EU Commission issues draft adequacy decision on South Korea

The European Commission has today issued a draft adequacy decision which applies to data transfers to Korea’s private and public sector organisations. It concludes that South Korea ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation (GDPR).

The draft adequacy decision, which complements the EU-Republic of Korea Free Trade Agreement, has been forwarded to the European Data Protection Board (EDPB) for its opinion. Once the EU DPAs have issued their opinion, the draft decision still needs to be approved by a committee composed of representatives of the EU Member States. Only once these two steps are completed, can the Commission proceed to adopt the adequacy decision.

‘As part of the adequacy talks, the two sides agreed on several additional safeguards that will increase the protection of personal data processed in South Korea. These safeguards will provide for stronger protection with respect, for example, to transparency, sensitive data and onward data transfers. These rules will be binding and enforceable by the Personal Information Protection Commission,’ the EU Commission says.

Professor Graham Greenleaf, PL&B Asia Pacific Editor commented:

“A positive draft adequacy decision by the Commission is not surprising, given the earlier EU/Korean announcements concerning successful completion of discussions. Overall, Korea has the strongest data privacy law in Asia, both in terms of the range of GDPR-like principles included, and Korea's track-record of enforcement by various bodies. Its 2020 legislative reforms remedied the main problem from an EU adequacy perspective, that too much of the enforcement powers were held by a Ministry and by another agency, rather than being held by its main data protection authority, the Personal Information Protection Commission. However, the details of the Commission’s draft will be important in terms of indicating which aspects of the GDPR are most important in relation to a positive adequacy finding, and in how the Commission has gone about resolving some remaining problematic issues such as reuse of de-identified data, and onward transfer limitations. It is possible that the EDPB or the Parliament may raise such issues.”

Didier Reynders, EU Commissioner for Justice said: “Two years ago, we created the world's largest area of free and safe data flows with Japan. Soon the Republic of Korea should follow - another important partner in East Asia and another big achievement. The Republic of Korea has a strong track record in the area of data protection. The fact that the EU and the Republic of Korea have similar privacy standards is beneficial to both companies and citizens.”

See: European Commission press release

Professor Greenleaf will analyse the draft decision in depth in the next issue of PL&B International Report.

Bruno Gencarelli, Head of Unit – International Data Flows and Protection, European Commission, will discuss this and other international issues in his 5 July session at PL&B’s 34th Annual International Conference.