ACT ON THE DEVELOPMENT OF CLOUD COMPUTING AND PROTECTION OF ITS USERS
Act No. 13234, Mar. 27, 2015
Amended by Act No. 14839, Jul. 26, 2017
Act No. 17344, jun. 9, 2020
Act No. 18738, Jan. 11, 2022
CHAPTER I GENERAL PROVISIONS
The purpose of this Act is to contribute to improvement of quality of life and the development of the national economy by promoting the development and use of cloud computing and by creating an environment for safe use of cloud computing services.
The terms used in this Act are defined as follows: <Amended on Jun. 9, 2020>
| 1. | The term "cloud computing" means an information processing system that makes it possible to flexibly use integrated and shared resources for information and communications (hereinafter referred to as "resources for information and communications"), such as devices for information and communications, information and communications systems, and software, through information and communications networks in accordance with changes in users' requirements or demands; |
| 2. | The term "cloud computing technologies" means information and communications technologies specified by Presidential Decree as those for the establishment and use of cloud computing, including technologies for virtualization and distributed processing; |
| 3. | The term "cloud computing services" means the services specified by Presidential Decree as commercial services of providing resources for information and communications to others by utilizing cloud computing; |
| 4. | The term "user information" means the information (referring to the information prescribed in subparagraph 1 of Article 2 of the Framework Act on Intelligent Informatization) stored by a user of cloud computing services (hereinafter referred to as "user") in the resources for information and communications of the person who provides the cloud computing services through a cloud computing system (hereinafter referred to as "cloud computing service provider") and owned or managed by the user. |
| Article 3 (Responsibilities of the State) |
| (1) | The State and local governments shall formulate policies necessary for promoting the development and use of cloud computing, facilitating the use of cloud computing services, and creating an environment for safe use of cloud computing services. <Amended on Jan. 11, 2022> |
| (2) | Cloud computing service providers shall endeavor to protect user information and provide reliable cloud computing services. |
| (3) | Users shall not engage in any activity compromising the safety of cloud computing services. |
| Article 4 (Relationship to Other Statutes) |
CHAPTER II CREATION OF BASIS FOR DEVELOPMENT OF CLOUD COMPUTING
| Article 5 (Formulation of Master Plans and Implementation Plans) |
| (1) | The Minister of Science and ICT shall collect plans, policies, etc. formulated by central administrative agencies related to the promotion of development and use of cloud computing and the protection of users (hereinafter referred to "relevant central administrative agencies"), formulate a master plan every three years (hereinafter referred to as "master plan"), and finalize the plan after deliberation by the Information Communications Strategy Committee under Article 7 of the Special Act on the Promotion of Information and Communications, and the Invigoration of Convergence. <Amended on Jul. 26, 2017> |
| (2) | Each master plan shall contain the following matters: |
| 1. | The basic directions of the policies for promoting the development and use of cloud computing and protecting of users; |
| 2. | Matters concerning the creation of the infrastructure for promoting the cloud computing industry and the use of cloud computing; |
| 3. | Matters concerning the introduction of cloud computing and the promotion of use; |
| 4. | Matters concerning the facilitation of research and development of cloud computing technologies; |
| 5. | Matters concerning the training of human resources specializing in cloud computing; |
| 6. | Matters concerning promoting the international cooperation and the development of overseas markets for cloud computing; |
| 7. | Matters concerning protecting information of users of cloud computing services; |
| 8. | Matters concerning improving the statutes, regulations, and systems related to cloud computing; |
| 9. | Matters concerning the facilitation of convergence of technologies and industries related to cloud computing; |
| 10. | Other matters necessary for the development of cloud computing technologies and cloud computing services. |
| (3) | The head of the relevant central administrative agency shall formulate and execute an implementation plan for the affairs under his or her jurisdiction (hereinafter referred to as "implementation plan") in accordance with the master plan. |
| (4) | The head of the relevant central administrative agency shall submit an implementation plan for next year and a report on the results of execution of the implementation plan for the preceding year to the Minister of Science and ICT, as prescribed by Presidential Decree, and the Minister of Science and ICT shall evaluate the results of execution of the implementation plan for each year. <Amended on Jul. 26, 2017> |
| (5) | Except as provided in paragraphs (1) through (4), matters necessary for the formulation and execution of master plans and implementation plans and the submission and evaluation of reports on the results of execution shall be prescribed by Presidential Decree. |
| Article 6 (Cooperation from Relevant Agencies) |
| (1) | The Minister of Science and ICT or the head of the relevant central administrative agency may request the head of a State agency, local government, or public agency defined by subparagraph 3 of Article 2 of the Electronic Government Act (hereinafter referred to as "State agency or other public authority") to cooperate with him or her as necessary for the formulation and implementation of master plans or implementation plans. <Amended on Jul. 26, 2017> |
| (2) | Each person in receipt of the request under paragraph (1) shall comply with the request, in the absence of good cause to the contrary. |
| Article 7 (Fact-Finding Survey) |
| (1) | The Minister of Science and ICT may conduct fact-finding surveys in order to secure information and statistics about the current situation of industries as necessary for the effective formulation and implementation of policies on cloud computing. <Amended on Jul. 26, 2017> |
| (2) | Where the Minister of Science and ICT deems it necessary for the fact-finding surveys under paragraph (1), he or she may request a cloud computing service provider or any other related institution or organization to submit data or express opinions. <Amended on Jul. 26, 2017> |
| (3) | Upon receipt of a request from the head of the relevant central administrative agency, the Minister of Science and ICT shall notify him or her of the results of fact-finding surveys. <Amended on Jul. 26, 2017> |
| (4) | Matters necessary for the fact-finding surveys under paragraphs (1) through (3) shall be prescribed by Presidential Decree. |
| Article 8 (Research and Development) |
| (1) | The head of the relevant central administrative agency may implement a research and development project for cloud computing technologies and cloud computing services. |
| (2) | The head of the relevant central administrative agency may outsource an enterprise or research institute to perform a research and development project under paragraph (1) and may fully or partially subsidize it for expenses incurred in the performance of the project. |
| Article 9 (Pilot Projects) |
| (1) | The head of the relevant central administrative agency may implement a pilot project to promote the use and diffusion of cloud computing technologies and cloud computing services and may request local governments to cooperate with him or her in implementing the pilot project. |
| (2) | The head of the relevant central administrative agency may provide financial assistance to the persons who participate in a pilot project under paragraph (1). |
| Article 10 (Tax Subsidies) |
The State and local governments may take necessary measures, such as full or partial exemption of taxes, as provided for in the Act on Restriction on Special Cases concerning Taxation, Act on Restriction on Special Cases concerning Local Taxation, and other tax-related statutes, in order to promote the development and use of cloud computing technologies and cloud computing services.
| Article 11 (Assistance to Small and Medium Enterprises) |
| (1) | The Government may provide assistance to small and medium enterprises (referring to the small and medium enterprises defined in Article 2 of the Framework Act on Small and Medium Enterprises; hereinafter the same shall apply) engaging in cloud computing as follows in order to promote the development and use of cloud computing and to protect users: |
| 1. | Provision of information about cloud computing services and consulting thereon; |
| 2. | Provision of technologies and subsidization of expenses as necessary for protecting user information; |
| 3. | Training of human resources specializing in cloud computing; |
| 4. | Assistance in other matters necessary for fostering small and medium enterprises engaging in cloud computing. |
| (2) | Where the head of a relevant central administrative agency implements a research and development project under Article 8, he or she shall prepare measures to promote participation by small and medium enterprises engaging in cloud computing. |
| (3) | Matters necessary for the entities eligible for assistance, the method for providing assistance, etc. under paragraphs (1) and (2) shall be prescribed by Presidential Decree. |
| Article 12 (Facilitation of Introduction of Cloud Computing to State Agencies and Other Public Authorities) |
| (1) | The State agencies and other public authorities shall endeavor to introduce cloud computing. |
| (2) | Where the Government formulates a budget necessary for the implementation of policies or programs for intelligent informatization under the Framework Act on Intelligent Informatization, it shall give preference to the introduction of cloud computing. <Amended on Jun. 9, 2020> |
| Article 13 (Forecast on Demand for Cloud Computing Projects) |
| (1) | The head of each State agency or other public authority shall submit a forecast on the demand for cloud computing projects from affiliated agencies to the Minister of Science and ICT, at least annually. <Amended on Jul. 26, 2017> |
| (2) | The Minister of Science and ICT shall disclose the forecasts received on the demand for cloud computing under paragraph (1) to cloud computing service providers, at least annually. <Amended on Jul. 26, 2017> |
| (3) | Matters necessary for the frequency, timing, method, procedure, etc. for the submission under paragraph (1) and disclosure of forecasts under paragraph (2) shall be prescribed by Presidential Decree. |
| Article 14 (Training of Specialized Human Resources) |
| (1) | The Minister of Science and ICT may formulate and implement policies necessary for training human resources specializing in cloud computing. <Amended on Jul. 26, 2017> |
| (2) | The Minister of Science and ICT may designate the institutions that meet the requirements prescribed by Presidential Decree, from among educational institutions that conduct educational and training courses related to cloud computing, and may fully or partially subsidize such institutions for expenses incurred in engaging in such courses. <Amended on Jul. 26, 2017> |
| (3) | In any of the following cases, the Minister of Science and ICT may revoke the designation of an educational institution designated under paragraph (2): Provided, That the designation shall be revoked in cases of subparagraph 1: <Amended on Jul. 26, 2017> |
| 1. | Where an educational institution has obtained the designation by fraud or other improper means; |
| 2. | Where an educational institution ceases to meet any of the requirements for designation under paragraph (2); |
| 3. | Where an educational institution has no record of providing education for at least one year from the date of designation of the educational institution. |
| (4) | Matters necessary for the formulation of policies, the requirements for designating educational institutions, the procedure for designation and revocation of designation, the scope of assistance, etc. shall be prescribed by Presidential Decree. |
| Article 15 (Facilitation of International Cooperation and Development of Overseas Markets) |
In order to facilitate international cooperation in cloud computing and the development of overseas markets for cloud computing technologies and cloud computing services, the Government may conduct the following activities:
| 1. | International exchange of information, technologies, and human resources in relation to cloud computing; |
| 2. | Advertising and overseas marketing, including exhibitions related to cloud computing; |
| 3. | Joint research and development of cloud computing with other countries; |
| 4. | Collection, analysis, and provision of information for the development of overseas markets for cloud computing; |
| 5. | Mutual assistance with other countries to ensure effective international cooperation in cloud computing; |
| 6. | Other activities necessary to facilitate international cooperation in cloud computing and the development of overseas markets. |
| Article 16 (Assistance in Establishment of Integrated Information and Communications Facilities Based on Cloud Computing Technologies) |
| (1) | In order to promote the development and use of cloud computing, the State and local governments may provide administrative, financial, technical assistance to persons who intend to establish information and communications facilities integrated by using cloud computing technologies. |
| (2) | Matters necessary for the persons eligible for the assistance under paragraph (1), the method and procedure for such assistance, etc. shall be prescribed by Presidential Decree. |
| Article 17 (Creation of Industrial Complexes) |
| (1) | The State and local governments may create industrial complexes to promote the cloud computing industry and facilitate the utilization of cloud computing through research and development of technologies for the cloud computing industry and training of specialized human resources. |
| (2) | The industrial complexes shall be created in accordance with the procedure for the designation and development of national industrial complexes, general industrial complexes, and urban hi-tech industrial complexes under the Industrial Sites and Development Act. |
| (3) | Where the Minister of Science and ICT deems it necessary for facilitating the creation of industrial complexes, he or she may request the Minister of Land, Infrastructure and Transport to designate them as industrial complexes. <Amended on Jul. 26, 2017> |
| Article 18 (Creation of Environment for Fair Competition) |
| (2) | No large enterprise that provides cloud computing services shall compel a small or medium enterprise that also provides cloud computing services to sign an unfair contract nor shall obtain unjust benefits, without any reasonable cause, taking advantage of its position. |
| (3) | In order to create an environment for fair competition in the cloud computing industry, the Government may analyze and evaluate the current conditions of the environment for competitions in the cloud computing industry and may implement other programs necessary for creating an environment for fair distribution. |
| Article 19 (Designation of Specialized Agency) |
| (1) | Where the Minister of Science and ICT deems it necessary for promoting the cloud computing industry and facilitating the use of cloud computing, he or she may designate an exclusively responsible institution. <Amended on Jul. 26, 2017> |
| (2) | The Minister of Science and ICT may fully or partially subsidize an exclusively responsible institution for expenses incurred in performing its business activities. <Amended on Jul. 26, 2017> |
| (3) | Matters necessary for the designation, operation, etc., of an exclusively responsible institution shall be prescribed by Presidential Decree. |
CHAPTER III FACILITATING USE OF CLOUD COMPUTING SERVICES
| Article 20 (Facilitating Use of Cloud Computing Services by State Agency or Other Public Authority) |
| (1) | A State agency or other public authority shall endeavor to use cloud computing services provided by cloud computing service providers for performing their affairs. <Amended on Jan. 11, 2022> |
| (2) | In using cloud computing services under paragraph (1), a State agency or other public authority shall preferentially consider cloud computing services that obtained security certification under Article 23-2 (1). <Newly Inserted on Jan. 11, 2022> |
| (3) | The Minister of Science and ICT may select any of the following services (hereinafter referred to as "digital services") to enable a State agency or other public authority to use cloud computing services under paragraph (1) and may establish and operate a system for registering and managing selected digital services (hereinafter referred to as "usage support system"): <Newly Inserted on Jan. 11, 2022> |
| 1. | Cloud computing services; |
| 2. | Services that support cloud computing services; |
| 3. | Services that combine cloud computing technologies with other technologies and services, such as intelligent information technologies. |
| (4) | Other matters necessary for the selection of digital services and the establishment and operation of a usage support system shall be prescribed by Presidential Decree. <Newly Inserted on Jan. 11, 2022> |
[Title Amended on Jan. 11, 2022]
| Article 21 (Required Electronic Computer Systems) |
Where electronic computer systems, equipment, facilities, etc. (hereinafter referred to as "electronic computer systems") are expressly provided for in any other statute as requirements for authorization, permission, registration, designation, or any similar action, relevant electronic computer systems shall be deemed to include cloud computing services: Provided, That this shall not apply to any of the following cases:
| 1. | Where the relevant statute expressly prohibits the use of cloud computing services; |
| 2. | Where the relevant statute requires the building of physical partitions between lines or facilities and actually restrict the use of cloud computing services; |
| 3. | Where cloud computing services are used but do not meet the requirements for electronic computer systems required by the relevant statute. |
| Article 22 (Securing of Interoperability) |
Where the Minister of Science and ICT deems it necessary for securing the interoperability of cloud computing services, he or she may recommend cloud computing service providers to establish a cooperation system. <Amended on Jul. 26, 2017>
CHAPTER IV ENHANCEMENT OF RELIABILITY OF CLOUD COMPUTING SERVICES AND PROTECTION OF USERS
| Article 23 (Enhancement of Reliability) |
| (1) | Cloud computing service providers shall endeavor to enhance the quality and performance of cloud computing services and the level of protection of information. |
| (2) | The Minister of Science and ICT shall determine and publicly notify the standards for the quality and performance of cloud computing services and the standards for the protection of information (including managerial, and physical, technical measures for protection; hereinafter referred to as "security certification standards") and may recommend cloud computing service providers to observe the standards. <Amended on Jul. 26, 2017; Jan. 11, 2022> |
| (3) | Where the Minister of Science and ICT intends to publicly notify the standards for the quality and performance of cloud computing services under paragraph (2), he or she shall seek opinions from the Korea Communications Commission thereon. <Amended on Jul. 26, 2017> |
| Article 23-2 (Security Certification of Cloud Computing Services) |
| (1) | The Minister of Science and ICT may grant certification (hereinafter referred to as "security certification") to cloud computing services that meet the security certification standards, in order to improve and guarantee the level of protection of information, as prescribed by Presidential Decree. |
| (2) | The effective period of security certification shall be a period prescribed by Presidential Decree not exceeding five years, in consideration of certification services and other factors, and a person who intends to extend the effective period of security certification shall apply for the renewal of the effective period, as prescribed by Presidential Decree. |
| (3) | Cloud computing service providers may indicate security certification on the cloud computing services which have obtained security certification. |
| (4) | No person shall place a mark of security certification or a mark similar thereto on the cloud computing services that have not been granted security certification. |
| 1. | Assessment to verify whether the relevant service complies with security certification standards (hereinafter referred to as "assessment of certification"); |
| 2. | Deliberation on the results of assessment of certification; |
| 3. | Issuance and management of security certificates; |
| 4. | Follow-up management of security certifications; |
| 5. | Fostering and qualification management of security certification assessors; |
| 6. | Other affairs regarding security certification. |
| (6) | Where necessary to efficiently conduct the affairs regarding security certification, the Minister of Science and ICT may designate an institution that conducts assessment of certification (hereinafter referred to as "assessment institution"). |
| (7) | An assessment institution may collect fees from persons who intend to obtain security certification, as prescribed by Presidential Decree. |
| (8) | Matters necessary for the subject matters of security certification under paragraph (1), an extension of the effective period under paragraph (2), and the standards and procedures for, and the effective period, etc. of, designation of a certification institution and an assessment institution under paragraphs (5) and (6) shall be prescribed by Presidential Decree. |
[This Article Newly Inserted on Jan. 11, 2022]
| Article 23-3 (Revocation of Security Certification) |
| (1) | Where a cloud computing service that has obtained security certification under Article 14 falls under any of the following cases, the Minister of Science and ICT may revoke the security certification: Provided, That the Minister shall revoke such certification in cases falling under subparagraph 1: |
| 1. | Where the service has obtained security certification by fraud or other improper means; |
| 2. | Where it ceases to meet the security certification standards. |
| (2) | Where the Minister of Science and ICT intends to revoke security certification under paragraph (1), he or she shall hold a hearing. |
[This Article Newly Inserted on Jan. 11, 2022]
| Article 23-4 (Revocation of Designation of Certification Institutions and Assessment Institutions) |
| (1) | Where any of the following is applicable to a corporation or organization designated as a certification institution or assessment institution under Article 23-2 (5) or (6), the Minister of Science and ICT may revoke the designation of the institution or issue an order to suspend all or part of the relevant affairs for a specified period not exceeding one year: Provided, That the Minister shall revoke such designation in cases falling under subparagraph 1 or 2: |
| 1. | Where the institution is designated as a certification institution or assessment institution by fraud or other improper means; |
| 2. | Where the institution grants security certification or conducts assessment of certification during the relevant service suspension period; |
| 3. | Where the institution fails to grant security certification or conduct assessment of certification without good cause; |
| 4. | Where the institution grants security certification or conducts assessment of certification in violation of the security certification standards under Article 23-2 (1); |
| 5. | Where the institution ceases to meet the designation standards referred to in Article 23-2 (8). |
| (2) | Matters necessary for the revocation of designation, suspension of business affairs, etc. under paragraph (1) shall be prescribed by Presidential Decree. |
[This Article Newly Inserted on Jan. 11, 2022]
| Article 24 (Standard Agreement Forms) |
| (1) | In order to protect users and establish public order for fair transactions, the Minister of Science and ICT may formulate or amend standard agreement forms related to cloud computing services, subject to consultation with the Fair Trade Commission, and may recommend that cloud computing service providers use such forms. In such cases, the Minister of Science and ICT may seek opinions of cloud computing service providers, users, and others. <Amended on Jul. 26, 2017> |
| (2) | Where the Minister of Science and ICT intends to formulate or amend standard agreement forms pursuant to paragraph (1), he or she shall seek the opinion of the Korea Communications Commission thereon. <Amended on Jul. 26, 2017> |
| Article 25 (Notification of Intrusion Incidents) |
| (1) | In any of the following cases, the cloud computing service provider shall without delay notify the relevant user of the fact: |
| 2. | Where the relevant user information is leaked; |
| 3. | Where services are interrupted for a period at least the period specified by Presidential Decree (referring to the period stipulated by an agreement between the parties, if such agreement has been made) without prior notice. |
| (2) | In case falling under paragraph (1) 2, the cloud computing service provider shall notify the Minister of Science and ICT of the fact immediately. <Amended on Jul. 26, 2017> |
| (3) | Where the Minister of Science and ICT receives the notice under paragraph (2) or becomes aware of such fact, he or she may take measures necessary for preventing worsening of damage, preventing reoccurrence, and restoring damaged systems. <Amended on Jul. 26, 2017> |
| (4) | Matters necessary for the notification and measures under paragraphs (1) through (3) shall be prescribed by Presidential Decree. |
| Article 26 (Disclosure of Information for Protection of Users) |
| (1) | Any user may request a cloud computing service provider to inform him or her of the name of the country where the relevant user information is stored. |
| (3) | Where the Minister of Science and ICT deems it necessary for protecting users or the users of information and communications services, he or she may recommend that cloud computing service providers or information and communications service providers disclose the information referred to in paragraph (1) or (2). <Amended on Jul. 26, 2017> |
| (4) | Where the Minister of Science and ICT intends to recommend the disclosure of information pursuant to paragraph (3), he or she shall seek opinions from the Korea Communications Commission thereon. <Amended on Jul. 26, 2017> |
| Article 27 (Protection of User Information) |
| (1) | No cloud computing service provider shall provide user any information to a third party or use user information for any purpose other than for the purpose of providing services, without the relevant user's consent, unless it is required by a court order to submit or a warrant issued by a judge. The foregoing shall also apply to a third party to whom a cloud computing service provider has provided user information. |
| (2) | Where a cloud computing service provider intends to provide any user information to a third party or to use the user information for any purpose other than for the purpose of providing services, it shall notify the user of the following matters and shall obtain consent thereto. The same shall apply where a change occurs to any of the following matters: |
| 1. | The person to whom the user information is to be provided; |
| 2. | The purpose of use of the user information (referring to the purpose of use of the person to whom the information is provided, if it is provided); |
| 3. | A list of user information used or provided; |
| 4. | The period of holding and use of user information (referring to the period of possession and user information by the person to whom user information is provided, where such information is provided); |
| 5. | A statement that the user has a right to refuse to give consent and the details of disadvantages in such cases, if disadvantages are given against refusal to give consent. |
| (3) | Where the contract made with a user terminates, the cloud computing service provider shall return the user information to the user and destroy the user information possessed by the cloud computing service provider: Provided, That the user information shall be destroyed, if it is actually impossible to return the user information, because the user does not accept the return of the user information or does not want to have the user information returned. |
| (4) | Where a cloud computing service provider intends to close its business, it shall notify each user of the closure of business, return the user information before the date of closure of business, and destroy the user information possessed by the cloud computing service provider: Provided, That the user information shall be destroyed, if it is actually impossible to return the user information, because the user does not accept the return of the user information or does not wish to have the user information returned. |
| (5) | Notwithstanding paragraphs (3) and (4), if a cloud computing service provider has expressly agreed on different conditions with users, such conditions shall apply. |
| (6) | Matters necessary for the methods and timing for the return and destruction of user information and the methods of notifying the termination of a contract or the closure of business under paragraphs (3) and (4) shall be prescribed by Presidential Decree. |
| Article 28 (Deposit of User Information) |
| (1) | A cloud computing service provider and users may deposit user information in an institution equipped with professional personnel and facilities (hereinafter referred to as "depository") under an agreement entered into with the depository. |
| (2) | Where an event specified in the agreement made under paragraph (1) occurs, a user may request the depository to provide user information. |
| Article 29 (Liability for Damages) |
Where a user sustains an injury or loss caused by a cloud computing service provider's violation of any provision of this Act, he or she may claim damages for such injury or loss against the cloud computing service provider. In such cases, the cloud computing service provider shall not be exempted from liability, unless it proves that such injury or loss has not been caused by its intentional conduct or negligence.
CHAPTER V SUPPLEMENTARY PROVISIONS
| Article 30 (Fact-Finding Investigation and Corrective Measures) |
| (1) | Where the Minister of Science and ICT has a reasonable ground to suspect that a cloud computing service provider has violated any provision of this Act, he or she may instruct public officials of the Ministry to conduct investigations as necessary to ascertain the violation. <Amended on Jul. 26, 2017> |
| (2) | Where the Minister of Science and ICT deems it necessary for the investigation under paragraph (1), he or she may authorize public officials of the Ministry to enter the office or place of business of a cloud computing service provider to inspect books of accounts, documents, and other materials or articles. <Amended on Jul. 26, 2017> |
| (3) | Where the Minister of Science and ICT intends to conduct an investigation under paragraph (1), he or she shall notify the relevant cloud computing service provider of the plan for investigation, including the period and scope of investigation, the grounds for the investigation, etc., by not later than seven days before the scheduled date of investigation: Provided, That the foregoing shall not apply to an emergency case or where it is deemed impossible to achieve the objectives of investigation if prior notice is given, because of destruction of evidence, etc. <Amended on Jul. 26, 2017> |
| (4) | Any person who enters the office or place of business of a cloud computing service provider to conduct an investigation under paragraph (2) shall show a certificate of authority to persons involved and shall have the persons in the office or place of business attend at the scene of the investigation. |
| (5) | The Minister of Science and ICT may order a cloud computing service provider who violates Article 25 (1) or 27 to cease the violation or to take corrective measures. <Amended on Jul. 26, 2017> |
| Article 31 (Delegation and Entrustment) |
| (1) | The authority of the Minister of Science and ICT or the head of the relevant central administrative agency under this Act may be partially delegated to the heads of affiliated agencies, as prescribed by Presidential Decree. <Amended on Jul. 26, 2017> |
| (2) | The affairs assigned to the Minister of Science and ICT or the head of the relevant central administrative agency under this Act may be partially entrusted to a specialized institution, as prescribed by Presidential Decree. <Amended on Jul. 26, 2017> |
| Article 32 (Confidentiality) |
Any person who currently or formerly engaged in an affair entrusted under this Act shall not divulge a cloud computing service provider's confidential information on business which becomes known to him or her in the course of executing the affair.
| Article 33 (Legal Fiction as Public Officials for Purposes of Applying Penalty Provisions) |
CHAPTER VI PENALTY PROVISIONS
| Article 34 (Penalty Provisions) |
Any person who uses user information or provides user information to a third party, without the relevant user's consent, or any person who obtains user information for profit or for any wrongful purpose, knowing that the relevant user has not consented thereto, in violation of Article 27 (1), shall be punished by imprisonment for not more than five years or by a fine not exceeding 50 million won.
| Article 35 (Penalty Provisions) |
Any person who divulges confidential information which becomes known to him or her in the course of executing an affair entrusted, in violation of Article 32, shall be punished by imprisonment for not more than three years or by a fine not exceeding 30 million won.
| Article 36 (Joint Penalty Provisions) |
Where the representative of a corporation or an agent, employee, or servant who works for a corporation or for an individual commits an offense in violation of Article 34 or 35 in connection with the business of the corporation or individual, not only shall such offender be punished accordingly, but the corporation or individual also shall be punished by the fine prescribed in the relevant Article: Provided, That the foregoing shall not apply where the corporation or individual has not neglected due care and supervision over the relevant business to prevent such offense.
| Article 37 (Administrative Fines) |
| (1) | Any of the following persons shall be subject to an administrative fine not exceeding 10 million won: <Amended on Jul. 26, 2017; Jan. 11, 2022> |
| 1. | A person who places a mark of security certification or a mark similar thereto, in violation of Article 23-2 (4); |
| 2. | A person who fails to notify users of an intrusion, the leakage of user information, or the interruption of service, in violation of Article 25 (1); |
| 3. | A person who fails to notify the Minister of Science and ICT of the leakage of user information, in violation of Article 25 (2); |
| 4. | A person who fails to return or destroy user information, in violation of Article 27 (3) or (4); |
| 5. | A person who fails to comply with an order to cease a violation or to take corrective measures under Article 30 (5). |
| (2) | The administrative fines under paragraph (1) shall be imposed and collected by the Minister of Science and ICT, as prescribed by Presidential Decree. <Amended on Jul. 26, 2017> |
ADDENDA <Act No. 13234, Mar. 27, 2015>
This Act shall enter into force six months after the date of its promulgation.
ADDENDA <Act No. 14839, Jul. 26, 2017>
Article 1 (Enforcement Date)
This Act shall enter into force on the date of its promulgation: Provided, That the amended provisions of any Presidential Decree that was promulgated but has not entered into force before this Decree enters into force, among the Presidential Decrees amended under Article 5 of the Addenda, shall enter into force on the enforcement date of the Presidential Decree. Articles 2 through 6 Omitted.
ADDENDA <Act No. 17344, Jun. 9, 2020>
Article 1 (Enforcement Date)
This Act shall enter into force six months after the date of its promulgation. (Proviso Omitted.)
Articles 2 through 8 Omitted.
ADDENDUM <Act No. 18738, Jan. 11, 2022>
This Act shall enter into force one year after the date of its promulgation.