INSIGHTS

Newsletters
FSC Announced Plans to Improve Cloud Computing Regulations and Network Separation Requirements On April 14, 2022, the Financial Services Commission (the ″FSC″) issued a press release announcing plans to improve cloud computing and network separation regulations (the ″Plan″), which have been an obstacle to financial institutions and electronic financial business operators (collectively ″financial service providers″) in their efforts to develop and use new digital technologies. The Plan will significantly relax the relevant regulations that have been criticized as impediments to innovations in the financial sector. The details of the Plan, and their implications to financial service providers and cloud service providers (″CSPs″), are as follows: Changes to Cloud Regulations 1. Clarification of standards for assessing significance of cloud computing service use Under the current regulations, cloud systems used by financial service providers are considered to be ″significant systems″ when they either (i) process personal credit information or unique identification information or (ii) perform tasks that significantly impact the security and reliability of electronic financial transactions (systems that do not handle the above tasks are considered “non-significant systems”). When financial institutions utilize cloud as a significant system, it would be subject to stricter obligations, including the need to file cloud use reports to the Financial Supervisory Service (the ″FSS″). However, as there are no clear standards for assessing whether a particular system ″significantly impacts the security and reliability of digital financial transactions″, a financial service provider is at risk of sanction for using cloud computing services that it deemed a non-significant system when it should have been classified as a significant system. The FSC has stated that the Plan will provide a more detailed set of standards for assessing the significance of systems and clarify the processes that financial service providers need to take to use cloud systems. This change is expected to reduce the risk of financial service providers being sanctioned for failing to file the cloud use report for significant systems, as well as reduce instances of unnecessary cloud use reports being filed for non-significant systems. 2. Differentiation of processes for using cloud services based on significance Under the current regulations, the process and requisite documentation for using cloud services as a non-significant system are identical to those for using cloud services as a significant system, except for the cloud use report filing (Electronic Financial Transactions Supervisory Regulations, Articles 14-2(1), (2), (5)). Different procedural requirements are expected for the use of cloud computing in a clearer manner under the Plan. For example, separate standards for non-significant systems in terms of business continuity plan and security measures are expected. 3. Ex post facto reporting in lieu of prior reporting and simplified documentation requirements for use of cloud services Under the current regulations, if financial service providers use cloud services for significant systems, they must report to the FSS seven business days prior to such use. However, in practice, as it is difficult to submit such reports on time, financial service providers faced frequent delays in using cloud services. The reporting requirement will be changed to submitting an ex post facto report within three months of the commencement date of the cloud services, which will enable financial service providers to start using cloud services in a more timely manner. The supporting documents required to be attached to the cloud use report will also be simplified to eliminate similar and redundant requirements under the current regulations, which will reduce the administrative burden on financial service providers. 4. Simplification of CSP assessment criteria The CSP soundness and stability assessment (″CSP Assessment″), which has been the heaviest burden on financial service providers among the steps necessary for using cloud services, will be simplified from 141 fields to 54 (16 essential fields and 38 alternative fields)1. Accordingly, this will significantly lessen the burden on financial service providers in undertaking the CSP Assessment. 5. Establishment of a different set of assessment criteria for SaaS The current CSP Assessment criteria are designed for Infrastructure-as-a-Service (″IaaS″) which utilize servers and storage devices. Accordingly, such criteria have been criticized as being unsuitable for assessing Software-as-a-Service (″SaaS″). The FSC stated that it would prepare a separate set of assessment criteria for SaaS similar to the Cloud Security Assurance Program (″CSAP″), which will allow for more appropriate assessments of cloud services. 6. Introduction of a representative assessment system Under current regulations, CSPs must be assessed by each financial institution that uses their services. To reduce the redundancy in the evaluation process, the joint assessment system was adopted in June 2021, in which financial institutions intending to use cloud services of the same CSP can elect a representative company to undertake the CSP Assessment (with the support of the Financial Security Agency) that would apply to all other financial institutions intending to use their cloud services. The Plan will introduce the representative assessment system, in which the Financial Security Agency assesses CSPs and financial institutions are able to utilize the assessment results. This will greatly reduce the burden on financial institutions regarding assessing CSPs. Changes to Network Separation Requirements 1. Exemptions from network separation regulations for development and testing While a connection to the Internet is a prerequisite to using new technologies and open-source resources, the current network separation regulations restrict such connection and has hindered financial institutions from developing innovative services. The FSC intends to amend the Regulations on Supervision of Electronic Financial Transactions (″RSEF″) to relax regulations on physical network separation for development and testing servers, which do not store personal credit information and handle relatively less important digital financial transactions. This change aims to allow financial institutions to use new technologies and open-source resources more effectively. However, new security obligations such as prohibition on using customers′ personal credit information or transaction information on development and testing servers, and implementation of internal standards on access and use of open-source resources, will be established. 2. Exemptions from network separation regulations for non-financial functions and SaaS Network separation regulations also apply when financial institutions use SaaS for back-office functions such as human resource management. Because SaaS are often web-based, they could only be used for types of work exempt from the network separation requirement. According to the Plan, the FSC intends to establish a regulatory sandbox to exempt network separation regulations for non-financial functions and SaaS. However, continued monitoring of relevant developments is necessary as the types of SaaS and methods of accessing SaaS that are permitted are subject to change depending on how the regulatory sandbox system is implemented. 3. Deregulation of network separation regulations in phases The FSC has stated that it will pursue a phased approach to deregulation of network separation regulations over a mid- to long-term period, such as reducing the scope of work subject to the network separation requirement and allowing financial institutions to choose between physical or logical network separation for different types of work, albeit along with measures to safeguard against security risks such as securing accountability from financial institutions and strengthening the security oversight of the Financial Security Agency. Financial institutions will likely be able to choose the application of network separation regulations depending on their circumstances and the importance of the work, which will enable them to operate more effective internal control systems. We recommend to closely monitor how the relevant laws and regulations are amended to determine further details. Future Plans To ensure the improvements announced in the Plan are smoothly rolled out as policy, the FSC will publish a draft of the amended Enforcement Decree of the Electronic Financial Transaction Act (the ″EFTA″) and the RSEF that incorporate the changes sometime in April 2022, and revise the ″Guidelines for Using Cloud Computing Services in the Financial Industry″ issued by the Financial Security Agency in January 2019 by the end of 2022 to provide the finance sector with detailed procedures and standards that can serve as practical references. Implications The Plan is meaningful in that it lays the grounds for relaxing cloud and network separation regulations that have obstructed the adoption and utilization of new digital technologies in the finance industry. The contemplated improvements are expected to facilitate the use of new technologies in the development and testing fields, and make it easier for financial institutions to use cloud services. Since the FSC has stated that it will implement the policy changes in stages, it will be necessary to closely monitor the amendment of the Enforcement Decree of the EFTA and the RSEF, as well as other relevant laws and regulations. Meanwhile, deregulation of network separation rules for non-financial work and SaaS will be achieved not through legislative amendment but through a regulatory sandbox, which makes it necessary to monitor the development and implementation of the sandbox. 1 If the CSP has obtained domestic or foreign security certification (e.g., CSAP), fields that were included in the certification process may be omitted. Even under current regulations, CSPs that have obtained and maintained domestic or foreign security certification do not have to be evaluated on the basic protection measure fields (109 in total) if they were part of the certification process. [Korean version]
2022.04.25

Newsletters VIEW MORE
Newsletters
Labor Relations Commission’s Remedial Procedures for Gender Discrimination in Employment and Sexual Harassment in the Workplace The amendment of the Equal Employment Opportunity and Work-Family Balance Assistance Act ("Equal Employment Act") introduced the Labor Relations Commission's remedial procedures for gender discrimination in employment and sexual harassment in the workplace. Under the current Equal Employment Act, there is a provision that penalizes an employer's failure to perform its obligation to take measures in the event of sexual discrimination in employment or sexual harassment in the workplace. However, since there is no procedure in the Act that allows an employee to apply to the Labor Relations Commission for a correction order or other remedy, it has been noted that it is difficult for employees to obtain sufficient relief or remedies after suffering from sexual discrimination and sexual harassment. Considering the foregoing, the newly amended Equal Employment Act sets forth a procedure that allows a victimized employee to directly seek correction of gender discrimination in employment and sexual harassment in the workplace ("discriminatory treatment, etc.") from the Labor Relations Commission as follows: The employee may file a correction request with the Labor Relations Commission within six months from the date the discriminatory treatment, etc. occurred (if there is a pattern of discriminatory treatment, etc., then six months from the date such treatment stops). Upon receiving this correction request from an employee, the Labor Relations Commission must conduct the necessary investigation and interrogation of the relevant parties without delay. In the course of the Labor Relations Commission’s investigation, mediation procedures may be commenced upon the request of one or both parties, or ex officio. Furthermore, the parties may also agree to have the Labor Relations Commission arbitrate the matter. If discriminatory treatment, etc. is recognized as a result of the investigation by the Labor Relations Commission, the Labor Relations Commission may impose corrective measures on the employer such as ordering (i) the suspension of discriminatory treatment, etc., (ii) the improvement of working conditions, such as wages, (including an order to improve systems, such as the rules of employment. In particular, an order to pay compensation must be determined based on the amount of damages suffered by the employee, in principle; provided, however, that if the employer is found to have acted intentionally in carrying out its discriminatory treatment, etc. or if discriminatory treatment, etc. is repeated, a compensation order of up to three times the amount of actual damages may be issued. In resolving disputes related to discriminatory treatment, etc., the focus is on the following matters: (i) the burden of proof lies with the employer; and (ii) if a corrective order is finalized, the Ministry of Employment and Labor may investigate whether there has been discriminatory treatment against other employees who are not subject to the corrective order and, if such discriminatory treatment is found, it will issue a request for correction. Considering the foregoing, it is highly likely that requests for correction of discriminatory treatment, etc. from the Labor Relations Commission will increase after May 19, 2022, the effective date of the amended Equal Employment Act. We recommend that each business place review their work processes before this effective date to prevent discriminatory treatment, etc. and familiarize themselves with the amendments to the Equal Employment Act so they may take appropriate measures in the event of any future disputes. [Korean version]
2022.04.25

Newsletters VIEW MORE
Newsletters
Amended Location Information Protection Act Enters into Force On April 20, 2022, the amended Location Information Protection Act (“LIPA”) and the amended LIPA Enforcement Decree entered into force. The amendment introduces a number of new rules for business operators, as well as changes to existing rules. Below are the key takeaways. 1. Shift from license system to registration system for personal location information business Previously, operating a location information business involving personal location information required a license from the Korea Communications Commission (“KCC”). Under the amended LIPA, such businesses only need to register with KCC upon satisfying certain requirements (Article 5 LIPA). 2. Matters subject to registration/report of change Prior to the amendment, changes in the location information system did not require a new license or filing a change report if the change did not lower the level of protection of personal location information. Under the amended LIPA, any changes made to details of the location information system included in the KCC registration of a personal location information business provider or KCC report of a location-based service business provider or object location information business provider, must be registered or reported if there is a change in major facilities (e.g., servers) (Articles 4, 5-2 and 9 Enforcement Decree). 3. Consent to the purpose and period of retention of personal location information If a location information business provider intends to collect personal location information or a location-based service business provider intends to use or provide personal location information to a third party, they are required to include specific terms in their terms and conditions and obtain consent from individuals. The amended LIPA adds the "purpose and retention period of personal location information" to these mandatory terms (Articles 18(1) and 19(1) LIPA). 4. Establishment and disclosure of personal location information policy The amended LIPA adds a new requirement to establish and disclose a personal location information policy to ensure that individuals can learn about the processing of their personal location information at any time. If personal location information business providers and location-based service business providers have a privacy policy under the Personal Information Protection Act, this policy must include: (i) purposes of processing personal location information and period of retention; (ii) grounds for and period of retention of materials confirming the collection, use and provision of personal location information; (iii) procedures and methods of destruction of personal location information; (iv) provision of personal location information to third parties; (v) if personal location information is provided to a third party designated by the individual, matters concerning immediate notification to the individual of the recipient, the date and time of provision, the purpose of provision, etc.; (vi) the rights and obligations of the legal guardian of a child under the age of eight, etc. and the method of exercising such rights; (vii) name and contact information of the person or department in charge of managing location information, and handling complaints (Article 21-2 LIPA and Article 25-2 Enforcement Decree). 5. Destruction of personal location information Before the amendment, the LIPA only provided that, in principle, personal location information must be immediately destroyed when the purpose of collection, use or provision of personal location information is achieved, but did not specify the method or procedure of destruction. Under the amended LIPA and the Enforcement Decree, personal location information may be retained if required by law or if the individual separately consents to the retention of his/her personal location information (Article 23(1) LIPA and Article 26-2(2) Enforcement Decree). Further, when destroying personal location information, necessary measures, such as measures to prevent restoration or recovery of personal location information, must be taken (Article 23(2) LIPA and Article 26-2(1) Enforcement Decree). The amended LIPA introduces criminal penalties for failure to properly destruct personal location information and grants KCC the power to inspect compliance (Articles 23(3) and 40-2 LIPA). 6. Inspection of personal location information business Under the amended LIPA, the KCC will inspect personal location information businesses on a regular basis, and at least once a year (former part of Article 36(3) LIPA). The inspection includes, among other things, the trade name of a personal location information business provider, changes in the location of the principal office or the location information system, the terms and conditions of use, the personal location information policy and the disclosure thereof, the organizational and technical measures taken for location information, and the retention and destruction of personal location information and data confirming the collection, use and provision thereof (Article 35(1) Enforcement Decree). For such inspection, the KCC may request the relevant personal location information business provider to submit necessary materials, such as relevant goods and documents (latter part of Article 36(3) LIPA), and the inspection will be conducted by means of a written investigation, on-site inspection, etc., but electronic methods, such as information and communications networks or e-mails, may be used (Article 35 (2) Enforcement Decree). 7. Imposition of administrative fine for violations of the LIPA Prior to amendment, the KCC could only issue administrative fines as a substitute for business suspension orders. The amended LIPA now allows the KCC to impose administrative fines of up to 3% of the relevant sales revenue (or up to KRW 400 million if there is no sales revenue or if it is difficult to calculate the sales revenue) on business operators who commit certain violations, such as collecting, using, or providing personal location information without the consent of the individual, or using or providing personal location information to third parties beyond the scope specified in the terms and conditions (Article 14 LIPA). [Korean version]
2022.04.22

Newsletters VIEW MORE
Newsletters
MOEL’s 2022 Occupational Safety Supervision Plan Following the Enforcement of the SAPA Following the enforcement of the Serious Accidents Punishment Act (the “SAPA”), the Ministry of Employment and Labor (the “MOEL”) has set the regulatory target as settlement of the SAPA and substantial reduction of industrial fatalities. In this regard, the MOEL recently announced the 2022 Comprehensive Plan on Supervision of Occupational Safety and Health (the “Plan”), which revised the previous supervision subjects and methods specifically to facilitate businesses’ fulfillment of their obligation to secure safety and health under the SAPA. The key details of the Plan are as follows: Special management of high-risk workplaces The MOEL will specially manage high-risk workplaces for serious accidents. ① High-risk workplaces will be selected from those businesses with 50 or more employees or construction businesses with construction cost of KRW 5 billion or more (i.e., those businesses subject to the SAPA this year). In doing this, the MOEL will comprehensively consider multiple risk factors such as industrial accident status and possession of dangerous machinery for the past five years. ② The selected workplaces will be subject to regular preventive actions through close cooperation among the Regional Labor Office, the Occupational Safety and Health Agency, and private accident prevention agencies. ③ Workplaces with poor safety management will be subject to strict supervision under the principle of “zero” tolerance. Focused supervision on key risk factors of deaths The MOEL will focus on the reduction of fatalities through preemptive supervision over key risk factors. To this end, the MOEL will conduct on-site inspection and various supervisions. ① On the on-site inspection, the MOEL will intensively inspect the compliance status of the top three safety measures (falling accidents, jams, and wearing of protective gears) and provide necessary supervision at the same time. ② Based on the result of the inspection, the MOEL will conduct joint inspection or supervision in connection with local governments and private accident prevention agencies. ③ Further, actively promoting cooperation with local governments, the MOEL will identify industries with frequent fatalities in each region and focus on supervising the compliance with relevant key safety measures. Strengthening of the preventive supervision of head office and service recipient companies The MOEL will strengthen the supervision of head office and service recipient companies in order to fundamentally improve the on-site work safety. ① Through service recipient company-centered supervision, companies with frequent fatalities will be forced to take measures to prevent accidents at all of their sites, including the sites where accidents previously occurred. ② The MOEL will focus on supervising whether sufficient safety measures have been taken for workers of service providing company, with the focus on the service recipient company. ③ In the case of supervision after the occurrence of an accident, for the purpose of preventing additional accidents rather than punishment, the MOEL plans to provide an opportunity for self-correction through safety and health improvement planning, and will conduct random inspections to check whether the plan is properly implemented. However, for companies that have faced public criticism (e.g., for large-scale accidents, frequent occurrences of serious accidents, etc.), the MOEL will pursue strong “planning and supervision” on a quarterly or semi-annual basis, which will be conducted at a degree equivalent to special supervisions. ④ The special supervision will be conducted when there is (i) the death of two or more persons, (ii) the death of three or more persons for one year, or (iii) the occurrence of a serious accident due to violation of a work suspension order, etc., and the inspection will be conducted on the head office and all sites. Providing support for establishment and implementation of safety and health management system The quality of the MOEL supervision will be further improved to provide systematic support to companies for the establishment and implementation of their safety and health management system. The MOEL will (i) check key points of the safety and health management system and present directions for their improvement; and (ii) supplement the safety and health checklist to check whether the Occupational Safety and Health Act and its subordinate statutes are complied with to the extent that it is possible to prevent industrial accidents at workplaces. The MOEL also plans to expand the period of supervision. With the enforcement of the SAPA, the Occupational Safety and Health Labor Inspectors’ Work Regulations were also partially amended on January 28, 2022. The key details of the amendment, including the scope of work performed by labor inspectors, are as follows: Classified the “supervision” into regular/occasional/special supervisions to intuitively clarify the types of supervision. Added the head of the Gyeonggi-do branch, which has a “Wide-Area Serious Accident Management Division”, as a special inspector, and clarified the subjects of the special supervision. Deleted the provision on private outsourcing of inspection and investigation, which lacks legal bases. Established a legal basis on jurisdiction for investigation of serious accidents under the SAPA. Established a legal basis for the establishment of investigation review committee composed of external experts, to minimize controversy over whether to commence an investigation of serious industrial accident caused by an occupational disease and the appropriateness thereof. Amended the inspection checklist to reflect all amendments to the Occupational Safety and Health Act effective as of January 16, 2020. Amended the accident (investigation) report form as serious industrial accidents were added as a type of accident. [Korean version]
2022.03.30

Newsletters VIEW MORE
Newsletters
Kim & Chang Legal Newsletter (2022 Issue 1) This is a quaterly update of legal developments in Korea from Kim & Chang. This issue includes: Recent Developments in Derivative Actions and Director’s Obligations and Liabilities The KFTC’s 2022 Enforcement Plan Introduction of K-Taxonomy Guideline The Amendments to the Notification on Detailed Standards for Imposition of Administrative Fines FSS Proposes Changes to Audit and Sanctions Procedures Legislative Developments in the Regulation of Virtual Assets in Korea New Regulations on Foreign Currency Insurance Policies and Zero/Low Surrender-Value Insurance Policies Amendments to the FSCMA Streamline Add-on License Process 2022 Amendments to HS Codes RCEP and Its Key Provisions Korean Trademark Act Amended to Cover Online Distribution of "Digital Goods" Bearing Trademarks Korea Enacts Special Act to Protect and Foster National High-Tech Strategic Industry Introduction of New PILA, Fully Amended in 20 Years European Commission Formally Proposes Complementary Delegated Act of EU Taxonomy Regulation Covering Certain Gas and Nuclear Activities for Legislation Updates on Important HR/Labor Law Amendments in 2022 and the MOEL’s Change of Administrative Interpretation Concerning Annual Paid Leave Amended Commercial Building Lease Protection Act Concerning Lessee’s Right to Terminate Lease Agreement Early in Case a Business Closes Down Due to Prolonged Imposition of Tough Virus Curbs Key Tax Law Amendments of 2022 2022 Plans of the Korea Communications Commission, the Ministry of Science and ICT, and the Personal Information Protection Commission To view the newsletter, please click the link below. Kim & Chang Legal Newsletter (2022 Issue 1) .content_view .view_area a { color: #2c3e50; text-decoration: none; }
2022.04.13

Newsletters VIEW MORE

김·장 홍보

118 Selected as National Leaders in WWL: Korea

118 attorneys, patent attorneys, and certified public accountants across 23 fields from Kim & Chang were selected as “National Leaders” in WWL: Korea 2022. We had the most listings out of all Korean law firms this year as well, demonstrating the expertise and extensive capabilities of our members.
VIEW MORE
“South Korea National Law Firm of the Year” at the Chambers Asia-Pacific Awards

Kim & Chang won the title of “South Korea National Law Firm of the Year” at the Chambers Asia-Pacific & Greater China Region Awards 2022. This year is the third consecutive year since 2020 in which we have won this award.
VIEW MORE
Kim & Chang Introduces Russia Sanctions Task Force Team

Korean and foreign companies are seeking advice on various legal issues related to sanctions and export controls imposed on Russia. Kim & Chang is introducing a large-scale Russian Sanctions TF, consisting of attorneys specializing in sanctions, export control, finance, and overseas disputes.
VIEW MORE

웹접근성

김∙장 법률사무소는 장애인 및 비장애인 누구나 편리하게 웹서비스를 이용하실 수 있도록 웹접근성 준수 및 개선을 위하여 노력하고 있습니다.

김∙장 법률사무소는 앞으로도 모든 사용자들이 편리하게 서비스를 이용할 수 있도록 최선을 다하겠습니다.
불편사항은 lawkim@kimchang.com으로 연락주시면 친절하게 안내해드리겠습니다

레이어 닫기

Disclaimer

The material on the Kim & Chang website is for general informational purposes only and should not be regarded as legal advice.

The transmission or receipt of any information from this site is not intended to create nor constitute an attorney-client relationship. Kim & Chang does not assume and disclaims any liability to any person for any loss or damage caused by said person's use of or reliance upon the materials on this website, regardless of whether said loss or damage was directly or indirectly caused by inaccurate statements therein. On-line viewers should consult with competent and professional legal counsel before acting upon any information provided by this website. All of the contents on this site are copyrighted by Kim & Chang. Any reproduction, distribution or retransmission of any materials posted on the Kim & Chang website without prior written permission from Kim & Chang is strictly prohibited. Although we provide several links to other websites, please be advised that we have no control over the content of those sites.

레이어 닫기