On December 9, 2021, the proposed amendment to the Act on Development of Cloud Computing and Protection of Its Users (the “Cloud Computing Act”) passed at the plenary session of the National Assembly (the “Proposed Amendment”).  The Proposed Amendment seeks to promote the use of cloud computing services by the national and local governments in addition to public sector customers. Now that the Proposed Amendment passed the final stage of legislative process at the National Assembly, we expect that it will be promulgated in the near future. 

The Proposed Amendment is in line with the “Third Master Plan for Cloud Computing” which was announced by the ICT Strategy Committee, that is presided by the Ministry of Science and ICT (the “MSIT”), last September, which was also designed to promote the use of commercial cloud services in the public sector, including the initiative to convert all information systems of the national and local governments and public institutions into cloud services by 2025. 

Please find below the key points of the Proposed Amendment:
 

1.   The national and local governments and public institutions are required to formulate action items to facilitate their use of cloud computing services (Article 3 (1) and Article 20 (1) of the Proposed Amendment)

While the current Cloud Computing Act generally requires public institutions to promote the development and use of cloud computing services in Korea, the Proposed Amendment imposes on the national and local governments and public institutions an affirmative duty to prepare action items to facilitate the use of cloud computing services within the national and local governments in particular. 
 

2.   The public sector customers are required to consider the use of cloud services that have been certified by the Cloud Security Assurance Program (“CSAP”) with priority (Article 20 (2) of the Proposed Amendment)

In general, obtaining the CSAP certification is not mandatory for commercial cloud service providers.  The Proposed Amendment, however, does encourage the national and local governments and public institutions to consider with priority the CSAP-certified cloud computing services when selecting cloud computing services.
 

3.   The MSIT can designate certain digital services that facilitate public sector customers’ use of commercial cloud services and also establish a central support system to manage such digital services (Article 20 (3) of the Proposed Amendment)

The Proposed Amendment allows the MSIT to designate services that facilitate the use of the cloud services by public sector customers, which include cloud computing services, services that supports cloud computing services, and services that combine cloud services and other technologies such as artificial intelligence (collectively, “Digital Services” as defined in the Proposed Amendment).  The MSIT may also establish and operate a support system so that the Digital Services are registered and managed through the support system.
 

4.   The Proposed Amendment introduces a legal basis for the MSIT to provide the CSAP certification for eligible cloud computing services (Articles 23-2, 23-3, and 23-4 of the Proposed Amendment)

Under the current Cloud Computing Act, the MSIT may publicly notify a set of standards for information security applicable to cloud computing services and may encourage cloud service providers to comply with such standards.  While the CSAP certification has been already available under the current regulatory regime, the Proposed Amendment introduced a statutory basis for the operation and procedures of the CSAP certification including the MSIT’s authority to grant the CSAP certification.
 

Please note that further details on the designation of the Digital Services, operation of the support system for the Digital Services, and the CSAP certification process will be prescribed by the Enforcement Decree, which is subordinate to the Cloud Computing Act.