Category: Korean Data Protection

European Commission adopts South Korea Adequacy Decision

30. December 2021

On December 17th, 2021, the European Commission (Commission) announced in a statement it had adopted an adequacy decision for the transfer of personal data from the European Union (EU) to the Republic of Korea (South Korea) under the General Data Protection Regulation (GDPR).

An adequacy decision is one of the instruments available under the GDPR to transfer personal data from the EU to third countries that ensure a comparable level of protection for personal data as the EU. It is a Commission decision under which personal data can flow freely and securely from the EU to the third country in question without any further conditions or authorizations being required. In other words, the transfer of data to the third country in question can be handled in the same way as the transfer of data within the EU.

This adequacy decision allows for the free flow of personal data between the EU and South Korea without the need for any further authorization or transfer instrument, and it also applies to the transfer of personal data between public sector bodies. It complements the Free Trade Agreement (FTA) between the EU and South Korea, which entered into force in July 2011. The trade agreement has led to a significant increase in bilateral trade in goods and services and, inevitably, in the exchange of personal data.

Unlike the adequacy decision regarding the United Kingdom, this adequacy decision is not time-limited.

The Commission’s statement reads:

The adequacy decision will complement the EU – Republic of Korea Free Trade Agreement with respect to personal data flows. As such, it shows that, in the digital era, promoting high privacy and personal data protection standards and facilitating international trade can go hand in hand.

In South Korea, the processing of personal data is governed by the Personal Information Portection Act (PIPA), which provides similar principles, safeguards, individual rights and obligations as the ones under EU law.

An important step in the adequacy talks was the reform of PIPA, which took effect in August 2020 and strengthened the investigative and enforcement powers of the Personal Information Protection Commission (PIPC), the independent data protection authority of South Korea. As part of the adequacy talks, both sides also agreed on several additional safeguards that will improve the protection of personal data processed in South Korea, such as transparency and onward transfers.

These safeguards provide stronger protections, for example, South Korean data importers will be required to inform Europeans about the processing of their data, and onward transfers to third countries must ensure that the data continue to enjoy the same level of protection. These regulations are binding and can be enforced by the PIPC and South Korean courts.

The Commission has also published a Q&A on the adequacy decision.

EU Commission publishes Draft Adequacy Decision for South Korea

25. June 2021

On 16 June 2021, the European Commission published the draft adequacy decision for South Korea and transmitted it to the European Data Protection Board (EDPB) for consultation. Thus, the Commission launched the formal procedure towards the adoption of the adequacy decision. In 2017, the Commission announced to prioritise discussions on possible adequacy decisions with important trading partners in East and South-East Asia, starting with Japan and South Korea. The adequacy decision for Japan was already adopted in 2019.

In the past, the Commission diligently reviewed South Korea’s law and practices with regards to data protection. In the course of ongoing negotiations with South Korea, the investigative and enforcement powers of the Korean data protection supervisory authority “PIPC” were strengthened, among other things. After the EDPB has given its opinion, the adequacy decision will need to be approved by a committee composed of representatives of the EU Member States.

The decision of an adequate level of protection pursuant to Art. 45 of the General Data Protection Regulation (GDPR) by the Commission is one of the possibilities to transfer personal data from the EU to a third-country in a GDPR-compliant manner. The adequacy decision will serve as an important addition to the free trade agreement and a strengthening of cooperation between the EU and South Korea. Věra Jourová, the Commission’s Vice-President for Values and Transparency, expressed after launching the formal procedure:

“This agreement with the Republic of Korea will improve the protection of personal data for our citizens and support business in dynamic trade relations. It is also a sign of an increasing convergence of data protection legislation around the world. In the digitalised economy, free and safe data flows are not a luxury, but a necessity.”

Especially in light of the Schrems II decision of the Court of Justice of the European Union, the adequacy decision for South Korea will be an invaluable asset for European and South Korean companies conducting business with each other.

EU and South Korea complete adequacy talks

6. April 2021

On March 30th, 2021, EU Justice Commissioner Didier Reynders and Chairperson of the Personal Information Protection Commission of the Republic of Korea Yoon Jong In announced the successful conclusion of adequacy talks between the EU und the Republic of Korea (“South Korea”). These adequacy discussions began in 2017, and there was already initially a high level of convergence between the EU and the Republic of Korea on data protection issues, which has been further enhanced by additional safeguards to further strengthen the level of protection in South Korea. Recently, South Korea’s Personal Information Protection Act (“PIPA”) took effect and the investigative and enforcement powers of South Korea’s data protection authority, the Personal Information Protection Commission (“PIPC”), were strengthened.

In the GDPR, this adequacy decision is based on Art. 45 GDPR. Article 45(3) GDPR empowers the EU Commission to adopt an implementing act to determine that a non-EU country ensures an “adequate level of protection”. This means a level of protection for personal data that is substantially equivalent to the level of protection within the EU. Once it has been determined that a non-EU country provides an “adequate level of protection”, transfers of personal data from the EU to that non-EU country can take place without further requirements. South Korea will be the 13th country to which personal data may be transferred on the basis of an adequacy decision. An adequacy decision covering both commercial providers and the public sector will enable free and secure data flows between the EU and the Republic of Korea and it will complement the EU-Republic of Korea Free Trade Agreement.

Until the free flow of data can occur, the EU Commission must initiate the procedure for adopting its adequacy finding. In this procedure, the European Data Protection Board will issue an opinion and a committee composed of representatives of the EU member states must agree. The EU Commission may then adopt the adequacy decision.

EU Adequacy Approach for Japan and South Korea

29. June 2018

These days the European Commission is focussing on talks with Japan and the Republic of Korea in order to advance the process towards mutual adequacy findings. Therefore,  the European Justice Commissioner Vera Jourová recently visited Japan’s Justice Minister, Yōko Kamikawa, and Commissioner of the Personal Information Protection, Haruhi Kumazawa, along with Korean Chairman of the Communications Commission Lee Hyo-seong to make progress on the approached adequacy deals. The engagement of all parties in allowing the free flow of personal data between the EU and Japan as well as the EU and South Korea started in 2017 by discussing to reaching an “adequacy decision“.

At the meeting in Tokyo, the two parties “took note of the significant progress achieved in the past month” referring, “in particular, [to] the agreement on solutions to bridging relevant differences between the two systems such as the Supplementary Rules, to be adopted by the Personal Information Protection Commission (PPC) following the public comment procedures, coupled with the Basic Policy on the Protection of Personal Information (Cabinet decision).” In addition, “they affirmed that the Personal Information Protection Commission and the European Commission will continue to consult each other with a view to finding mutually acceptable solutions whenever there is a need for cooperation with respect to personal data based on the framework for mutual and smooth transfer of personal data between Japan and the EU.”

In Seoul, Chairman Lee Hyo-seong and Commissioner Vera Jourová also held a very productive meeting, and “took note of the significant progress made since Korea submitted its request for partial adequacy and agreed that the two parties share very similar values with respect to human rights, with both sides recognising personal data protection as a fundamental right.” Furthermore, “they agreed to intensify their efforts to accelerate the pace of discussion.” The adequacy talks are very likely to be finalized in 2018, especially considering the fact that there are many similarities of South Korea’s “Personal Information Protection Act”  with the GDPR. However, concerning a final decision on the adequacy, another meeting in Brussels is planned later this year.

Currently the European Commission has recognised 12 countries for being able to ensure an adequate level of data protection, including Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

Korea updates its Data Protection Act

4. May 2016

Korea´s Personal Information Protection Act (“PIPA”) has been recently updated. The modifications reflect the increasing importance of privacy and data protection issues in this country. The most relevant amendments refer to the following points:

  • The legal grounds for the processing of RRN (Residence Registration Number) and the applicable security measures have been strengthened. It will be possible to process RRN data only in the cases stipulated by law. Moreover, it is mandatory to encrypt this data. However, this will be done gradually depending on the number of RRN held by the data controller. Inspections will be also carried out by the competent authorities.
  • The technical and organizational security measures that should be implemented have been also strengthened regarding sensitive information.
  • A notification obligation to data subjects regarding third party transfers has been also introduced. The notification should include the organization from which the data was received and the purposes for which the personal data will be used by the recipient. Previously, the data controller was the responsible for informing and obtaining consent from data subjects regarding data transfers to third parties, or the recipients upon the data subject´s request.
  • The amount of fines will increase considerably in cases of data breach (loss, theft, destruction, alteration etc.) and data subjects affected by the data breach will do not even have to prove actual damages.

Additionally, the Act on the Promotion of IT Network Use and Information Protection (IT Network Act) has been updated and will enter into force in September 2016. This Act relates to telecommunications service providers and the amendments aim at enforcing security of IT networks and of data protection