EU – Republic of Korea Draft Adequacy Decision

The European Commission (EC) has signalled its intent to adopt a draft adequacy decision between the European Union (EU) and the Republic of Korea (Korea), thereby enabling data to flow freely from the EU to Korea.

Background

The processing of personal data in the European Economic Area (EEA) is governed through the General Data Protection (GDPR), whilst processing of personal data in Korea is governed by the Personal Information Protection Act (PIPA). Under the GDPR, personal data may only be transferred outside the EEA on the basis of an adequacy decision by the EC, or where additional safeguards have been put in place (e.g., standard contractual clauses)

In practice, putting in place additional safeguards often requires a significant amount of effort and cost. The additional requirements and uncertainty introduced by the Schrems II decision further complicates the exercise of international data flows. In this light, the draft adequacy decision is welcome for organisations wishing to transfer personal data from the EU to Korea, as it enables frictionless data flows.

Next Steps & Considerations:

The EC’s draft adequacy decision will launch the decision making procedure to adopt the adequacy decision in the coming months. This involves two items (i) an Opinion of the adequacy decision by the European Data Protection Board (EDPB) for any non-binding recommendations they have and (ii) approval by a Committee composed of EU Member State representatives.

Despite the recent updates to PIPA and the strengthened investigatory and enforcement powers of the Personal Information Protection Commission (PIPC), the EC press statement has highlighted a number of areas in PIPA that still need to be strengthened. The areas mentioned include transparency, sensitive data and onwards transfers, all of which will be binding and enforceable by the PIPC and the Courts. It should be noted that the above areas to be strengthened in PIPA were listed as examples in the EC press statement and are not exhaustive.

Provided that an adequacy decision is adopted, the journey does not end there. The adequacy decision will be subject to an ongoing periodic review by the EC to verify that the level of protection of personal data remains essentially equivalent to European standards. For Japan’s adequacy decision, the review period was set on a two year cycle.

Republic of Korea’s reaction and expectation

Korean organisations have welcomed this decision. To date, such organisations doing business in the EU have typically relied on standard contractual clauses (SCCs) for data transfers.  This has required them to conduct legal and local due diligence reviews followed by other administrative procedures, which can cost a hundred thousand dollars and can take from 3 months to 1 year according to PIPC press release. However, once this Decision is finalised, Korean organisations are expected to save time and money and reduce risks involving potential violations of GDPR when transferring data from EU to Korea.

However, the draft adequacy decision does not cover Korean financial institutions which are governed by Credit Information Use and Protection Act and thus financial institutions doing business in EU will still have to use SCCs or rely on other legal grounds under the GDPR to transfer personal data of EU citizens to Korea

Finally, it is worth noting that Korea does not have a reciprocal administrative to the EC adequacy decision. Principally, personally identifiable information of Korean nationals cannot be transferred out of Korea without their consents and this draft adequacy decision covers data flow from EU to Korea only.  According to the principle of reciprocity, Korea plans to include further provisions for the cross border transfer of Korean national’s personal data in the second revision of PIPA, the legislative notice for which has recently been announced.

What about the United Kingdom?

Organisation should be cognisant that the adequacy decision, if adopted, will not apply to the United Kingdom. The UK’s Data Protection Authority, the Information Commissioner’s Office (ICO) only recognises adequacy decisions made by the European Commission up until the 31 December 2020. As such, the general prohibition on transfers of personal data between the UK and Korea will continue, subject to any future adequacy decisions made by the ICO. However, the UK and South Korea signed a Free Trade Agreement (FTA) in 2019, part of which addresses data processing and data protection considerations. In particular, Article 7.43 (b) of the FTA states that Each Party, reaffirming its commitment to protect fundamental rights and freedoms of individual shall adopt adequate safeguards to the protection of privacy, in particular with regard to the transfer of personal data. It will be interesting to see whether the ICO recognises Korea as an adequate destination, or whether a divergent approach will be taken.

In the interim, organisations should continue to incorporate additional safeguards (e.g., UK Standard Contractual Clauses), to enable the flow of data from the UK to Korea.

Conclusion

Broadly speaking, the draft adequacy decision reflects a continued emphasis by the EU to deepen cooperation within the Asia-Pacific region. This has been highlighted by recent developments in this area, including:

  • EU – Korea Free Trade Agreement (Effective December 2015)
  • EU – Japan Adequacy Decision (Effective January 2019)
  • EU – Japan Partnership Agreement (Effective February 2019)

Practically speaking, for businesses based in the European Union, the adequacy decision, if adopted, will be regarded as a welcome decision, as it no longer requires organisations wishing to transfer personal data from the EU to Korea to implement additional safeguards. Conversely, businesses in Korea should be on the lookout for additional changes to PIPA, either through the areas identified by the EC, or by any recommendations made by the EDPB. 

As a result of the adequacy decision, it is expected that cooperation between the EU and Korea in data related sectors will expand and once the second revision of PIPA including outbound personal data transfers from Korea to the EU becomes effective, the cooperation in data related industries will become even stronger.

A&M: Leadership. Action. Results.

A&M’s privacy and data protection professionals have extensive operations and advisory experience together with a proven track record in leading businesses through tough, complex situations. To learn more about our expertise and to understand the full scope of our services, please get in touch with one of our authors.

Authors:

Robert Grosvenor, Managing Director

rgrosvenor@alvarezandmarsal.com

Kiyoung Nam, Director

knam@alvarezandmarsal.com

Christopher Woodhead, Associate

cwoodhead@alvarezandmarsal.com