On 24 September 2021, the European Data Protection Board (EDPB) issued its opinion on the European Commission’s (EC) draft adequacy decision in respect of South Korea.

On 16 June 2021, the EC launched the procedure for the adoption of an adequacy decision for South Korea under the General Data Protection Regulation (GDPR), which would allow free transfers of personal data from the European Economic Area (EEA) to South Korea’s commercial operators and public authorities.

Overall, the EDPB found the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB’s review focused on both the general aspects of the GDPR (such as data protection concepts, transparency, data retention and grounds for lawful processing for a legitimate purpose) and also on the local laws allowing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. The EDPB also reviewed the Notification adopted by the South Korean data protection authority that was designed to fill gaps between the GDPR and Korean framework (Notification).

The EDPB pointed out some areas that need to be further assessed. The EDPB called on the EC to clarify certain aspects of the Korean data protection regime, such as (a) the binding nature, enforceability and validity of Notification; (b) the concept of pseudonymisation and exemptions that apply from a number of data protection provisions; (c) restrictions regarding withdrawal of consent; and (d) information provided to individuals in case of onward transfers. As for the processing of personal data by public authorities for law enforcement and national security purposes, the EDPB pointed out that the draft decision should contain specific circumstances and conditions for onward transfers of personal data transferred from the EEA for national security purposes.

Once the EDPB’s concerns are addressed, the next step in the adoption of the adequacy decision for South Korea is the approval from a committee composed of representatives of the EU Member State countries.

Background: Adequacy decisions

The GDPR applies to controllers and processors within the EEA and restricts transfers of personal data to countries outside the EEA (third countries). Any transfers to third countries require taking adequate safeguards prescribed by the GDPR, for example, putting standard contractual clauses in place. However, the EC has the power to determine whether a country outside the EEA offers an adequate level of data protection to allow free transfers of personal data from the EEA.

The EC has so far recognised Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay. And earlier this year, it adopted two adequacy decisions for transfers of personal data to the United Kingdom.