Free and uncomplicated data flows are now possible between the EU and the Republic of Korea.
With its adoption of an adequacy decision pursuant to Art. 45 General Data Protection Regulation (GDPR) for the Republic of Korea on Dec. 17, 2021, the European Commission has declared that the country provides an adequate data protection level comparable with GDPR standards. The Republic of Korea joins Andorra, Argentina, commercial organisations in Canada, Faroe Islands, Guernsey, Isle of Man, Japan, Jersey, New Zealand, Switzerland, the UK under the GDPR and the Data Protection Law Enforcement Directive (LED), as well as Uruguay, as the countries or institutions for which such decisions have been passed by the Commission.
The decision has a high practical impact, as personal data may now flow from the EU (as well as Norway, Liechtenstein and Iceland) to the Republic of Korea without any further necessary safeguards pursuant to Chapter 5 of the GDPR.
Background
Pursuant to GDPR, the transfer of personal data outside the European Economic Area (EEA) requires one of the special safeguards provided in Chapter 5 GDPR to ensure that the data remains protected. Chapter 5 GDPR provides for a number of mechanisms in this regard: Standard Contractual Clauses (SCC), Binding Corporate Rules (BCR), approved certification mechanisms, approved codes of conduct, so-called “derogations” and – last but not least – an adequacy decision.
According to Art. 45 of the GDPR, the European Commission has the power to determine via a formal decision whether a country, territory, sector, or international organisation outside the EEA offers a level of data protection equivalent to that of the EU.
Adequacy Decision for the Republic of Korea
The Republic of Korea undertook reforms of its data protection legislation in 2020 with a special focus on ensuring it had an independent supervisory authority in place to enforce data protection rules.
The adequacy decision for Korea was initiated in June 2021 by the Commission. During the adequacy talks, the Commission set, among other things, requirements regarding the onward transfer obligations of data recipients in South Korea and regarding transparent information about the processing of data. In addition, the problem of potential access of public authorities to personal data in South Korea was addressed, and changes were made to ensure that there are redress mechanisms for data subjects in the EEA in the event of unlawful requests. This includes the ability to raise complaints with the Korean data protection regulator, the Personal Information Protection Commission (PIPC).
Upon a final examination of the Korean legislation and particularly the Personal Information Protection Act (PIPA) as well as the investigatory and enforcement powers of the PIPC, the Commission concluded the level of data protection provided by Korean law was equivalent to the level guaranteed by the GDPR.
After receiving the opinion of the European Data Protection Board (EDPB) and approval from representatives of EU countries, the Commission adopted the decision. The decision has no time limitation but will be reviewed against any changes in the laws of South Korea every four years.
Practical Consequences
The decision permits a cross-border data transfer to the Republic of Korea without further authorization from a national supervisory authority or other safeguards. For example, no SCC will need to be entered into in relation to data processing conducted by a South Korean processor on behalf of an EU controller.
It does not, however, affect the obligations of data controllers or processors in the Republic of Korea to enter into data processing agreements pursuant to Art. 28 GDPR, or other agreements potentially required for any transfer of data to the Republic of Korea. Also, to the extent Art. 3(2) GDPR applies, controllers or processors in the Republic of Korea continue to be obliged to comply with GDPR as provided therein.
Last but not least, the adequacy decision has an even wider impact because some countries (such as Argentina, Colombia, Israel and Switzerland) recognize that countries and territories whose level of data protection is considered adequate by the EU Commission also meet the requirements for data transfers under their own data protection laws.