In 2018, South Korea’s digital policy landscape came under scrutiny. Policies like the Network Act and the VAT Act were revamped to better accommodate national and global technological trends. Several of these changes come into effect in 2019 while new regulations like the Guidelines for Network Utilisation are also expected to be released.
These changes have not been limited to any single aspect of South Korea’s digital economy. In the past year, the South Korean government has made several steps towards greater data protection, bandwidth in the use of pseudonymous personal data, compliance requirements for large foreign digital service providers and government oversight on illegal online content.
As the South Korean government continues to reshape its digital policy landscape, it is imperative that a right balance is struck, for instance between encouraging greater data usage and ensuring adequate data protection. In an attempt to hold larger foreign digital companies accountable, the South Korean government should also be careful not to enact overly protectionist policies that could reduce the competitiveness of its domestic market.
Act on the Promotion of Information and Communications Network Utilisation and Information Protection (Network Act)
The most prominent change was made to the sector-specific Network Act. Coming into force in 2019, the amendments focus largely on the country’s data protection standards, which the government has been keen to raise. South Korea has been engaging with the European Union (EU) to figure out if it has adequate data privacy provisions to meet the General Data Protection Regulation. Below are some key changes:
Local Representation
Foreign offshore information and communication service providers (ICSPs) meeting requirements outlined in Article 32-5 must appoint a local representative responsible for domestic data privacy compliance. Offshore service providers should not take this requirement lightly as failure to appoint local representation would result in a fine of KRW20m (USD17,700), with no threshold on the number of violations.
Cross-Border Data Transfer
In addition to the transfer of domestic information overseas, prior consent must be sought, and protective measure duly taken, for onward transfers of domestic information to a second foreign location. In light of possible multiple penalties, KRW10m (USD8,800) per violation, up to KRW30m (USD26,500), companies should be vigilant in verifying that consent is sought for onward transfers of domestic data and that the process is adequately protected.
Chief Information Security Officer (Effective as of 13 June 2019)
Stricter requirements have been set for the Chief Information Security Officer (CISO) role in larger service-providing companies.
– All ICSPs, excluding SMEs with less than KRW500bn (USD441m) in total assets and providers with less than KRW100m (USD88,300) in capital, have to designate a CISO who reports to the Ministry of Science and ICT.
– For ICSPs with KRW5tn (USD4.42bn) or more assets, an information security system that analyses and evaluates vulnerabilities must be established, and the CISO should avoid holding other positions in order to be dedicated to information security. CISOs should also have relevant knowledge and practical experience in information security or IT – at least five years of work experience, of which a minimum of four years in the field of information security.
Liability Insurance (Effective as of 13 June 2019)
Larger ICSPs must be supported by liability insurance or an accumulated reserve, of minimum KRW500m (USD441,000) and maximum KRW1bn (USD883,000), depending on number of users and quantity of sales. This revision strengthens service providers’ liability to compensate users in the event of financial losses.
However, while failure to implement such protection measures would be met with a fine of KRW20m (USD17,700), this one-time and relatively low-cost penalty could prove weak in eliciting compliance, especially for larger service providers.
Personal Information Protection Act
Amendments have been proposed to the all-encompassing Personal Information Protection Act. Legislators have been pushing for greater bandwidth in the use of pseudonymous personal data, including: i) the release of such data to third parties without prior consent of data subjects, and ii) the use of such data for purposes other than originally intended.
A draft was submitted to the National Assembly in February 2019, but no further update has been published. The amendment is likely to be passed, as it aligns with Article 6(4)(e) of the GDPR, placing South Korea in a better position to receive the adequacy decision from the EU, and be allowed easier access to EU citizens’ data.
VAT Act
In December 2018, an amendment to the 2015 VAT Act was passed, requiring all digital platforms providing B2C services in South Korea to be levied with a 10% tax from July 2019. This expands the scope of the VAT Act which previously required foreign ICT firms to pay VAT on a limited number of B2C services. Domestic providers have claimed that their larger tax burden created an uneven playing field against them, hindering their ability to compete against foreign players.
Foreign digital service providers like Google, Facebook, YouTube and Netflix would now be subject to more similar tax standards as domestic providers. While the expansion of the VAT Act is a good starting point to address the discrimination, B2B services have still been left out of the Act. B2B sales is the primary profit-generating business for foreign service providers. Foreign service providers may no longer get away with paying minimal taxes in comparison to their large revenues, but it remains to be seen if this first step is sufficient to dampen the discrimination discourse,
Guidelines for Network Utilisation
Net neutrality was highly contested in 2018. Despite President Moon Jae-in being a supporter, the South Korean government played with the idea of repealing net neutrality. The government has since retained its policy of net neutrality, but indicated that it will continue to review the situation. The government’s willingness to change its stance still remains.
In an attempt to reverse the discrimination against domestic companies, the government has also proposed to release Guidelines for Network Utilisation by June 2019. Meant to create a fairer playing field for both domestic and foreign digital service providers, the guidelines could appease domestic ISCPs but it has yet to be released.
Server Name Information Surveillance
The Korea Communications Commission announced that it will restrict the spread of illegal information on overseas HTTPS websites through the Server Name Information (SNI) field. While blacklisted sites have thus far been limited to those offering illegal gambling services, child pornography and North Korean propaganda, the SNI method of surveillance is controversial as it effectively allows the government and service providers to eavesdrop and identify websites frequented by all users.
Access to information of such depth and scope is highly susceptible to abuse and could be tantamount to a national violation of users’ privacy. Significant criticism has been raised by the public and industry stakeholders, but the government appears bent on maintaining its stance.
Photo by Steven Roe
