It has been confirmed that Coupang, which caused a personal data leak affecting about 33 million people in Korea, conveyed to the Office of the United States Trade Representative (USTR) its view that "localization rules requiring servers or infrastructure to be installed and operated in each country must be avoided." The point is to let corporations freely decide where to place data and servers that store personal information and other data.
Some say Coupang, which suffered a personal data breach, should establish protection and compensation systems before demanding autonomy.
According to ChosunBiz reporting compiled on the 23rd, Coupang submitted an opinion to the USTR in Apr. 2022 ahead of the launch of the Indo-Pacific Economic Framework (IPEF), calling for the guarantee of free cross-border data flows and the exclusion of obligations to localize servers and infrastructure.
IPEF is an economic security platform and international organization for the Indo-Pacific region created under the leadership of the Biden administration. Fourteen countries, including Korea, the United States, Japan, and Australia, are participating.
China, Russia, Vietnam, and others are implementing rules that require corporations to store data locally. Korea, as well as the European Union (EU) and Japan, do not explicitly mandate server localization. However, they impose strict consent, protection, and accountability requirements for the transfer of personal data overseas. This is because personal information and transaction data are important assets, and the government must be able to intervene quickly in investigation and oversight when incidents occur. That is why keeping servers domestically has become common.
Tech corporations such as Google and Microsoft argue that corporations, rather than governments, should manage server locations. Coupang likewise submitted to the USTR the view that country-by-country localization requirements for servers and other infrastructure should be avoided and that corporations should be able to operate them autonomously.
If servers and the like must be installed and operated in each country, the expense is high, and differences in outage response and regulatory systems make management difficult.
In particular, services that need to use large-scale data in real time, such as algorithm-based product recommendations or logistics optimization, may suffer reduced operating efficiency when data are dispersed by country. For this reason, Coupang told the USTR that mandatory localization of servers and infrastructure by country could constrain the operation and expansion of services.
The issue is trust in server management of personal data and the like. After a recent incident at Coupang in which more than 33 million items of personal data were leaked in Korea, questions have been raised about whether the underlying security capabilities and fulfillment of accountability were sufficient.
An IT security expert said, "Coupang should not demand autonomy in server management while failing to apply 'passkeys,' a strong secure login mechanism, consistently in countries where it operates," and added, "It would not be too late to call for easing server localization after building high-level security, incident response, and investigation-cooperation systems."
Coupang customers' personal data are currently stored in Korea. Coupang CEO Herald Rogers said at a hearing of the National Assembly Science. ICT. Broadcasting. and Communications Committee on the 17th, "Information currently defined as personal data is stored in the AWS (Amazon Web Services) Korea Region (regional data center), and I understand that backup data are stored in the Singapore Region."
Choi Kyung-jin, a professor of law at Gachon University and president of the Korea Artificial Intelligence Law Association, said, "More important than whether to relax server localization is the will and practice to protect users," and added, "(Coupang) must first show a promise and build trust that it has systems to restore service when it is disrupted, and that it will maintain availability, stability, and security above a certain level."