On September 18, 2018, Article 32-5 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (the “Network Act”) was enacted to require certain overseas Internet service providers to appoint respective domestic agents responsible for personal information protection. Following this introduction, the Enforcement Decree to the Network Act (the “Enforcement Decree”) was enacted on March 19, 2019, setting the standards used to determine and identify which service providers are subject to the domestic agent requirement under the Network Act.
Details:
Overseas Value-Added Service Providers: Under the Enforcement Decree, telecommunications service providers and similar service providers, who do not have a domestic address or a place of business in Korea and satisfy one of the following standards listed below, are required to designate a domestic agent in writing. Accordingly, many overseas value-added service providers (such as one of the following) are likely subject to the aforementioned obligation.
- Persons/entities whose total revenue for the previous year was KRW 1 trillion or more;
- Persons/entities whose revenue for the previous year from the information and communications service sector was KRW 10 billion or more;
- Persons/entities who had one million or more average daily users whose personal information was under the custody/management of the persons/entities for the most recent three-month period, as of the end of the previous year; and
- Persons/entities who: (i) have committed, or have the risk of committing, personal information intrusion; and (ii) were requested by the Korea Communications Commission (“KCC”) to submit information pursuant to Article 64, Paragraph (1) of the Network Act.
Domestic Agents: They will be responsible for duties provided under the Network Act including, but not limited to: (i) duties of a person responsible for management of personal information; (ii) duty to inform, notify and explain to users of any loss, theft, leakage, forgery, or alteration of personal information; and (iii) duty to submit relevant items or documents pursuant to request from the Minister of the Ministry of Science and ICT (“MSIT”) or the KCC, on behalf of the entity it represents. In case a domestic agent fails to perform the above-mentioned obligations, the telecommunication service provider that has designated such an agent will be deemed to have violated the relevant regulations.
Meanwhile, in designating a domestic agent, an entity must include the name, address, phone number, and e-mail address of such an agent into its privacy policy. In designating a corporation as a domestic agent, the corporation’s name and its representative’s name must be included, and the location must be the address of the corporation’s business office.
A service provider that fails to designate a domestic agent, despite being obligated to do so, will be subject to an administrative fine of an amount not exceeding KRW 20 million.
Significance:
The operation and regulation of the domestic agent designation policy should be closely monitored, because while the KCC will initially provide a certain grace period to encourage business entities’ voluntary participation, it may later strictly enforce violations for not abiding by the new regulation.
Related Topics