Regulations on the provision of user information to third parties, including cookies
Under the Amendment, when certain telecommunication service providers (to be stipulated in a forthcoming MIAC ministerial order) intend to send user information falling under the new regulations to a third party, they will be obliged to give the user an opportunity for confirmation.
The scope of the user information subject to this requirement will also be defined in a future MIAC order. So-called third-party cookies are a conceivable example, while first-party cookies and information related to a user's OS, screen settings and language settings are expected to be excluded.
After the Amendment comes into effect, prior to transmitting regulated user information to third parties, a telecommunication service provider subject to the new regulations must: (1) notify the user or make information regarding transmission of user information to third parties readily accessible to all users, (2) obtain the user's consent or (3) take opt-out measures. The details of each measure will also be defined in a forthcoming MIAC order.
Obligations for the proper handling of Specific User Information
Under the Amendment, telecommunication service providers that exceed a certain size may be designated by MIAC as businesses that are obliged to properly handle information protected by communication secrecy and certain user identification information ("Specific User Information"). Designated service providers are required to:
- Create and notify users of information handling regulations for Specific User Information;
- Formulate and publish an information handling policy to indicate the contents of collected Specific User Information and the purpose and method of its use;
- Self-evaluate the status of information handling and revise the information handling regulations and information handling policy based on said evaluation; and
- Appoint and notify a general manager of Specified User Information.
The subject industry and carrier size have yet to be determined. However, a threshold of over 10 million users is currently being considered as a criterion.
In addition to the above, the Amendment also introduces the following new regulations:
- Telecommunication service providers will be required to report to the minister of MIAC in the event of a business suspension or leakage of certain information.
- Carriers that provide search services or equivalent intermediary telecommunication services (e.g., providers of online search engines and SNS networks) will be required to file notification of their telecommunication businesses.
- No carriers that provide certain wholesale telecommunication services (e.g., major mobile carriers and certain landline providers) may refuse a provision of their service in their business zone and a disclosure of information regarding conditions of service contracts without legitimate grounds.
Possible impact on businesses
Although the effective date of the Amendment will be determined in a MIAC order, it is expected to come into force no later than 16 June 2023. Telecommunication service providers should keep an eye on the enactment of the relevant ministerial orders and confirm whether they are in fact subject to the new rules under the Amendment.
Furthermore, subject telecommunication service providers will need to prepare for public announcements regarding the use of data — such as third-party cookies — in advance of the effective date. It is therefore essential that service providers closely monitor the MIAC orders enacted, determine whether they engage in any data processing subject to the Amendment and if so, update their current privacy policies and take other necessary measures.
Cookies and other information related to individuals which does not by itself identify a specific individual that can enable an individual to be identified when correlated with other information is regulated as personal information under the Act on the Protection of Personal Information (APPI). Also, if a business transfers such information to a third party that can then identify an individual even when the transferor cannot, the APPI applies and the transferor is required to confirm that the recipient has obtained the individual's consent. Therefore, in summary, even if data processing does not fall under the Amendment's new regulations, it may still be regulated under the APPI currently in effect.
When a telecommunication service provider is designated as subject to the Specific User Information regulations, it is required to take certain steps, including creating and notifying users of its information handling regulations. Accordingly, telecommunication service providers should pay close attention to the criteria for such designations to be issued by the minister of MIAC.