Archivos de la etiqueta: cloud computing service provider

01Nov/21

Act nº 13234, Mar. 27, 2015. Act on the Development of Cloud Computing and Protection of its Users.

Act nº 13234, Mar. 27, 2015, On the development of Cloud Computing and Protection of its users

CHAPTER I.- GENERAL PROVISIONS

Article 1 (Purpose)

The purpose of this Act is to contribute to improvement of citizens’ live and the development of the national economy by promoting the development and use of cloud computing and by creating an environment for safe use of cloud computing services.

Article 2 (Definitions)

The terms used in this Act shall be defined as follows:

1. The term “cloud computing” means an information processing system that makes it possible to flexibly use integrated and shared resources for information and communications (hereinafter referred to as “resources for information and communications”), such as devices for information and communications, information and communications systems, and software, through information and communications networks in accordance with changes in users’ requirements or demands;

2. The term “cloud computing technologies” means information and communications technologies specified by Presidential Decree as those for the establishment and use of cloud computing, including technologies for virtualization and distributed processing;

3. The term “cloud computing services” means the services specified by Presidential Decree as commercial services of providing resources for information and communications to others by utilizing cloud computing;

4. The term “user information” means the information (referring to the information prescribed in subparagraph 1 of Article 3 of the Framework Act on National Informatization) stored by a user of cloud computing services (hereinafter referred to as “user”) in the resources for information and communications of the person who provides the cloud computing services through a cloud computing system (hereinafter referred to as “cloud computing service provider“) and owned or managed by the user.

Article 3 (Responsibilities of State, etc.)

(1) The State and local governments shall formulate policies necessary for promoting the development and use of cloud computing and for creating an environment for safe use of cloud computing services.

(2) Cloud computing service providers shall endeavor to protect user information and provide reliable cloud computing services.

(3) Users shall not engage in any activity compromising the safety of cloud computing services.

Article 4 (Relationship to Other Acts)

This Act shall take precedence over other Acts with regard to promoting development and use of cloud computing and the protection of users: Provided, That, with regard to the protection of personal information, the provisions of the Personal Information Protection Act, the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc., and other relevant Acts shall apply.

CHAPTER II.- CREATION OF BASIS FOR DEVELOPMENT OF CLOUD COMPUTING

Article 5 (Formulation of Master Plans and Implementation Plans)

(1) The Minister of Science, ICT and Future Planning shall collect plans, policies, etc. formulated by central administrative agencies related to the promotion of development and use of cloud computing and the protection of users (hereinafter referred to “relevant central administrative agencies”), formulate a master plan every three years (hereinafter referred to as “master plan”), and finalize the plan after deliberation by the Information Communications Strategy Committee under Article 7 of the Special Act on the Promotion of Information and Communications, the Invigoration of Convergence, etc.

(2) Each master plan shall contain the following matters:

1. The basic direction-setting for policies for the promotion of development and use of cloud computing and the protection of users;

2. Matters concerning the creation of a basis for promoting the cloud computing industry and the use of cloud computing;

3. Matters concerning the introduction of cloud computing and the promotion of use;

4. Matters concerning the facilitation of research and development of cloud computing technologies;

5. Matters concerning the training of human resources specializing in cloud computing;

6. Matters concerning promoting the international cooperation and the development of overseas markets for cloud computing;

7. Matters concerning protecting information of users of cloud computing services;

8. Matters concerning improving the statutes and systems related to cloud computing;

9. Matters concerning the facilitation of convergence of technologies and industries related to cloud computing;

10. Other necessary matters concerning the development of cloud computing technologies and cloud computing services.

(3) The head of the relevant central administrative agency shall formulate and execute an implementation plan for the affairs under his/her jurisdiction (hereinafter referred to as “implementation plan“) in accordance with the master plan.

(4) The head of the relevant central administrative agency shall submit an implementation plan for next year and a report on the results of execution of the implementation plan for the preceding year to the Minister of Science, ICT and Future Planning, as prescribed by Presidential Decree, and the Minister of Science, ICT and Future Planning shall evaluate the results of execution of the implementation plan for each year.

(5) Except as otherwise expressly provided for in paragraphs (1) through (4), matters necessary for the formulation and execution of master plans and implementation plans and the submission and evaluation of reports on the results of execution shall be prescribed by Presidential Decree.

Article 6 (Cooperation from Relevant Agencies)

(1) The Minister of Science, ICT and Future Planning or the head of the relevant central administrative agency may request the head of a State agency, local government, or public agency defined by subparagraph 3 of Article 2 of the Electronic Government Act (hereinafter referred to as “State agency or other public authority“) to cooperate with him/her as necessary for the formulation and implementation of master plans or implementation plans.

(2) Each person in receipt of the request under paragraph (1) shall comply with the request, in the absence of good cause to the contrary.

Article 7 (Fact-Finding Survey)

(1) The Minister of Science, ICT and Future Planning may conduct fact-finding surveys in order to secure information and statistics about the current situation of industries as necessary for the effective formulation and implementation of policies on cloud computing.

(2) Where the Minister of Science, ICT and Future Planning deems it necessary for the fact-finding surveys under paragraph (1), he/she may request a cloud computing service provider or any other related institution or organization to submit data or express opinions.

(3) Upon receipt of a request from the head of the relevant central administrative agency, the Minister of Science, ICT and Future Planning shall notify him/her of the results of fact-finding surveys.

(4) Necessary matters concerning the fact-finding surveys under paragraphs (1) through (3) shall be prescribed by Presidential Decree.

Article 8 (Research and Development)

(1) The head of the relevant central administrative agency may implement a research and development project for cloud computing technologies and cloud computing services.

(2) The head of the relevant central administrative agency may outsource an enterprise or research institute to perform a research and development project under paragraph (1) and may fully or partially subsidize it for expenses incurred in the performance of the project.

Article 9 (Pilot Projects)

(1) The head of the relevant central administrative agency may implement a pilot project to promote the use and diffusion of cloud computing technologies and cloud computing services and may request local governments to cooperate with him/her in implementing the pilot project.

(2) The head of the relevant central administrative agency may provide financial assistance to the persons who participate in a pilot project under paragraph (1).

Article 10 (Assistance by Taxation)

The State and local governments may take necessary measures, such as full or partial exemption of taxes, as provided for in the Restriction of Special Taxation Act, the Restriction of Special Local Taxation Act, and other Tax-related Acts, in order to promote the development and use of cloud computing technologies and cloud computing services.

Article 11 (Assistance to Small and Medium Enterprises)

(1) The Government may provide assistance to small and medium enterprises (referring to the small and medium enterprises defined in Article 2 of the Framework Act on Small and Medium Enterprises; hereinafter the same shall apply) engaging in cloud computing as follows in order to promote the development and use of cloud computing and to protect users:

1. Provision of information about cloud computing services and consulting thereon;

2. Provision of technologies and subsidization of expenses as necessary for protecting user information;

3. Training of human resources specializing in cloud computing;

4. Assistance in other matters necessary for fostering small and medium enterprises engaging in cloud computing.

(2) Where the head of a relevant central administrative agency implements a research and development project under Article 8, he/she shall prepare measures to promote participation by small and medium enterprises engaging in cloud computing.

(3) Necessary matters concerning the entities eligible for assistance, the method for providing assistance, etc. under paragraphs (1) and (2) shall be prescribed by Presidential Decree.

Article 12 (Facilitation of Introduction of Cloud Computing to State Agencies and Other Public Authorities)

(1) The State agencies and other public authorities shall endeavor to introduce cloud computing.

(2) Where the Government formulates a budget necessary for the implementation of a policy or project for national informatization under the Framework Act on National Informatization, it shall give preference to the introduction of cloud computing.

Article 13 (Forecast on Demand for Cloud Computing Projects)

(1) The head of each State agency or other public authority shall submit a forecast on the demand for cloud computing projects from affiliated agencies to the Minister of Science, ICT and Future Planning, at least annually.

(2) The Minister of Science, ICT and Future Planning shall disclose the forecasts received on the demand for cloud computing under paragraph (1) to cloud computing service providers, at least annually.

(3) Necessary matters concerning the frequency, timing, method, procedure, etc. for the submission and disclosure of forecasts under paragraphs (1) and (2) shall be prescribed by Presidential Decree.

Article 14 (Training of Specialized Human Resources)

(1) The Minister of Science, ICT and Future Planning may formulate and implement policies necessary for training human resources specializing in cloud computing.

(2) The Minister of Science, ICT and Future Planning may designate the institutions that meet the requirements prescribed by Presidential Decree, from among educational institutions that conduct educational and training courses related to cloud computing, and may fully or partially subsidize such institutions for expenses incurred in engaging in such courses.

(3) In any of the following cases, the Minister of Science, ICT and Future Planning may revoke the designation of an educational institution designated under paragraph (2): Provided, That the designation shall be revoked in cases of subparagraph 1:

1. Where an educational institution has obtained the designation by fraud or other wrongful means;

2. Where an educational institution ceases to meet any of the requirements for designation under paragraph (2);

3. Where an educational institution has no record of providing education for at least one year from the date of designation of the educational institution.

(4) Necessary matters concerning the formulation of policies, the requirements for designating educational institutions, the procedure for designation and revocation of designation, the scope of assistance, etc. shall be prescribed by Presidential Decree.

Article 15 (Facilitation of International Cooperation and Development of Overseas Markets)

In order to facilitate international cooperation in cloud computing and the development of overseas markets for cloud computing technologies and cloud computing services, the Government may conduct the following activities:

1. International exchange of information, technologies, and human resources in relation to cloud computing;

2. Advertising and overseas marketing, including exhibitions related to cloud computing;

3. Joint research and development of cloud computing with other countries;

4. Collection, analysis, and provision of information for the development of overseas markets for cloud computing;

5. Mutual assistance with other countries to ensure effective international cooperation in cloud computing;

6. Other activities necessary to facilitate international cooperation in cloud computing and the development of overseas markets.

Article 16 (Assistance in Establishment of Integrated Information and Communications Facilities Based on Cloud Computing Technologies)

(1) In order to promote the development and use of cloud computing, the State and local governments may provide administrative, financial, technical assistance to persons who intend to establish information and communications facilities integrated by using cloud computing technologies.

(2) Necessary matters concerning the persons eligible for the assistance under paragraph (1), the method and procedure for such assistance, etc. shall be prescribed by Presidential Decree.

Article 17 (Creation of Industrial Complexes)

(1) The State and local governments may create industrial complexes to promote the cloud computing industry and facilitate the utilization of cloud computing through research and development of technologies for the cloud computing industry and training of specialized human resources.

(2) The industrial complexes shall be created in accordance with the procedure for the designation and development of national industrial complexes, general industrial complexes, and urban hi-tech industrial complexes under the Industrial Sites and Development Act.

(3) Where the Minister of Science, ICT and Future Planning deems it necessary for facilitating the creation of industrial complexes, he/she may request the Minister of Land, Infrastructure and Transport to designate them as industrial complexes.

Article 18 (Creation of Environment for Fair Competition, etc.)

(1) The Government shall create an environment for fair competition between large enterprises (referring to enterprises that do not fall into the category of either small and medium enterprises under Article 2 of the Framework Act on Small and Medium Enterprises or middle-standing enterprises under subparagraph 1 of Article 2 of the Special Act on the Promotion of Growth and the Strengthening of Competitiveness of Middle-Standing Enterprises) that provide cloud computing services and small and medium enterprises that also provide cloud computing services.

(2) No large enterprise that provides cloud computing services shall compel a small or medium enterprise that also provides cloud computing services to sign an unfair contract nor shall obtain unjust benefits, without any reasonable cause, taking advantage of its position.

(3) In order to create an environment for fair competition in the cloud computing industry, the Government may analyze and evaluate the current conditions of the environment for competitions in the cloud computing industry and may implement other programs necessary for creating an environment for fair distribution.

Article 19 (Designation of Exclusively Responsible Institution, etc.)

(1) Where the Minister of Science, ICT and Future Planning deems it necessary for promoting the cloud computing industry and facilitating the use of cloud computing, he/she may designate an exclusively responsible institution.

(2) The Minister of Science, ICT and Future Planning may fully or partially subsidize an exclusively responsible institution for expenses incurred in performing its business activities.

(3) Necessary matters concerning the designation, operation, etc, of an exclusively responsible institution shall be prescribed by Presidential Decree.

CHAPTER III.- FACILITATING USE OF CLOUD COMPUTING SERVICES

Article 20 (Facilitating Public Institutions’ Use of Cloud Computing Services)

The Government shall endeavor to encourage public institutions to use cloud computing services provided by cloud computing service providers for their work process.

Article 21 (Required Electronic Computer Systems, etc.)

Where electronic computer systems, equipment, facilities, etc. (hereinafter referred to as “electronic computer systems“) are expressly provided for in any other statute as requirements for authorization, permission, registration, designation, or any similar action, relevant electronic computer systems shall be deemed to include cloud computing services: Provided, That the foregoing shall not apply to any of the following cases:

1. Where the relevant statute expressly prohibits the use of cloud computing services;

2. Where the relevant statute requires the building of physical partitions between lines or facilities and actually restrict the use of cloud computing services;

3. Where cloud computing services are used but do not meet the requirements for electronic computer systems required by the relevant statute.

Article 22 (Securing of Interoperability)

Where the Minister of Science, ICT and Future Planning deems it necessary for securing the interoperability of cloud computing services, he/she may recommend cloud computing service providers to establish a cooperation system.

CHAPTER IV.- ENHANCEMENT OF RELIABILITY OF CLOUD COMPUTING SERVICES AND PROTECTION OF USERS

Article 23 (Enhancement of Reliability)

(1) Cloud computing service providers shall endeavor to enhance the quality and performance of cloud computing services and the level of protection of information.

(2) The Minister of Science, ICT and Future Planning shall determine and publicly notify the standards for the quality and performance of cloud computing services and the standards for the protection of information (including managerial, physical, technical measures for protection) and may recommend cloud computing service providers to observe the standards.

(3) Where the Minister of Science, ICT and Future Planning intends to publicly notify the standards for the quality and performance of cloud computing services under paragraph (2), he/she shall seek opinions from the Korea Communications Commission thereon.

Article 24 (Standard Agreement Forms)

(1) In order to protect users and establish public order for fair transactions, the Minister of Science, ICT and Future Planning may formulate or amend standard agreement forms related to cloud computing services, subject to consultation with the Fair Trade Commission, and may recommend that cloud computing service providers use such forms. In such cases, the Minister of Science, ICT and Future Planning may seek opinions of cloud computing service providers, users, and others.

(2) Where the Minister of Science, ICT and Future Planning intends to formulate or amend standard agreement forms pursuant to paragraph (1), he/she shall seek the opinion of the Korea Communications Commission thereon.

Article 25 (Notification, etc. of Intrusions, etc.)

(1) In any of the following cases, the cloud computing service provider shall notify the relevant user of the fact promptly:

1.  Where an intrusion defined by subparagraph 7 of Article 2 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (hereinafter referred to as “intrusion”) occurs;

2. Where the relevant user information is leaked;

3. Where services are interrupted for a period at least the period specified by Presidential Decree (referring to the period stipulated by an agreement between the parties, if such agreement has been made) without prior notice.

(2) In case falling under paragraph (1) 2, the cloud computing service provider shall notify the Minister of Science, ICT and Future Planning of the fact immediately.

(3) Where the Minister of Science, ICT and Future Planning receives the notice under paragraph (2) or becomes aware of such fact, he/she may take measures necessary for preventing worsening of damage, preventing reoccurrence, and restoring damaged systems,

(4) Necessary matters concerning the notification and measures under paragraphs (1) through (3) shall be prescribed by Presidential Decree.

Article 26 (Disclosure of Information for Protection of Users, etc.)

(1) Any user may request a cloud computing service provider to inform him/her of the name of the country where the relevant user information is stored.

(2) Any person who uses information and communications services (referring to the information and communications services defined by subparagraph 2 of Article 2 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.; hereinafter the same shall apply in paragraph (3)) may request an information and communications service provider (referring to the information and communications service provider defined by subparagraph 3 of Article 2 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.; hereinafter the same shall apply in paragraph (3)) to inform him/her as to whether it uses cloud computing services and the name of the country where the relevant user information is stored.

(3) Where the Minister of Science, ICT and Future Planning deems it necessary for protecting users or the users of information and communications services, he/she may recommend that cloud computing service providers or information and communications service providers disclose the information referred to in paragraph (1) or (2).

(4) Where the Minister of Science, ICT and Future Planning intends to recommend the disclosure of information pursuant to paragraph (3), he/she shall seek opinions from the Korea Communications Commission thereon.

Article 27 (Protection of User Information)

(1) No cloud computing service provider shall provide user any information to a third party or use user information for any purpose other than for the purpose of providing services, without the relevant user’s consent, unless it is required by a court order to submit or a warrant issued by a judge. The foregoing shall also apply to a third party to whom a cloud computing service provider has provided user information.

(2) Where a cloud computing service provider intends to provide any user information to a third party or to use the user information for any purpose other than for the purpose of providing services, it shall notify the user of the following matters and shall obtain consent thereto. The same shall apply where a change occurs to any of the following matters:

1. The person to whom the user information is to be provided;

2. The purpose of use of the user information (referring to the purpose of use of the person to whom the information is provided, if it is provided);

3. A list of user information used or provided;

4. The period of holding and use of user information (referring to the period of possession and user information by the person to whom user information is provided, where such information is provided);

5. A statement that the user has a right to refuse to give consent and the details of disadvantages in such cases, if disadvantages are given against refusal to give consent.

(3) Where the contract made with a user terminates, the cloud computing service provider shall return the user information to the user and destroy the user information possessed by the cloud computing service provider: Provided, That the user information shall be destroyed, if it is actually impossible to return the user information, because the user does not accept the return of the user information or does not want to have the user information returned.

(4) Where a cloud computing service provider intends to close its business, it shall notify each user of the closure of business, return the user information before the date of closure of business, and destroy the user information possessed by the cloud computing service provider: Provided, That the user information shall be destroyed, if it is actually impossible to return the user information, because the user does not accept the return of the user information or does not wish to have the user information returned.

(5) Notwithstanding paragraphs (3) and (4), if a cloud computing service provider has expressly agreed on different conditions with users, such conditions shall apply.

(6) Matters concerning the methods and timing for the return and destruction of user information and the methods of notifying the termination of a contract or the closure of business shall be prescribed by Presidential Decree.

Article 28 (Deposit of User Information)

(1) A cloud computing service provider and users may deposit user information in an institution equipped with professional personnel and facilities (hereinafter referred to as “depository“) under an agreement entered into with the depository.

(2) Where an event specified in the agreement made under paragraph (1) occurs, a user may request the depository to provide user information.

Article 29 (Liability for Damages)

Where a user sustains an injury or loss caused by a cloud computing service provider’s violation of any provision of this Act, he/she may claim damages for such injury or loss against the cloud computing service provider. In such cases, the cloud computing service provider shall not be exempted from liability, unless it proves that such injury or loss has not been caused by its intentional conduct or negligence.

CHAPTER V.- SUPPLEMENTARY PROVISIONS

Article 30 (Fact-Finding Investigation and Corrective Measures)

(1) Where the Minister of Science, ICT and Future Planning has a reasonable ground to suspect that a cloud computing service provider has violated any provision of this Act, he/she may instruct public officials of the Ministry to conduct investigations as necessary to ascertain the violation.

(2) Where the Minister of Science, ICT and Future Planning deems it necessary for the investigation under paragraph (1), he/she may authorize public officials of the Ministry to enter the office or place of business of a cloud computing service provider to inspect books of accounts, documents, and other materials or articles.

(3) Where the Minister of Science, ICT and Future Planning intends to conduct an investigation under paragraph (1), he/she shall notify the relevant cloud computing service provider of the plan for investigation, including the period and scope of investigation, the grounds for the investigation, etc., by not later than seven days before the scheduled date of investigation: Provided, That the foregoing shall not apply to an emergency case or where it is deemed impossible to achieve the objectives of investigation if prior notice is given, because of destruction of evidence, etc.

(4) Any person who enters the office or place of business of a cloud computing service provider to conduct an investigation shall show a certificate of authority to persons involved and shall have the persons in the office or place of business attend at the scene of the investigation.

(5) The Minister of Science, ICT and Future Planning may order a cloud computing service provider who violates Article 25 (1) or 27 to cease the violation or to take corrective measures.

Article 31 (Delegation and Entrustment)

(1) The authority of the Minister of Science, ICT and Future Planning or the head of the relevant central administrative agency under this Act may be partially delegated to the heads of affiliated agencies, as prescribed by Presidential Decree.

(2) The affairs assigned to the Minister of Science, ICT and Future Planning or the head of the relevant central administrative agency under this Act may be partially entrusted to a specialized institution, as prescribed by Presidential Decree.

Article 32 (Duty of Confidentiality)

Any person who currently or formerly engaged in an affair entrusted under this Act shall not divulge a cloud computing service provider’s confidential information on business which becomes known to him/her in the course of executing the affair.

Article 33 (Legal Fiction of Deeming Public Officials for Application of Penalty Provisions)

Executive officers and employees of a specialized institution engaging in the affairs entrusted pursuant to Article 31 (2) shall be deemed public officials for the purpose of applying penalty provisions of Articles 129 through 132 of the Criminal Act to them.

CHAPTER VI.- PENALTY PROVISIONS

Article 34 (Penalty Provisions)

Any person who uses user information or provides user information to a third party, without the relevant user’s consent, or any person who obtains user information for profit or for any wrongful purpose, knowing that the relevant user has not consented thereto, in violation of Article 27 (1), shall be punished by imprisonment for not more than five years or by a fine not exceeding 50 million won.

Article 35 (Penalty Provisions)

Any person who divulges confidential information which becomes known to him/her in the course of executing an affair entrusted, in violation of Article 32, shall be punished by imprisonment for not more than three years or by a fine not exceeding 30 million won.

Article 36 (Joint Penalty Provisions)

Where the representative of a corporation or an agent, employee, or servant who works for a corporation or for an individual commits an offense in violation of Article 34 or 35 in connection with the business of the corporation or individual, not only shall such offender be punished accordingly, but the corporation or individual also shall be punished by the fine prescribed in the relevant Article: Provided, That the foregoing shall not apply where the corporation or individual has not neglected due care and supervision over the relevant business to prevent such offense.

Article 37 (Administrative Fines)

Any of the following persons shall be punished by an administrative fine not exceeding ten million won:

1. A person who fails to notify users of an intrusion, the leakage of user information, or the interruption of service, in violation of Article 25 (1);

2. A person who fails to notify the Minister of Science, ICT and Future Planning of the leakage of user information, in violation of Article 25 (2);

3. A person who fails to return or destroy user information, in violation of Article 27 (3) or (4);

4. A person who fails to comply with an order issued under Article 30 (5) to cease a violation or to take corrective measures.

(2) The administrative fines under paragraph (1) shall be imposed and collected by the Minister of Science, ICT and Future Planning, as prescribed by Presidential Decree.

ADDENDUM

This Act shall enter into force six months after the date of its promulgation.