EDPB shows South Korea’s adequacy green light

The European Data Protection Board (EDPB), on 27 September, adopted an opinion on the draft South Korea Adequacy Decision by the European Commission. The Data Protection Authorities say that on the whole, they agree with the draft decision but have some additional comments to make.

EDPB Chair, Andrea Jelinek, said: “This adequacy decision is of paramount importance, as it will cover transfers in both the public and the private sector. A high level of data protection is essential to support our long-standing ties with South Korea and to safeguard the rights and freedoms of individuals. While we underline that core aspects of the Korean data protection framework are essentially equivalent to those of the European Union, we call on the Commission to further clarify certain aspects and to closely monitor the situation.”

The EDPB welcomes the efforts made by the European Commission and the Korean Authorities to ensure that the Republic of Korea provides a level of data protection essentially equivalent to that of the GDPR. The EDPB says, however, that it would like the European Commission to provide further information on some aspects, for example, effective remedies and rights of redress, pseudonymised information and withdrawing consent.

In relation to applying the adequacy decision, the EDPB notes that it will cover transfers from the EEA legal framework to both, public and private “personal information controllers” falling under the scope of the PIPA, Korea’s data protection law. The EDPB understands that entities acting as processors within the meaning of the GDPR are included in this term. However, in order to avoid misunderstandings, it invites the European Commission to make it clearer that the adequacy decision will also cover transfers to “processors” in Korea.

Regarding onward transfers, the EDPB acknowledges that a data subject’s informed consent will generally be used as a basis for data transfers from a Korean-based personal information controller to a third country-based recipient. The DPAs say that data subjects should also receive information on the possible risks of transfers arising from the absence of adequate protection in the third country. Also, the DPAs would like reassurances in the adequacy decision that personal data will not be transferred from Korean personal information controllers to a third country in any situation in which, under the GDPR, valid consent could not be provided, for example, because of an imbalance of power.

See: EDPB - Opinion 32/2021 regarding the European Commission Draft Implementing Decision pursuant to Regulation (EU) 2016/679 on the adequate protection of personal data in the Republic of Korea

See also an analysis on the draft decision by Professor Graham Greenleaf in PL&B International Report, August 2021.