A New Framework for Transfers of Personal Data – EU and Korea Conclude Adequacy Decision Talks
On 30 March 2021, the European Commission, in a joint statement with the Personal Information Protection Commission, the data protection authority of the Republic of Korea (Korea), declared that Korea ensured a level of protection for personal data that is similar to the level provided in the European Union (the EU) and, as such, is a jurisdiction deemed “adequate.” Further to this joint declaration, the European Commission completed its internal procedures and formally adopted the substance of this joint statement in a draft adequacy decision published on 14 June 2021. Once finalized, businesses will be allowed to transfer personal data freely from the EU and European Economic Area (EEA) to Korea without being required to provide further safeguards as required for “third country transfers” under the EU General Data Protection Regulation 2016/679 (GDPR). Once so adopted, the adequacy decision would cover transfers of personal data to commercial operators located in Korea, as well as Korean public authorities. However, the transfer of personal credit information that is subject to the jurisdiction of Korea’s Financial Services Commission will be excluded from the coverage of the adequacy decision.
The adequacy decision only relates to the transfer of personal data from the EU/EEA to a recipient in Korea, but it does not cover the general applicability of GDPR. In this context, any company (even outside the EU/EEA) that directly collects personal data from EU residents in connection with offering goods or services or monitoring the behavior of EU residents will still need to comply with the obligations set out in the GDPR for its collection of personal data. Also, significantly, the adequacy decision only covers data flow in one direction, from the EU to Korea, but not in the opposite direction, i.e., from Korea to the EEA. As noted below, barring any further statutory amendments, Korean privacy laws still require data handlers to obtain the consent of data subjects (as opposed to an opt-out) prior to transferring their personal data outside of Korea.
The conclusion of adequacy talks between Korea and the European Commission is a major step in their ongoing four-year dialogue regarding mutual recognition of personal data protection regimes. Korea has been preparing for this adequacy decision since 2015, when the Korean government established a joint public-private sector task force, which was charged with conducting data regulation-related feasibility studies, self-assessments, and comparative analyses in preparation for the first round of adequacy negotiations with the EU in 2017. After two extensive rounds of adequacy negotiations between the representatives of the European Commission and Korea ended without an adequacy finding, Korea decided to make significant amendments to its data protection laws. Such amendments were enacted by the National Assembly, Korea’s national legislature, in January 2020 and became effective in August 2020, thus paving the way for the March 2021 joint statement.
EU: GDPR Framework
Since 25 May 2018, the privacy framework in the EU has been governed by GDPR, imposing strict obligations on public and private bodies collecting and processing personal data, taking into account EU core civil rights principles. As GDPR only applies directly to such entities with an establishment in the EU or where a foreign entity offers services to individuals in the EU or monitors the behavior of individuals in the EU, applicability of GDPR to bodies outside the EU is limited. To ensure that the level of protection for personal data cannot be circumvented by transferring personal data from the EU to third countries without a substantially comparable standard of data protection, GDPR requires additional safeguards for such transfers of personal data. This can be achieved by a so-called adequacy decision by the European Commission confirming that the legal framework in a third country provides for an adequate level of data protection (Adequacy Decision). Where such an Adequacy Decision does not exist, EU companies need to implement additional bilateral safeguards (the most prominent example being the EU Standard Contractual Clauses – see our alert here), rely on ecosystem-wide rules (such as Codes of Conduct – see our alert here), or on certain statutory derogations. While such derogations only apply in very limited scenarios and the reliability of the EU Standard Contractual Clauses has been questioned by the Schrems II Decision of the Court of Justice of the European Union (see our alert here), an Adequacy Decision forms the most reliable and seamless basis for companies intending to transfer personal data to a third country. However, the process for an Adequacy Decision can be long and complex as the EU Commission has to assess in detail the privacy framework in the respective third country as well as its implementation and enforcement in practice.
So far, only a few countries have been able to obtain such a decision, namely Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay (process for the United Kingdom still pending but expected before the end of June 2021). With Korea now entering this limited circle, data transfers between the EU and Korea will become much easier and boost commercial relationships between the two.
Korea: PIPA Framework
Prior to the conclusion of adequacy talks, there were significant changes made to Korea’s data privacy regime during the year 2020. In particular, on 9 January 2020, the National Assembly passed amendments to the three major data privacy laws: the Personal Information Protection Act (PIPA), the Act on the Promotion of Information and Communications Network Utilization and Information Protection, and the Act on the Use and Protection of Credit Information. The amendments collectively led to the following changes to the country’s data privacy regime:
Minimizing the burden of redundant regulatory activities and confusion among regulated persons stemming from previously overlapping data privacy regulations and multiple supervisory bodies,
Developing a “data economy” by introducing the concept of “pseudonymized data” and a legal basis on which data may be used in a more flexible way to an extent reasonably related to the original purpose of collection,
Ultimately bringing Korea’s data privacy regime more in line with the tenets of GDPR in order to meet the requirements of an Adequacy Decision.
We repeat our note above that, while the EU-Korea Adequacy Decision directly impacts data transfers from the EU to Korea, transfers of personal data of Korean data subjects from Korea to the EU (or any other jurisdiction) will remain restricted and still be subject to Korean privacy laws, barring further statutory amendments in Korea. The amended PIPA specifically requires data handlers to obtain the consent of data subjects prior to transferring their personal data outside of Korea. Therefore, it will be important to closely monitor changes in Korea to the related implementing regulations and public notices for the foreseeable future while also keeping abreast of the status of the final Adequacy Decision.
The European Commission will now commence the decision-making procedure, with the stated goal of adopting the EU/Korean Adequacy Decision in the upcoming months.
Since each of the EU member states has given its approval, the adoption of an Adequacy Decision will now require an initial recommendation by the European Commission, an adequacy opinion from the European Data Protection Board (expected later this summer or this year), and final adoption of the decision by the European Commission. The Korean government is said to be hopeful that a final Adequacy Decision can be obtained in the second half of 2021.