The meaning of ‘adequacy’: Implications of the draft Korea decision
Graham Greenleaf analyses what the EU is effectively looking for – it appears that the absence of some of the GDPR elements does not stand in the way of a positive finding.
The European Commission’s draft adequacy Decision concerning the Republic of Korea(1) will be the third such decision under the GDPR, once finalised. (It follows those concerning Japan (2019) and the United Kingdom (2021)). The decision is significant not only for its practical implications for Korea, but also for what it adds to our emerging understanding of how “adequacy” is being interpreted under the GDPR. The CJEU’s decision in Schrems II and the EDPB’s Adequacy Referential(2) must also be considered.
The draft Decision is positive, in that it “has the effect that transfers [from a controller or processor in the EU] to personal information controllers in the Republic of Korea may take place without the need to obtain any further authorisation” (Rec. 7 – indicating recital number of the draft Decision). The scope of the Decision is broad (Rec. 5), covering all information controllers in Korea bound by the Personal Information Protection Act (PIPA), with the exception of missionary activities, political party nominations, and most credit transactions.(3) So almost all processing of personal information by the private sector, and all processing by the public sector, is within the Decision. This contrasts with the Japan decision, which did not cover the public sector.
International Report subscribers please login to access the full article.
If you wish to subscribe please see our subscription information.