
Amendment to Privacy-Related Provisions of the Enforcement Decree of the Network Act

2019.03.13

Scope of foreign businesses required to appoint a local privacy representative (enforcement date: March 19, 2019) 
 

  • Foreign businesses required to appoint a local privacy representative are: (i) foreign businesses whose total sales revenue in the preceding year was KRW 1 trillion or more; (ii) foreign businesses whose sales revenue associated with information and telecommunications services in the preceding year was KRW 10 billion or more; (iii) foreign businesses who store or manage personal information of 1 million or more users on a daily average basis; or (iv) foreign businesses who were requested to submit materials for alleged legal violations.  The Proposed Amendment imposes a fixed administrative fine of KRW 20 million on those who fail to appoint a local privacy representative. 

  • For your information, we understand that the competent authority is internally discussing whether the "sales revenue" in (i) and (ii) above should be global sales revenue or domestic sales revenue.  Also, while it is not explicitly stated, it would be reasonable to interpret the number of daily average users in (iii) to mean the number of domestic users. 


Exceptions to the CISO appointment requirement and the scope of application of the prohibition on concurrent office holding (enforcement date: June 13, 2019) 
 

  • The Proposed Amendment exempts small businesses from having to appoint an executive level CISO and to report the appointment to the Ministry of Science and ICT.  However, among small businesses, those required to obtain certification of information security management system ("ISMS") and online service providers ("OSPs") will be required to appoint a CISO and file the report. 

  • Among the OSPs, those with total assets of KRW 5 trillion or more and those required to obtain ISMS certification and with total assets of KRW 500 billion or more will not be allowed to have their CISOs hold concurrent offices.  However, this prohibition on concurrent office holding will only apply to the CISOs appointed and reported after the enforcement date of the Proposed Amendment. 


Qualifications for CISOs (enforcement date: June 13, 2019) 
 

  • According to the Proposed Amendment, a CISO must have sufficient expert knowledge or work experience in information protection or information technology necessary to perform the duty. 

  • However, a CISO of an OSP subject to the prohibition on concurrent office holding will be required to satisfy the following additional requirements: 

    (i) The CISO must be a full-time employee who is not an officer or employee of another company; and 
    (ii) The CISO must have at least four years of experience in information protection or at least five years of experience in information technology (including two years of experience in information protection). 

  • The above qualifications for CISOs will apply to the CISOs appointed and reported after the enforcement date of the Proposed Amendment. 


Scope and standards for liability insurance and reserves (enforcement date: June 13, 2019) 
 

  • The Proposed Amendment specifies "OSPs who have stored or managed personal information of 1,000 or more daily average users during the last three months as of the end of the preceding year" as the OSPs who are required to subscribe to liability insurance or set aside a reserve fund as protection against liability that may arise for violation of personal information protection requirements under the Network Act.  It is our understanding that the number of daily average users refers to the number of domestic users only. 

  • Also, according to the Proposed Amendment, the minimum insurance subscription amount (or the minimum reserve amount) will depend on the number of users whose information is stored and managed by the OSP and the OSP's sales revenue.  According to the Proposed Amendment, the amount will range from the minimum of KRW 50 million to the maximum of KRW 1 billion. 

  • Under the Proposed Amendment, failure to subscribe to liability insurance or set aside reserves will be subject to a fixed administrative fine of KRW 20 million regardless of the number of violations. 


Method to verify consent from the legal guardian of a child (enforcement date: June 25, 2019) 
 

  • Under the Proposed Amendment, starting from June 25, 2019, OSPs will be required to verify whether the legal guardian has given his/her consent when collecting, using, and/or providing personal information of a child under the age of 14. 

  • The Proposed Amendment lists the following methods for such verification: 

    (i) Showing a checkbox for the legal guardian's consent on the consent screen and verifying consent via text messages or using credit card information; 
    (ii) Delivering a written consent form to the legal guardian via hand delivery, mail, or fax for the legal guardian to affix his/her signature or seal and return the form; 
    (iii) Sending an email with the consent form to the legal guardian to expressly give his/her consent by return email; 
    (iv) Informing the legal guardian of the content of the consent form or the website address where the legal guardian can check the consent form over the phone and obtaining express consent over the phone; or 
    (v) Informing the legal guardian of the content of the consent form and obtaining his/her consent by means similar to the above. 
