Tag: PIPA

EU Commission publishes Draft Adequacy Decision for South Korea

25. June 2021

On 16 June 2021, the European Commission published the draft adequacy decision for South Korea and transmitted it to the European Data Protection Board (EDPB) for consultation. Thus, the Commission launched the formal procedure towards the adoption of the adequacy decision. In 2017, the Commission announced to prioritise discussions on possible adequacy decisions with important trading partners in East and South-East Asia, starting with Japan and South Korea. The adequacy decision for Japan was already adopted in 2019.

In the past, the Commission diligently reviewed South Korea’s law and practices with regards to data protection. In the course of ongoing negotiations with South Korea, the investigative and enforcement powers of the Korean data protection supervisory authority “PIPC” were strengthened, among other things. After the EDPB has given its opinion, the adequacy decision will need to be approved by a committee composed of representatives of the EU Member States.

The decision of an adequate level of protection pursuant to Art. 45 of the General Data Protection Regulation (GDPR) by the Commission is one of the possibilities to transfer personal data from the EU to a third-country in a GDPR-compliant manner. The adequacy decision will serve as an important addition to the free trade agreement and a strengthening of cooperation between the EU and South Korea. Věra Jourová, the Commission’s Vice-President for Values and Transparency, expressed after launching the formal procedure:

“This agreement with the Republic of Korea will improve the protection of personal data for our citizens and support business in dynamic trade relations. It is also a sign of an increasing convergence of data protection legislation around the world. In the digitalised economy, free and safe data flows are not a luxury, but a necessity.”

Especially in light of the Schrems II decision of the Court of Justice of the European Union, the adequacy decision for South Korea will be an invaluable asset for European and South Korean companies conducting business with each other.

Korea updates its Data Protection Act

4. May 2016

Korea´s Personal Information Protection Act (“PIPA”) has been recently updated. The modifications reflect the increasing importance of privacy and data protection issues in this country. The most relevant amendments refer to the following points:

  • The legal grounds for the processing of RRN (Residence Registration Number) and the applicable security measures have been strengthened. It will be possible to process RRN data only in the cases stipulated by law. Moreover, it is mandatory to encrypt this data. However, this will be done gradually depending on the number of RRN held by the data controller. Inspections will be also carried out by the competent authorities.
  • The technical and organizational security measures that should be implemented have been also strengthened regarding sensitive information.
  • A notification obligation to data subjects regarding third party transfers has been also introduced. The notification should include the organization from which the data was received and the purposes for which the personal data will be used by the recipient. Previously, the data controller was the responsible for informing and obtaining consent from data subjects regarding data transfers to third parties, or the recipients upon the data subject´s request.
  • The amount of fines will increase considerably in cases of data breach (loss, theft, destruction, alteration etc.) and data subjects affected by the data breach will do not even have to prove actual damages.

Additionally, the Act on the Promotion of IT Network Use and Information Protection (IT Network Act) has been updated and will enter into force in September 2016. This Act relates to telecommunications service providers and the amendments aim at enforcing security of IT networks and of data protection