obtaining consent from one party to such communication (eg, employee).
Classification of Telecommunication Service
The main law regulating the telecommunications and service industry in Korea is the Telecommunications Business Act (TBA). The TBA defines 'telecommunications service' as a “service to advocate a third party’s communications through telecommunications equipment and facilities or a service that provides telecommunications equipment and facilities for a third party’s communications”, and 'key service' as a telecommunication service that sends or receives electronic signals of voice, data and video, etc, without changing the content and forms. The TBA classifies telecommunications service into the following three categories and applies different regulations for each:
Various telecommunications services are interpreted as constituting value-added telecommunication service due to the broad definition of the term. The Central Radio Management Service, an authority in charge of various telecommunications service provider reports, also takes the position that various services such as PC communications, e-mail, search, game, shopping, Internet portal, online shopping mall, SNS and other exchange of electronic documents, data search, data processing, credit card inquiry, data service for video-on-demand (VOD) and others are all included in the types of value-added services.
Telecommunication service providers providing the three types of services as stated above are respectively called facilities-based service providers (FSPs), specific service providers (SSPs) and value-added service providers (VSPs). A brief summary, based on the details of the method of service and delivery, is as described in the table below.
The TBA prescribes licensing requirements together with general user protection obligations, and any person or entity that intends to engage in a telecommunication business is required to comply with one or more of the following requirements (depending on the type of business):
Changes to Classification and Regulation of Telecommunication Service Providers
The classification system of telecommunication service providers and the relevant licence/permit system are expected to undergo changes following the enforcement of the amendment to the TBA on 25 June 2019, when the classification of SSP will no longer exist and the requirements for FSPs will be relaxed. Furthermore, the ceiling on foreign shareholding applied to FSPs and the restrictions applied to M&A activities by FSPs will be relaxed and amended so that only FSPs above a certain standard will be subject to such restrictions (but specific details will be determined by the Enforcement Decree to be enacted in the future).
In consideration of the public interest of broadcasting, the Broadcasting Act of Korea (the 'Broadcasting Act') categorises the broadcasting business into the following four categories and applies different regulation and licences for each:
To engage in the foregoing businesses, a service provider is required to obtain applicable licences from the Minister of Science and ICT or the Korea Communications Commission (the KCC), as well as comply with various regulations under the Broadcasting Act on merger, spin-off, change in largest shareholder and separate shareholding ceiling on the major shareholders. The Broadcasting Act also prohibits certain acts that may harm and undermine fair competition between service providers or the interests of viewers, and any violation may lead to, among others, corrective orders and administrative fines. In particular, advertising is strictly regulated given the impact of broadcasting as opposed to other types of media (eg, the Broadcasting Act categorises the types of advertisement and regulates the scope, time, frequency or method thereof).
In general, the Broadcasting Act has a complex regulatory system involving different ministries and approval requirements for each relevant service provider. As such, service providers should pay close attention to the applicable regulations when commencing broadcasting business in Korea or acquiring Korean broadcasting service providers.
Unlike broadcasting where the service types are categorised, the Broadcasting Act does not provide a specific definition for over-the-top (OTT) services (ie, broadcasting services over the open Internet that commence based on online value-added telecommunications services, such as YouTube channels and Netflix). Therefore, the regulations under the Broadcasting Act are not applicable to OTT services.
However, an amendment to the Broadcasting Act was proposed in August 2018, which provides a definition of OTT service providers and classifies them as 'value-added paid broadcasting service providers', granting them broadcasting service provider status. Under the proposed amendment, value-added paid broadcasting service providers must obtain approval from the Minister of Science and ICT, and shall be subject to certain reporting obligations, the deliberation regulation of the Korea Communications Standards Commission, the evaluation of competition status of the communications market and other prohibitions applicable to broadcasting service providers under the Broadcasting Act.
In addition to the above proposal, another amendment to the Internet Multimedia Broadcast Services Act has been proposed, which defines and classifies OTT service providers as 'Internet multimedia broadcast content providers' and imposes certain registration and reporting duties.
At the moment, given the two proposed amendments, it is difficult to predict how OTT will be regulated or the extent of regulation (eg, whether the regulation will be limited to live streaming services or include VOD services). It is likely such legislation was proposed as an effort to close the regulatory gap and impose a certain level of regulation on domestic service providers or user interest providers. As such, regulations on OTT services are expected to be strengthened further in the future.
Article 28(1) of the Act on Promotion of Information and Telecommunications Network Utilisation and Information Protection (the 'Network Act') provides that a telecommunications service provider and the entity that is provided with personal information from a telecommunications service provider must take technical and administrative protective measures (eg, encryption of data) to safely store and transfer personal information.
The Korea Communications Commission (KCC) issued a specified guideline on the use of encryption technology in the Guidelines for Technical and Administrative Measures for the Protection of Personal Information (the 'Guideline'), which sets out the standard for encryption of personal information. The specific obligations set forth therein include the following:
The KCC’s Manual on the Guideline published in December 2017 (the 'Manual') further stipulates the encryption standard stated in the Network Act and the Presidential Decree thereof as follows:
Given the rapid pace at which encryption and technology in general are developing, it is possible that the Korean regulations will evolve as well, so it would be advisable for companies to seek updated guidance going forward.