On September 27, 2021, the European Data Protection Board (“EDPB”) announced that it had adopted an opinion on the European Commission’s draft adequacy decision for the Republic of Korea (the “Opinion”).
In March 2021, the European Commission announced the successful conclusion of adequacy talks with the Republic of Korea, thereby launching the formal adoption process of the adequacy decision. As part of this process, the European Commission asked for the opinion of the EDPB.
In the Opinion, the EDPB concluded that there are key areas of alignment between the EU and Korean data protection frameworks, including on core provisions such as data protection, legal grounds for processing, purpose limitation, data retention, transparency, and security and confidentiality of personal data. The EDPB also identified certain aspects of the Korean data protection framework that require further examination and clarification. Among others, the EDPB made the following observations and recommendations to the European Commission:
Korean law exempts pseudonymized data from a number of provisions. Conversely, the EU General Data Protection Regulation (“GDPR”) provides exemptions for pseudonymized data only in limited circumstances, such as where the data is processed for statistics, scientific research or archiving in the public interest. The EDPB invited the European Commission to further assess the impact of pseudonymization and how it may affect the fundamental rights and freedoms of individuals whose personal data is transferred to the Republic of Korea under the adequacy decision.
Korean law provides a right to withdraw consent in specific circumstances only. The EDPB invites the European Commission to further assess the impact of this limited consent withdrawal right on the level of data protection provided by Korean law.
Korean law allows onward transfers from a Korea-based controller to a third country-based recipient with the data subject’s consent. The EDPB invites the European Commission to ensure that data subjects are appropriately informed about the third country to which their data will be transferred before consent is collected.
The EDPB shared concerns about the disclosure of personal data by telecommunication providers to national security authorities, as this may impact data subjects’ rights. The EDPB also recommended that the European Commission clarify that the interception of telecommunication data in bulk is not permitted (in light of recent case law of the European Court of Human Rights).
The EDPB also asked the European Commission to clarify the requirements to file a complaint with the Korean data protection authority, to ensure that individuals are provided with effective remedies and right of redress.