On 24 November 2022, the Data Protection (Adequacy) (Republic of Korea) Regulations were laid before the UK parliament for approval. The Regulations are due to come into force on 19 December 2022. From then onwards, transfers of personal data to South Korea by organisations in the UK may be made without the need to put UK International Data Transfer Agreements (UK versions of the Standard Contractual Clauses) or other transfer tools in place with recipients of personal data in South Korea.
How are the UK Regulations different from the European Commission’s adequacy decision?
The UK government’s decision follows the adequacy decision granted to South Korea by the European Commission in December 2021. The European Commission’s decision excludes certain types of processing from the adequacy decision, such as the processing of personal data for missionary activities by religious organisations, processing for the nomination of candidates by political parties, and the processing of personal credit information. This is because the adequacy decision applies to all organisations in South Korea that are subject to the Korean Personal Information Protection Act (PIPA). The processing activities described above are excluded from the scope of PIPA and therefore, may not benefit from the same protections as apply to personal data governed by PIPA. By contrast, the UK adequacy status expands the scope of allowed data transfers allowing the exchange of credit information to “help UK businesses with a presence in the Republic of Korea to boost credit, lending, investment and insurance operations in the Republic of Korea”.
Which countries are next in line for adequacy status?
The UK government announced its plans to extend adequacy status to the US, Australia, Singapore, Colombia, and the Dubai International Financial Centre in August 2021 and appears to be making progress. However, so far it is following in the footsteps of the European Commission and has not independently granted adequacy status to a new territory. The next most anticipated adequacy decision expected from the European Commission is regarding data transfers to the US based on the Trans-Atlantic Data Privacy Framework, which is predicted to be issued in spring 2023. The UK government is conducting its own independent talks with the US government and if it follows the steps of ‘evolution’ rather than ‘revolution’, it is likely to grant the US adequacy status promptly after the European Commission has done so.
As a reminder, one of the UK government’s announced reforms to the data protection regime in the UK covers how adequacy status will be granted. According to the Data Protection and Digital Information Bill, the Secretary of State will have the power to grant a data adequacy status to a country if the standards are “not materially lower” than the standard of the UK GDPR (Article 45B). This is different from the “essentially equivalent” standard set for adequacy decisions by the GDPR (see recital 104).
The Bill has been on hold since the recent change of Prime Ministers in the UK. So, it remains to be seen whether we will see the lowering of the thresholds for adequacy assessments in the UK. There is a risk that such lowering of standards may impact the UK’s own adequacy status by the European Commission for transfers of personal data from the EU to the UK and onwards. The UK Information Commissioner assured the public that the decision-makers in the UK would like to retain the adequacy status. It remains to be seen whether the UK data protection laws remain within the strict boundaries of the EU’s adequacy decision.