On 17 December 2021, the European Commission (the Commission) adopted an adequacy decision for South Korea. This means that free transfers of personal data from the European Economic Area (EEA) to private and public entities in South Korea will be permitted from that date onwards (including remote access from South Korea).
The Commission’s adequacy decision recognises that South Korea has essentially equivalent levels of protection for personal data, and transfers to South Korea can be made as if they were transfers to another EEA country with no requirement for additional transfer tools or conditions or authorisations from data protection regulators in the EEA. The Commission has the power granted to it under Article 45 of the General Data Protection Regulation (GDPR) to adopt an adequacy decision in relation to a third country based on a comprehensive analysis of the third country’s laws and practices.
South Korea undertook reforms of its data protection legislation in 2020 to ensure it had an independent supervisory authority to enforce data protection rules. As part of the adequacy talks, additional requirements were imposed by the Commission in connection with transparency and onward transfer obligations of data recipients in South Korea. The issue of potential access of public authorities to personal data in South Korea was also addressed, and changes were made to ensure data subjects in the EEA have redress mechanisms available in the event of any unlawful requests, including an ability to lodge complaints with South Korea’s data protection regulator, the Personal Information Protection Commission.
The adequacy decision does not affect the obligations of the controllers or processors in South Korea that are directly subject to the GDPR. They will need to continue to ensure compliance with their obligations in line with the GDPR.
The adequacy decision does have limitations and excludes certain types of processing:
“The processing for missionary activities by religious organisations; for the nomination of candidates by political parties, or the processing of personal credit information pursuant to the Credit Information Act by controllers that are subject to oversight by the Financial Services”.
Unlike the adequacy decision granted to the UK, there are no sunset provisions in the adequacy decision for South Korea. Whilst the Commission will review its adequacy decision against any changes in the laws of South Korea every four years (with the first review to take place in three years), there is no time limitation to the adequacy decision as such.
The list of countries with the Commission’s adequacy decisions has now increased to 14: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK and Uruguay.
A lot of countries globally recognise the Commission’s adequacy decisions to allow free transfers of personal data. Following the UK’s departure from the EU, the UK adopted the Commission’s adequacy decisions that were in force at the time of Brexit. It remains to be seen whether the UK will recognise South Korea as an adequate territory following the Commission’s adequacy decision.