Category: Korea Data Protection

EU Adequacy Approach for Japan and South Korea

29. June 2018

These days the European Commission is focussing on talks with Japan and the Republic of Korea in order to advance the process towards mutual adequacy findings. Therefore,  the European Justice Commissioner Vera Jourová recently visited Japan’s Justice Minister, Yōko Kamikawa, and Commissioner of the Personal Information Protection, Haruhi Kumazawa, along with Korean Chairman of the Communications Commission Lee Hyo-seong to make progress on the approached adequacy deals. The engagement of all parties in allowing the free flow of personal data between the EU and Japan as well as the EU and South Korea started in 2017 by discussing to reaching an “adequacy decision“.

At the meeting in Tokyo, the two parties “took note of the significant progress achieved in the past month” referring, “in particular, [to] the agreement on solutions to bridging relevant differences between the two systems such as the Supplementary Rules, to be adopted by the Personal Information Protection Commission (PPC) following the public comment procedures, coupled with the Basic Policy on the Protection of Personal Information (Cabinet decision).” In addition, “they affirmed that the Personal Information Protection Commission and the European Commission will continue to consult each other with a view to finding mutually acceptable solutions whenever there is a need for cooperation with respect to personal data based on the framework for mutual and smooth transfer of personal data between Japan and the EU.”

In Seoul, Chairman Lee Hyo-seong and Commissioner Vera Jourová also held a very productive meeting, and “took note of the significant progress made since Korea submitted its request for partial adequacy and agreed that the two parties share very similar values with respect to human rights, with both sides recognising personal data protection as a fundamental right.” Furthermore, “they agreed to intensify their efforts to accelerate the pace of discussion.” The adequacy talks are very likely to be finalized in 2018, especially considering the fact that there are many similarities of South Korea’s “Personal Information Protection Act”  with the GDPR. However, concerning a final decision on the adequacy, another meeting in Brussels is planned later this year.

Currently the European Commission has recognised 12 countries for being able to ensure an adequate level of data protection, including Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

Korea updates its Data Protection Act

4. May 2016

Korea´s Personal Information Protection Act (“PIPA”) has been recently updated. The modifications reflect the increasing importance of privacy and data protection issues in this country. The most relevant amendments refer to the following points:

  • The legal grounds for the processing of RRN (Residence Registration Number) and the applicable security measures have been strengthened. It will be possible to process RRN data only in the cases stipulated by law. Moreover, it is mandatory to encrypt this data. However, this will be done gradually depending on the number of RRN held by the data controller. Inspections will be also carried out by the competent authorities.
  • The technical and organizational security measures that should be implemented have been also strengthened regarding sensitive information.
  • A notification obligation to data subjects regarding third party transfers has been also introduced. The notification should include the organization from which the data was received and the purposes for which the personal data will be used by the recipient. Previously, the data controller was the responsible for informing and obtaining consent from data subjects regarding data transfers to third parties, or the recipients upon the data subject´s request.
  • The amount of fines will increase considerably in cases of data breach (loss, theft, destruction, alteration etc.) and data subjects affected by the data breach will do not even have to prove actual damages.

Additionally, the Act on the Promotion of IT Network Use and Information Protection (IT Network Act) has been updated and will enter into force in September 2016. This Act relates to telecommunications service providers and the amendments aim at enforcing security of IT networks and of data protection