Korean Privacy Law Updates: Adequacy Decision for Korea and Essential Equivalence with GDPR

The European Data Protection Board (EDPB) announced that it had adopted an opinion on the European Commission (EC)’s draft adequacy decision for the Republic of Korea (Korea) in September 2021. 

This established the essential equivalence of Korea’s data protection framework and practice to the European data protection regime. The EDPB’s review focused on the general aspects of the General Data Protection Regulation (GDPR). 

The key aspects of alignment between the EU and Korea include basic concepts of data protection (e.g., personal information, processing, data subject), grounds for lawful processing for legitimate purposes, data retention and transparency.


The significance of this change

The EDPB’s adoption of the opinion also meant that Korea moved a step closer towards the final adoption of the adequacy decision by the EC. Such adoption of the adequacy decision by the EC would allow the Korean businesses to transfer personal data from the European Economic Area (EEA) by compliance with the Korean data protection laws without separate compliance with the GDPR.


Changes and Limits to be in the future

Since the GDPR became effective in May 2018, the Korean businesses needed to review the data protection policies and practices to ensure compliance with both the Korean law and the GDPR where applicable. The GDPR provides for the regulations of transfers of personal data from the EEA to the countries outside the EEA. This includes requiring adequate safeguards, such as the standard contractual clauses. The violation of the GDPR could result in fines of up to €20 million (about $24 million) or 4% of annual global turnover whichever is higher. With that, the EC was empowered to recognize any country as providing an adequate level of data protection and to allow such countries free transfers of personal data from the EEA without additional safeguards which were otherwise required. 

Korea, therefore, has been seeking the adequacy decision and engaged in the process for a number of years. While the EC already recognized certain countries around the world, including Japan, the EU-US Privacy Shield Framework which had served the same purpose has been challenged and declared invalid by the Court of Justice of the European Union.


Conclusion

Although Korea has been making notable efforts and progress towards the adoption of the adequacy decision, there are some areas that require further assessment and clarification. 

For example, the EDPB pointed out that Korean law lacks limits on access to personal data by public authorities for law enforcement and national security purposes. The EDPB also noted that there were some exemptions from the obligations for processing pseudonymised information. 

The next steps in the adoption of the adequacy decision for Korea may be further policy alignment by the Korean authorities to be followed by approval from a committee composed of the representatives of the EU Member States.

Copyright ©2022 SEUM Law.