Data privacy statute amended to tighten data security oversight and indemnity-related requirements

Changes will, from May 2019, require online service providers, meeting certain thresholds, to employ qualified person in exclusive role of chief information security officer, and to maintain insurance or similar allowance against data breach or mishandling.

Other provisions signal heightened scrutiny of mobile applications, and will facilitate certain kinds of customer requests to verify billings.

Korea has passed amendments to the Act on Promotion of Information and Communications Network Utilization and Information Protection (IT Network Act) that, among other things, will require online businesses and other “IT service providers”, meeting certain criteria of scale (to be later designated), to maintain a suitably qualified chief information security officer (CISO), serving in that capacity alone, (whereas current law, while already requiring a CISO, permits the person to hold other posts as well and does not specify eligibility standards). The amendments will also require such IT service providers to maintain a level of insurance or reserve (or contribution in a cooperative) for potential liability in case of a violation of data protection rules. Other requirements clarify government authority to investigate mobile data collection, and add to online customer rights to verify billing.

Effective dates: Among the amendments, passed on May 28, 2018, the new rules relating to the CISO position and liability cover will take effect in 12 months, i.e. in May 2019, but in other respects the amended statute will take effect in 6 months, November 2018. Parts of the rules remain to be determined, and will be promulgated at some point before those effective dates, under supplemental decree(s) and regulations.

General scope of application: The new rules will affect, subject to thresholds of scale, online businesses in Korea, and may affect some scale of offshore companies as well. The statute applies in general to “IT service providers”, a broad concept that can include virtually any online business with customers in Korea, and is not necessarily confined to enterprises having a local physical presence. The statute can apply to foreign IT service providers doing business here, and, among them, those with a large customer base in Korea are particularly susceptible to scrutiny by the regulator, the Korea Communications Commission (KCC).

The CISO-related restrictions, and the new requirement of liability cover, will apply, not across the board, but only to IT service providers of a minimum scale. The CISO restrictions, in particular, might well be set at a threshold lower than (and so apply also to businesses smaller than) for example the existing “Information Security Management System” certification requirement under the IT Network Act (which applies to any company with (i) IT service-related annual revenue exceeding KRW 10 billion (about USD 9.3 million), or (ii) more than 1 million daily users). Specific criteria must await further announcements, however.

Restrictions on CISO position: The CISO position, newly required from May 2019 to be the person’s exclusive post, will also be subject to professional or technical eligibility standards. (Currently there are no standards of that kind.) The new standards are yet to promulgated, but seem likely to include some years of data protection or IT industry experience. As to exclusivity of the role, it is clear that a CISO must not at the same time, serve as, say, a non-IT administrator at the company (let alone any position with an affiliate or other company), but it is uncertain whether the CISO might simultaneously fill the role of another data privacy officer required under the IT Networks Act, namely the Chief Privacy Officer (CPO), charged with general IT administration. A conservative reading would, initially, suggest that one individual should not fill both such positions. (In contrast to the CISO, a CPO remains permitted to hold other positions, under the amended statute.)

Liability cover requirement: Affected IT service providers will have to purchase insurance, or participate in (i.e. contribute to) a cooperative association, or maintain a reserve, to better ensure payout of damages in case of a violation of data protection rules. The required levels of cover and related standards are not specified in the amendment itself, and will follow later.

KCC investigative authority clarified: The amended IT Network Act, with effect from November 2018, expressly authorizes the KCC to investigate compliance by IT service providers in obtaining users’ consents to access and gather access stored on mobile devices. This amendment does not necessarily constitute an expansion of underlying KCC authority, but is seen as a signal of the regulator’s intent to continue heightened scrutiny of this area, already exemplified in its March 2018 investigation of call, text and other personal data harvesting.

Customer right to demand reconfirmation of their identifying data from sellers: From November 2018 an individual buyer of goods or services will be entitled to demand a reconfirmation of his/her name and birthdate from any IT service provider (such as an online service or seller) that seeks to bill the buyer through a Korean “telecom billing service”. The idea behind this somewhat oblique rule is that, for example, a customer will be able to swiftly double-check a credit card settlement message with any online business that uses a Korean online payment gateway.