Epic Games v. Apple on App Store Payment Systems in South Korea

By: Inyoung Cheong

Why Did Epic Games’ CEO Claim to be South Korean?

As a South Korean, it felt surreal to see Oli London, a British YouTube influencer, claiming to be Korean following multiple plastic surgeries. Although Korean culture has been well-promoted by the band BTS (and more recently by the Netflix show, Squid Game), I never imagined that a non-Korean would ever want to be Korean. Soon after, more astonishing news came out. Tim Sweeney, the CEO of Epic Games, one of the most influential video game companies in the world, tweeted “I am a Korean!” Why is this high-profile figure so thrilled about my home country? 

How Epic Games Was Treated in the U.S.

Epic has been involved in a serious dispute with Apple since 2015 when Tim Sweeny questioned the necessity of digital marketplaces, like Apple’s App Store for iOS devices and Google Play, taking 30% of app-generated revenue. To avoid the 30% charge, Epic released an installer in mid-2020 for its massively popular video game, Fortnite “Season 4,” with a feature, codenamed “Project Liberty,” that offered a 20% discount for in-game money when users chose to directly purchase the game from Epic. Apple took down the app Fortnite for violating its App Store’s terms of service within hours, leaving iOS and macOS users unable to update their video game. Apple has claimed that in-app purchase policies “ensure that iOS apps meet Apple’s high standards for privacy, security, content, and quality.” However, app developers view this system as monopolistic and exploitative, one that allows companies like Google and Apple to make a quick profit without providing value to developers or consumers. 

Interview with Tim Cook on Sway, April 5 2021

In the United States, the U.S. District Court for Northern California did not fully agree with antitrust claims brought by Epic Games against Apple regarding this issue. While Judge Yvonne Gonzalez Rogers issued a permanent injunction in this case in September 2021 that requires Apple to allow app developers to communicate with users about alternative payment systems, Epic Games suffered a pyrrhic victory. Judge Rogers rejected the allegation that Apple’s App Store is a monopoly and ordered Epic Games to pay Apple 30% of all revenue collected through the system since it was implemented for breach of contract. This award amounts to a sum of more than $3.5 million. On Twitter, Tim Sweeney expressed his disappointment, saying “[t]oday’s ruling isn’t a win for developers or for consumers.” 

It’s important to also note that while the lawsuit was still ongoing, Apple lowered its commission from 30% to 15% for developers that make under one million U.S. dollars per year. 

The World’s First Law Directly Regulating In-App Purchase Systems 

In contrast to the United States District Court for the Northern District of California, South Korean lawmakers turned out to be more empathetic to app developers. In an exceptional move, South Korean lawmakers made the practice of forcing app purchases through particular virtual storefronts illegal. In August 2021, South Korea’s National Assembly enacted amendments to the country’s Telecommunications Business Act that commits the Korea Communications Commission (KCC) to preventing online platforms from requiring certain payment methods, unfairly delaying the review of mobile content, and unfairly deleting mobile content from the app market. In Apple’s case, an app-developer whose app was removed from Apple’s App Store can simply file a complaint with the KCC and seek an administrative penalty against the App Store instead of bringing a time-consuming lawsuit. Currently, it appears that South Korea is the only country on the planet to enforce this type of legislation, hence Time Sweeney’s jubilant cry, “I am a Korean!”

Debates Over the New Law in the South Korea’s National Assembly 

Predictably, both Google and Apple recently worked with local major law firms in appealing to the legislature to block passage of the bill. Global business organizations including the American Chamber of Commerce in Korea, NetChoice, Asian Trade Center, and Asia Internet Coalition also filed objections to the bill. All of these groups argued that compliance with in-app purchase policies contributes to creating safe, secure, and credible digital platforms that have enabled developers to sell their products abroad. 

Affected tech companies even turned to the U.S. government and accused the bill of being a non-tariff trade barrier in violation of a joint trade agreement, but the Biden administration did not take official action other than briefly mentioning the issue in the U.S. Trade Representative National Trade Estimate Report in March 2021. According to the New York Times, this inaction reflects the Biden administration’s critical attitude towards these tech giants’ incredible power over commerce.

In addition, legislative documents demonstrate disagreement between various Korean government agencies. The Korea Fair Trade Commission (Korea FTC) initially opposed this bill because “forcing payment systems” could be regulated by antitrust authorities as predatory conduct without introducing new telecommunication regulations. In the end however, Korea FTC reluctantly agreed to the KCC’s jurisdiction into this area after weathering President Moon and lawmakers’ relentless concerns and rebuke concerning the current disparity in app markets. 

Google and Apple Took Different Approaches 

Just after the enactment of the new law, Epic Games requested that Apple restore Fortnite to operational condition in South Korea, but Apple declined. Apple said, “we would welcome Epic’s return to the App Store if they agree to play by the same rules as everyone else.” The KCC then requested that Apple and Google submit compliance plans by October 2021. Both companies’ initial plans were, however, turned down by the KCC. 

Before submitting a new plan, Wilson L. White, Google’s public policy and government relations senior counsel, had a conference with a KCC chairman on November 4th. White committed to giving developers “the option to add an alternative in-app billing system alongside Google Play’s billing system for their users in Korea.” 

In contrast to Google’s move, Apple remains resistant. Apple is holding its ground, stating that its current policy is already compliant with the law, even though a KCC official made it clear that Apple’s position “goes against the law.” The South Korean local newspaper ETNEWS reported that Apple CEO Tim Cook ordered “we should not step back in South Korea.” It was also announced that Apple’s Korea unit chief Brandon Yoon resigned from his position. A South Korean lawmaker, Jo Seung-rae, opined that neither Apple nor Google are doing enough to comply with South Korea’s new law and called Apple’s claim that it complied with the law “nonsensical.”

Tim Sweeney’s Push and KCC’s Remaining Tasks 

Tim Sweeny gave a speech in South Korea on November, 15, 2021, saying “Apple is ignoring laws passed by Korea’s democracy. Apple must be stopped.” He also expressed his strong support for South Korea’s anti-monopoly push during a video conference with the Korea Communications Commission’s Chair, Han Sang-hyuk, on November 17. Chair Han said, “[f]or a platform ecosystem where everyone coexists, not only the government, but also platform companies, content producers, creators, and users need to participate in making changes.”

Last month, the KCC initiated notice-and-comment rulemaking procedures. The KCC notified the public about the implementation of an ordinance that allows the KCC to impose monetary penalties of up to two percent of a company’s revenues on companies that do not comply, although the precise definition of “revenues” has not been settled and it remains to be seen whether “revenues” applies to South Korea alone or the global market. While there are still shortcomings in the law and complexities to iron out, it is undeniable that this new Korean law has ignited meaningful policy discussions over mobile app market practices around the world.

Inyoung Cheong is a Ph.D. Candidate at the University of Washington School of Law and former Deputy Director of the Korea Communications Commission. 

Your Employer Can Monitor You While You Work From Home—Should They?

By: Joshua Waugh

Since “pandemic life” began, as many as 40% of American workers have worked from home. If you’ve been lucky enough to trade the crowded bus or the gridlocked highway for the shorter bedroom-to-laptop commute, chances are you’ve wondered just how closely your employer is watching you. The truth is that telework, for all its benefits, also has a major downside: near limitless opportunity for high-tech surveillance. And while it is clear that employers have the legal capability and the technology to monitor their employees, it’s less clear that employee surveillance is actually a good idea at all.

Can my employer really monitor me?

It is no secret that American privacy and technology laws are often lacking. At the federal level, the primary law dealing with electronic privacy is the Electronic Communications Privacy Act (ECPA), which was passed in 1986. The law is so old that Title I of the Act only contemplates a third party’s “interception” of a message sent by “wire, oral, or electronic communication”; the law doesn’t address the possibility of accessing stored communications, such as email, post-transmission.

Furthermore, Title I of the ECPA has been interpreted to include a carveout specifically allowing employers to monitor employees as long as the employer can show a legitimate business purpose. The ECPA also permits employers to electronically surveil employees upon their consent, which, given often imbalanced employee-employer power dynamics, is not great for the ordinary employee.

Title II of the ECPA, or the Stored Communications Act (SCA), provides more protection to employees, though the law is still just as dated as Title I. Under the SCA it is fairly well established that your employer can’t log in to your personal email without your permission. So rest assured, your employer cannot see the thousands of unread advertising emails in your inbox unless you give them access.

All of that said, there is not much legislation on electronic privacy at the federal level. That may seem surprising considering we’ve seen privacy controversy after privacy controversy from practically every big tech company in recent years, but electronic privacy regulation seems to be generally left to the states. The end result is that only Californians (and to a lesser extent Coloradans and Virginians) enjoy broad statutory protections against electronic employer surveillance. In most of the other states, as long as you are using an employer’s device or network, your employer may surveil you as much as they’d like. And surveillance software is readily available, including keyloggers that record every keystroke you make, activity monitors, and even software that records every website or app you access on the device. In fact, if your workplace is using the Microsoft Office 365 Suite, your employer is already able to monitor and analyze your work activity.

Where do we go from here?

If you’re concerned about your general lack of privacy rights living in America, you are not alone. Researchers have published studies showing that extensive employer surveillance can breed distrust among employees and such surveillance can be a significant hindrance on worker productivity and other positive performance outcomes. The feelings of distrust are even stronger when employees discover that they were being surveilled without their knowledge.

Despite evidence suggesting employee surveillance may have negative effects, surveys show that 62% of executives planned to use monitoring software in 2019, and that number is certain to have grown during the pandemic work-from-home era. Meanwhile, we’re also in the midst of a radical transformation in the labor force—the U.S. Bureau of Labor Statistics reported that 2.9% of the entire U.S. workforce, 4.3 million people, quit their jobs in August 2021. By all appearances, the Great Resignation is accelerating as 4.4 million workers went on to quit during September 2021, topping August’s record numbers. At a time when people are rethinking their relationship with work, struggling with burnout, and dealing with burdensome household issues such as child- and elder-care, employers should spend less time secretly surveilling their employees, and instead put effort into employee engagement. Essentially the opposite of paranoid surveillance, companies should engage with their workers by providing flexibility and building trust. Employee engagement is more likely to boost productivity than surveilling, and more importantly, in today’s climate, has been shown to increase employee retention. Ultimately, under current U.S. law, your employer can surveil you to its heart’s content in most states—but you can also resign if you feel your privacy rights have not been respected. As more and more in the labor force decide to do so, we’ll just have to wait and see how legislators respond.

The FTC Takes on Health and Fitness Apps’ Rampant Privacy Problems

By: Laura Ames

More and more Americans are turning to mobile health and fitness applications, but many worry about the lack of regulations would ensure that developers of these products keep user information secure and private. The Federal Trade Commission (“FTC”) recently addressed this concern with a policy statement (“Statement”) including app developers among the entities who must follow certain notification procedures after security breaches. However, many question the Statement’s practical effects and whether the FTC had the authority to issue it.  

Health App Trends

Mobile health and fitness apps have gained popularity in recent years, and the COVID-19 pandemic only accelerated this growth. In fact, the United States led the world in health and fitness app downloads as of October 2020 with 238,330,727 downloads that year alone. Even with this increased usage, a recent poll showed that over 60% of U.S. adults felt at least somewhat concerned regarding the privacy of their health information on mobile apps. These worries appear to be well-founded. Flo Health Inc., the developer of a menstrual cycle and fertility-tracking app, currently faces a consolidated class action alleging the company disclosed users’ health information to third parties without users’ knowledge. This is not an isolated concern. A recent study of over 20,000 health and fitness apps found that a third of these apps could collect user email addresses and more than a third transmitted user data to third parties such as advertisers.

The Original Health Breach Notification Rule

Congress enacted the Health Information Technology for Economic and Clinical Health (“HITECH”) Act as an investment in American health care technology. Subtitle D of this Act delegated authority to the FTC to promulgate breach notification requirements for breaches of unsecured protected health information. In 2009, the FTC issued its Health Breach Notification Rule (“HBNR”) covering vendors of personal health records (“PHR”) and PHR-related entities who experienced a security breach. The HBNR requires these entities to notify affected individuals and the FTC. Crucially, the HITECH Act defines a PHR as an electronic record that can be drawn from multiple sources.

The FTC has never enforced the HBNR, but the possibility for changes to the rule has been on the horizon for some time. In 2020, the FTC requested public comments on the HBNR, which functions as a part of their rulemaking process, saying that it was merely a periodic review of the rule. However, before that comment period ended, the Commission issued a policy statement that turned heads.

The FTC Makes a Bold Move

On September 15, the FTC issued a statement with two of the five Commissioners dissenting. The FTC’s stated goal was to clarify the HBNR and put entities on notice of their security breach obligations. The FTC explained that the HBNR is triggered when “vendors of personal health records that contain individually identifiable health information created or received by health care providers” experience a security breach. The first major revelation was that the FTC considers developers of health apps or connected devices as health care providers because they provide health care services or supplies.

Additionally, the FTC stated that it interprets the rule as covering apps that are capable of drawing information from multiple sources, like through a combination of consumer inputs and application programming interfaces (“APIs”). The statement gave two examples of apps that are covered under this understanding. First, an app that collects information directly from users and has the capacity to draw information through an API that enables syncing with a user’s fitness tracker. Second, an app is implicated if it draws information from multiple sources even if the health information only comes from one source. For example, if a consumer uses a blood sugar monitoring app that draws health data only from that consumer’s inputs but also draws non-health data from the phone’s calendar, that app is covered by the HBNR.

Additionally, the FTC sought to remind entities that a breach is not limited to cybersecurity intrusions but also includes unauthorized access to information. Under this interpretation, companies that share information without a user’s authorization would also be subject to the Rule. Although the FTC had not previously enforced the Rule, this Statement also served as signaling the FTC’s willingness to do so. It mentions that businesses could face potential civil penalties of $43,792 per violation per day.

Obviously, these clarifications could subject many app developers and other companies to the FTC’s rule. However, in the eyes of some, including the two dissenting Commissioners, this statement is not a mere clarification but a fundamental policy change. It could not only lead to potential confusion but could also be a breach of the FTC’s statutory authority and rulemaking process.

Critiques and Larger Questions

Some legal experts argue that this statement represents an expansion of the HBNR that could lead to further confusion for app companies and others. The two dissenting FTC Commissioners go further than potential confusion in their statements.

Commissioner Christine S. Wilson argued that this Statement both short-circuits the FTC’s rulemaking process and also improperly increases its statutory authority by expanding the definitions of terms without legislative approval. Commissioner Noah Joshua Phillips agreed that this statement’s first problem is its issuance in the middle of a request for public comment. Wilson pointed out that the FTC’s own business guidance for dealing with the HBNR directly contradicted the statement by saying that “if consumers can simply input their own” health data on a business’ site, for example, a weekly weight input, then the business is not covered by this rule. Wilson also expressed concerns that this interpretation of “health care provider” was a potentially slippery slope. For instance, does Amazon qualify as a health care provider given that users can purchase Band-Aids and other medical supplies through its phone app?

In the coming months, we might see the FTC forcing app developers to notify customers of data disclosures, but the debate around this statement also reveals larger questions concerning health care at the moment. Fundamental questions that once might have seemed easy to answer, such as who qualifies as a health care provider, are growing murkier. In the wake of COVID-19’s effects on telehealth and health technology in general, it seems unlikely that health care will phase out of this continued intermingling with technology. If that is the case, then legislation and regulations surrounding health care will continue to have to scramble to catch up with this rapid technological evolution.