South Korea’s New Cloud Computing Act and New Rules on Outsourcing of Data Processing by Financial Institutions

New Cloud Computing Act

The Act on the Development of Cloud Computing and Protection of Users (Cloud Computing Act), which was promulgated March 27, was scheduled to take effect Sept. 28 61 Privacy Law Watch, 3/31/15, 14 PVLR 617, 4/6/15.

Some of the major provisions of the Cloud Computing Act, which has been designed to provide a framework for promoting the use of cloud computing and protect users of cloud services, are summarized below.

Installation of Computing Facilities Not Required (Article 21)

Under the Cloud Computing Act, companies that use cloud computing services provided by another company are eligible to obtain business licenses and permits required under other laws, even if they do not have their own computing facilities installed within their place of business. This is because they will be deemed to be equipped with the computing facilities stipulated by such laws.

Therefore, once the Cloud Computing Act takes effect, companies will find it to be more cost-effective and less time-consuming to obtain the necessary licenses and permits. Additionally, they will also be able to save costs relating to the operation of the computing facilities.

However, Article 21 will not apply in certain cases, such as where the subject law explicitly prohibits the use of cloud computing services.

Protection of Users’ Cloud Data (Articles 4, 25, 26, 27)

The Cloud Computing Act stipulates that, fundamentally, the Personal Information Protection Act and the Act on Promotion of Information and Communications Network Utilization and Information Protection apply with respect to protecting the data (e.g., documents, pictures, memos) of users stored on clouds (Cloud Data) (Article 4).

However, it also includes separate provisions on the protection of Cloud Data.

Cloud computing service providers (CCSPs) are required to notify users of any cybersecurity incidents, Cloud Data leakages, and service interruptions, and also notify the Minister of Science, ICT & Future Planning (Minister of SIP) in the event Cloud Data is leaked (Article 25).

Users may demand from the CCSP the names of any countries in which their Cloud Data is stored, and, if the Minister of SIP finds that such disclosure is necessary for user protection, he may recommend that the CCSP provide the said country information to its users (Article 26).

The provision of Cloud Data to third parties by CCSPs is also strictly limited, and, upon expiration of the service agreement between the CCSP and the user or the termination of cloud services, the CCSP shall return the user’s Cloud Data to the user or destroy such data if returning it is impossible (Article 27).

New Rules on Financial Institutions’ Outsourcing of Data Processing

In order to make it easier for financial institutions and electronic financial service providers to outsource the processing of their data to third parties, the Financial Services Commission (FSC) announced the Regulations on Financial Institutions Outsourcing Data Processing Tasks (New Outsourcing Regulations ) July 22. They became effective on the same day.

The New Outsourcing Regulations amend the previous Regulations on Financial Institutions Outsourcing Data Processing and Electronic Data Processing Systems (Old Outsourcing Regulations).

Some of the key changes that were made pursuant to this amendment are summarized below.

Approval for Outsourcing Computing Equipment No Longer Required (Article 7)

Under the New Outsourcing Regulations, financial institutions no longer have to obtain the FSC’s approval for outsourcing the operation and management of their electronic data processing systems (EDPS) (e.g., a data center) to third parties. As such, financial companies are required only to report to the FSC any outsourcing of the processing of their data.

The Old Outsourcing Regulations included separate provisions applicable to the outsourcing of EDPS, as opposed to the outsourcing of data processing. However, the New Outsourcing Regulations remove all provisions relating to the outsourcing of EDPS, and focus solely on regulating the outsourcing of data processing.

Financial companies that outsource the data processing to third parties are required to report such fact to the FSC. In principle, the report is to be made ex post facto, i.e., after the outsourcing occurs, unless the data whose processing is to be outsourced involves the financial transaction data of an individual customer, in which case the report should be made to the FSC prior to outsourcing the data.

If the outsourced provider that will be receiving the financial transaction data of an individual customer is located overseas, the report to the FSC needs to be made at least 30 business days before the financial institution and the outsourced provider execute the outsourcing agreement.

Restriction on Scope of Eligible Outsourced Providers Lifted; Re-Outsourcing Permitted (Article 4)

Under the Old Outsourcing Regulations, the overseas outsourcing of data processing was permitted only if the outsourced provider was a foreign affiliate or head or branch office of the financial institution. However, this restriction is lifted under the New Outsourcing Regulations, thereby allowing for the outsourcing of the data processing to third party IT specialty firms as well.

Also, outsourced providers are allowed to re-outsource the data processing that they were entrusted to handle, as long as they comply with the same outsourcing standards applicable to financial institutions that initially outsource the data processing.

Use of Standard Form Contract No Longer Required (Article 4)

The New Outsourcing Regulations no longer require financial institutions to use standard form contracts (drafted by the regulator) when entering into outsourcing agreements with third party providers for data processing. The New Outsourcing Regulations set forth only the basic matters that are to be included in an outsourcing agreement, so that the contracting parties are able to reflect the unique qualities of the financial company or industry in the agreement.

Observations

With the New Outsourcing Regulations already in effect, once the Cloud Computing Act take effects on September 28, 2015, financial institutions will be allowed to outsource the processing of their customer data to domestic and foreign IT specialty firms providing cloud computing services, which in turn means that financial institutions will no longer have to install their own computing facilities to directly process the data of their customers.

Despite these new regulations, in order for companies to be able to fully utilize cloud computing for providing financial services to customers and carrying out their ordinary business, laws such as the Use and Protection of Credit Information Act, the Act on Real Name Financial Transactions and Confidentiality, the Regulations on the Supervision of Electronic Financial Activities, and the Personal Information Protection Act will likely require additional amendments, or the regulatory authorities responsible for enforcing the said laws will need to more leniently interpret the provisions included in such laws that address the protection of personal (credit) information and outsourcing of data processing.

However, given the South Korean government’s commitment to vitalizing the cloud computing service business, which was evident from its decision to enact the Cloud Computing Act and amend the Old Outsourcing Regulations, it is likely that the laws and regulations mentioned above will gradually undergo changes. Therefore, companies and institutions that currently are or plan on providing cloud computing services or utilizing such services should constantly monitor any legislative developments.

Kwang Bae Park is a partner and Head of the Technology, Media & Telecommunications Practice Group at Lee & Ko, Seoul. Hwan Kyoung Ko is a prtner in the firm’s Technology, Media & Telecommunications Practice Group. The authors may be contacted at kwangbae.park@leeko.com and hwankyoung.ko@leeko.com.