On March 30, 2021, the European Commission, in a joint statement with the Commission for the protection of personal information, the data protection authority of the Republic of Korea (Korea), said that Korea provides a level of personal data protection similar to that provided in the European Union (EU) and, as such, is a jurisdiction deemed “adequate.” Following this joint declaration, the European Commission completed its internal procedures and formally adopted the content of the joint declaration in a draft adequacy decision published on June 14, 2021. Once the decision is finalized, businesses will be allowed to freely transfer personal data from the EU and the European Economic Area (EEA) to Korea without having to provide the additional guarantees required for “transfers to third countries” under the EU General Data Protection Regulation 2016/679 (GDPR). Once adopted, the adequacy decision would cover transfers of personal data to business operators located in Korea, as well as to Korean public authorities. However, transfers of personal credit information that is subject to the jurisdiction of the Korea Financial Services Commission will be excluded from the scope of the adequacy decision.
The adequacy decision relates only to the transfer of personal data from the EU / EEA to a recipient in Korea; it does not affect the general applicability of the GDPR. Any business (even one outside the EU / EEA) that directly collects personal data from EU residents in the course of offering goods or services, or of monitoring the behavior of EU residents, will still have to comply with the obligations the GDPR sets out for its collection of personal data. In addition, and significantly, the adequacy decision covers the data flow in one direction only, from the EU to Korea, and not in the opposite direction, i.e. from Korea to the EEA. As noted below, absent further statutory changes, Korean privacy laws still require data handlers to obtain data subjects’ consent (as opposed to opt-out) before transferring their personal data outside of Korea.
The conclusion of the adequacy talks between Korea and the European Commission is a major step in their ongoing four-year dialogue regarding the mutual recognition of personal data protection regimes. Korea has been preparing for this adequacy decision since 2015, when the Korean government established a joint public-private task force to conduct regulatory feasibility studies, self-assessments and benchmarking data for the first cycle of adequacy negotiations with the EU in 2017. After two extensive rounds of adequacy negotiations between representatives of the European Commission and Korea ended without a conclusion of adequacy, Korea decided to make significant changes to its data protection laws. These amendments were enacted by the National Assembly, Korea’s national legislature, in January 2020 and entered into force in August 2020, paving the way for the joint declaration of March 2021.
EU: GDPR framework
Since May 25, 2018, the framework for the protection of privacy in the EU has been governed by the GDPR, which imposes strict obligations on public and private bodies that collect and process personal data, taking into account the fundamental principles of the civil rights of the EU. Since the GDPR only applies directly to entities with an establishment in the EU, or where a foreign entity offers services to people in the EU or monitors the behavior of people in the EU, the applicability of the GDPR to organizations outside the EU is limited. To ensure that the level of protection of personal data cannot be circumvented by transferring personal data from the EU to third countries without a substantially comparable level of data protection, the GDPR requires additional guarantees for such personal data transfers. This can be achieved by an adequacy decision of the European Commission confirming that the legal framework of a third country provides for an adequate level of data protection (adequacy decision). Where such an adequacy decision does not exist, EU companies must implement additional bilateral guarantees (the most prominent example being the EU Standard Contractual Clauses – see our alert here), rely on ecosystem-wide rules (such as codes of conduct – see our alert here), or rely on certain regulatory exemptions. Because such derogations apply only in very limited scenarios and the reliability of the EU Standard Contractual Clauses has been called into question by the Schrems II decision of the Court of Justice of the European Union (see our alert here), an adequacy decision is the most reliable and transparent basis for companies intending to transfer personal data to a third country.
However, the process of an adequacy decision can be long and complex, as the European Commission has to assess in detail the framework for the protection of privacy in the third country concerned, as well as its implementation and enforcement in practice. So far, only a few countries have been able to obtain such a decision, namely Andorra, Argentina, Canada (trade organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay (the process for the United Kingdom is still in progress but expected before the end of June 2021). With Korea now entering this inner circle, data transfers between the EU and Korea will become much easier and strengthen trade relations between the two countries.
Korea: PIPA Framework
Prior to the conclusion of the adequacy talks, significant changes were made to Korea’s data privacy regime during 2020. In particular, on January 9, 2020, the National Assembly adopted amendments to the three major data privacy laws: the Privacy Act (PIPA), the Law on the Promotion of the Use of Information and Communication Networks and the Protection of Information, and the Credit Information Use and Protection Act. The amendments collectively brought the following changes to the country’s data privacy regime:
- Minimizing the burden of redundant regulatory activities and the confusion among regulatees resulting from overlapping data privacy regulations and multiple oversight bodies,
- Developing a “data economy” by introducing the concept of “pseudonymized data” and a legal basis on which the data can be used more flexibly to an extent reasonably related to the original purpose of the collection,
- Ultimately, making Korea’s data privacy regime more in line with GDPR principles in order to meet the requirements of an adequacy decision.
We repeat our note above that although the EU-Korea adequacy decision has a direct impact on data transfers from the EU to Korea, transfers of personal data of Korean data subjects from Korea to the EU (or any other jurisdiction) will remain limited and still be subject to Korean privacy laws, absent further statutory changes in Korea. The amended PIPA specifically requires data handlers to obtain consent from data subjects before transferring their personal data outside of Korea. Therefore, it will be important to closely monitor Korea’s changes to implementing regulations and related public notices in the foreseeable future, while also keeping abreast of the status of the final adequacy decision.
The European Commission will now begin the decision-making process, with the stated objective of adopting the EU / Korea adequacy decision in the coming months.
As each of the EU Member States has given its approval, the adoption of an adequacy decision will now require a first recommendation from the European Commission, an adequacy opinion from the European Data Protection Board (expected later this summer or this year), and the final adoption of the decision by the European Commission. The Korean government hopes that a final adequacy decision can be reached in the second half of 2021.