South Korean Data Localization: Shaped by Conflict

February 28, 2018

Author: Julia Yoon

Feature Series

Data Localization Laws & the International Movement of Information

The rapid growth of digital data stores and the increasing vulnerability of intellectual property challenge governments around the world to find ways to protect and regulate the flow and storage of data. Multiple countries, including the Republic of Korea (ROK), have enacted domestic data localization laws to limit the movement of data to specific jurisdictions.[1] Each government adopts data localization for different purposes, such as to protect citizens’ privacy and security, to develop economies, or to enforce domestic laws.[2] For the South Korean government, data localization laws are meant to protect national security and South Korean users’ privacy. However, the fact that South Korea is technically still at war with North Korea makes South Korea’s data localization laws unique.

In addition to the Personal Information Protection Act (PIPA), South Korea has two more major laws that strictly regulate spatial and location information: the Act on the Protection of Location Information and the 1961 Korean Land Survey Act.[3] Unlike those of other countries, South Korean data localization regulations are meant not only to protect the privacy and security of citizens, but also to put strict limitations on geographical data for national security reasons. While these three major laws are necessary for the South Korean government to protect and regulate valuable data within the nation, they are also a new barrier to global digital trade.[4]

Korean Land Survey Act

The purpose of the Korean Land Survey Act was to prevent anyone who is a threat to national security from stealing the country’s maps during the post-war period.[5] The ROK government enacted the law in 1961, and it concerned the establishment and management of spatial data; it was subsequently amended in 2009.[6] Article 16 of the act strictly regulates taking maps, photos, the results of a survey, or any land surveillance data abroad, because of the likelihood that it could harm South Korean national security interests.[7]

The act mainly targeted physical materials when it was first enacted, but it has since been expanded to digital data, prohibiting foreign companies from using South Korean domestic resources. For example, Alphabet Inc.’s Google requested government approval to use South Korean map data in early 2016, but permission was denied because the South Korean government thought it might exacerbate security issues with North Korea.[8] Google then argued that the national security laws in South Korea unfairly benefited domestic companies such as Naver Corp. over foreign IT companies. However, the Korean government said it would provide Google with an export license if the company used a version of the maps that blurred out anything deemed sensitive, removing the country’s power plants, government accommodations, military installations, and any other facilities that had strategic value, much like Naver Corp. does.[9] Google refused the South Korean government’s conditions.

The US government has been highly critical of this act as well. At commerce summit meetings since 2008, the US government has complained about unfair treatment of foreign IT companies.[10] Thus, the ROK’s spatial data protection measures bring new challenges to the Korean government in the context of its relationships with foreign companies and serve as a type of data localization rooted in South Korea’s conflict with the North.

Act on the Protection of Location Information

The Act on the Protection of Location Information focuses on regulating the collection of location information without consent from the owner of that location. Article 15(1) of the Act states that, “No one shall collect, use, or provide the location information regarding an individual or mobile object without the consent of the individual or the owner of the mobile object.”[11] No other country has the same legal strictness around location information, nor does any have a separate law regulating the collection of such information.[12]

Personal Information Protection Act

On 30 September 2011, the South Korean government enacted the Personal Information Protection Act (PIPA) as a general guideline for companies, persons, and organizations to follow prior to exporting data subjects’ data for business purposes.[13] PIPA Article 1 states that, “The purpose of this Act is to provide for the processing of the personal information for the purpose of enhancing the right and interest of citizens, and further realizing the dignity and value of the individuals by protecting their privacy from the unauthorized collection, leak, abuse or misuse of personal information.”[14]

PIPA generally regulates the collection, use, storing, outsourcing, and provision of personal information.[15] Starting in March 2012, after a six-month grace period, the Act became the data law most likely to be enforced.[16] Prior to PIPA, South Korea had a Public Agency Data Protection Act and an Act on the Promotion of IT Network Use and Information Protection (Network Act), which were limited to businesses utilizing telecommunications services in the private sector and covered all public agencies in the public sector. Replacing the whole Public Agency Data Protection Act and a part of the Network Act, PIPA covers both public and private sectors, creating common criteria and principles.[17] PIPA does not clearly state whether the regulation applies to foreign entities, but it discusses steps foreign companies need to take when handling South Korean citizens’ data.

Article 17(3) of PIPA states that, “When a personal information manager provides a third person at any overseas location with personal information, he/she shall notify a subject of information of the matters referred to in each sub paragraph of paragraph (2) and obtain the consent thereto, and shall not enter into a contract concerning the trans border transfer of personal information stipulating any details contravening this Act.”[18]

Under this article, in January 2014, the Korea Communications Commission (KCC) fined Google $212 million and won about $200,000, for collecting South Korean users’ personal information without the required consent.[19]

Sector Specific Laws

Other than PIPA, there are some specific laws that regulate specific parts of data protection. The Network Act, the second active Act after PIPA, regulates electronic and online data privacy issues, protecting the personal information of the people using telecommunications services provided by online service providers.[20] Following the Network Act, there are the Use and Protection of Credit Information Act (Credit Information Act), the Communications Secrecy Act, and the Promotion of Information and Communications Network Utilization and Information Protection.[21]

Businesses take compliance requirements very seriously, and South Korea has a good track record for the enforcement of data protection laws. However, heavy regulations on data transfers can directly influence the free flow of information across borders and global supply chains.

The South Korean government has used data localization requirements to protect local e-commerce and online payment operators, and these restrictions do place some burdens on organizations that intend to send data across borders. The purpose of the policies is mainly to protect users’ data from possible malicious acts, but some data security experts argue that storing data within the country is ineffective against foreign surveillance and creates a “honeypot” for criminals seeking to commit data breaches and abuse.[22]

As data is increasingly a raw material for many industries, constraints on cross-border data flows in South Korea hurt Korea’s economy by 1.1 percent of Korea’s GDP in 2014, equaling a loss of about 13 billion dollars.[23] More extensive data localization laws would likely lower Korean GDP by 0.4%, and the expanded influence of data localization measures could lower Korean GDP by 1.1%.[24]

Cloud computing is an area that is directly impacted by South Korean data localization measures.[25] Because the move to cloud computing includes benefits such as job creation, business creation, macroeconomic performance, and financial savings for public finances such as hospitals, healthcare, and government agencies,[26] limiting data flow can negatively impact the overall South Korean economy. In response to this, the South Korean government enacted the Act on Promotion of Cloud Computing and Protection of Users in 2015, which “require data localization as cloud computing networks serving public agencies have to be physically separate from networks serving the general public.”[27] The Act is meant to serve as a foundation for promoting computing in the ROK by modifying barriers in existing laws.[28]

Conclusion

South Korea’s data localization measures focus on personal information, location information, and spatial data. The ROK’s data localization policies are a special case internationally because the country is still at war. Strict management of location information and spatial data is meant to provide security, but this management must be balanced with the need for free cross-border data flows for South Korea’s economic performance.

Endnotes

[1] Jonah Force Hill. The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Business Leaders (Cyber Governance, 2014), 3.

[2] Taekyung Koh. Digital commerce in international trade relations; focusing on data localization (Seoul National University, 2017), 10.

[3] Ibid., 13.

[4] Nigel Cory, Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost? (Information Technology & Innovation Foundation, May 1, 2017).

[5] Yoonryung Eom. A Study on the Geolocation Data Protection Act – Focusing on Anonymous Geolocation Data (Yonsei Medicine, Science Technology and Law, 2014), 54.

[6] Taekyung Koh. Digital commerce in international trade relations; focusing on data localization (Seoul National University, 2017), 16.

[7] Act on the Establishment, Management, etc. of Spatial Data Article 16.

[8] Eun-Young Jeong. Lost Seoul: South Korea Blocks Google From Expanding Local Maps (The Wall Street Journal, Nov 18, 2016).

[9] Jonathan Cheng. Google Challenges South Korea Over Mapping Restrictions (The Wall Street Journal, May 17, 2016).

[10] “Chance is low that Google would like to reapply for mapping data exportation to Korean government” (June 4 2016)

[11] Act on the Protection, Use, Etc. of Location Information. Article 15(1).

[12] Taekyung Koh. Digital commerce in international trade relations; focusing on data localization (Seoul National University, 2017), 16.

[13] Jin Hwan Kim, Brian Tae-Hyun Chung, Jennifer S. Keh and In Hwan Lee. “Data protection in South Korea: overview.”

[14] Personal Information Protection Act. Article 1.

[15] Jin Hwan Kim, Brian Tae-Hyun Chung, Jennifer S. Keh and In Hwan Lee. “Data protection in South Korea: overview.”

[16] Graham Greenleaf, Whon-il Park. Korea’s New Act: Asia’s Toughest Data Privacy Law (Privacy Laws & Business International Report, 2012).

[17] Ibid.

[18] Personal Information Protection Act Article 17(3).

[19] Sean Hayes. Korea Increases Penalties For Data Breach and Unauthorized Transfer of Data: Korea Communications Commission (The Korean Law Blog, 2016).

[20] Jin Hwan Kim, Brian Tae-Hyun Chung, Jennifer S. Keh and In Hwan Lee. “Data protection in South Korea: overview.”

[21] Ibid.

[22] Data localization doesn’t compute (Korea Joongang Daily, 2014).

[23] Ibid.

[24] Erik Van der Marel, Hosuk Lee-Makiyama and Matthias Bauer. The Costs of Data Localisation: A Friendly Fire on Economic Recovery (ECIPE Occasional Paper, 2014), 2.

[25] Taekyung Koh. Digital commerce in international trade relations; focusing on data localization (Seoul National University, 2017), 21.

[26] Federico Etro, “The Economics of Cloud Computing,” in Cloud Computing Service and Deployment Models Layers and Management (Pennsylvania: Business Science Reference, 2013).

[27] Nigel Cory, Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost? (Information Technology & Innovation Foundation, May 1, 2017).

[28] Dong Shink Choi, Young Joon Kim. National Assembly Passes the Cloud Computing Act (Technology, Media & Telecommunications, 2015).

References

ACT ON THE ESTABLISHMENT, MANAGEMENT, ETC. OF SPATIAL DATA. Accessed 15 Nov. 2017.

ACT ON THE PROTECTION, USE, ETC. OF LOCATION INFORMATION. Accessed 15 Nov. 2017.

“Chance Is Low That Google Would like to Reapply for Mapping Data Exportation to Korean Government.” Huffingtonpost. Accessed 15 Nov. 2017.

Cheng, Jonathan. “Google Challenges South Korea Over Mapping Restrictions.” Wall Street Journal, 18 May 2016. www.wsj.com.

Cory, Nigel. “Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?” Information Technology & Innovation Foundation. Accessed 15 Nov. 2017.

“Data Localization Doesn’t Compute.” Korea JoongAng Daily. Accessed 15 Nov. 2017.

Eom, Yoonryung. “A Study on the Geolocation Data Protection Act -Focusing on Anonymous Geolocation Data and Definition of Geolocation.” Yonsei Journal of Medical and Science Technology Law, vol. 5 No.2, 2014.

Etro, Federico. Cloud Computing Service and Deployment Models: Layers and Management. 2012.

Greenleaf, Graham, and Whon-il Park. Korea’s New Act: Asia’s Toughest Data Privacy Law. SSRN Scholarly Paper, ID 2120983, Social Science Research Network, 19 July 2012. papers.ssrn.com.

Hayes, Sean. “Korea Increases Penalties For Data Breach and Unauthorized Transfer of Data: Korea Communications Commission.” The Korean Law Blog, 23 June 2016.

Hill, Jonah. The Growth of Data Localization Post-Snowden: Analysis and Recommendations for U.S. Policymakers and Business Leaders. SSRN Scholarly Paper, ID 2430275, Social Science Research Network, 1 May 2014. papers.ssrn.com.

Jeong, Eun-Young. “Lost Seoul: South Korea Blocks Google From Expanding Local Maps.” Wall Street Journal, 18 Nov. 2016. www.wsj.com.

Kim, Jin Hwan, et al. Data Protection in South Korea: Overview | Practical Law. Accessed 15 Nov. 2017.

Koh, Taekyung. Digital Commerce in International Trade Relations; Focusing on Data Localization. Seoul National University, Aug. 2017.

Marel, Erik Van der, et al. The Costs of Data Localisation: A Friendly Fire on Economic Recovery. Accessed 15 Nov. 2017.

“National Assembly Passes the Cloud Computing Act.” Kim & Chang, Aug. 2015.

This publication was made possible in part by a grant from Carnegie Corporation of New York. The statements made and views expressed are solely the responsibility of the author.