European Commission Adopts Adequacy Decision for the Republic of Korea
On 17 December 2021, the European Commission announced in a joint statement with the Personal Information Protection Commission (the data protection authority in the Republic of Korea, “PIPC”) that it had adopted an adequacy decision for the Republic of Korea, also known as South Korea. The adequacy decision is effective from 17 December 2021 and means that personal data can flow freely between the EU and South Korea without the need for further authorisations or additional tools, such as the Standard Contractual Clauses. The European Commission believes the decision “builds on the strong protections for Europeans under Korean law when their data is transferred”. Along with the joint statement, the European Commission also published a set of Q&As.
A key element of the adequacy discussions was the reform of the South Korean privacy legislation, i.e. the Personal Information Protection Act (“PIPA”). The reform of PIPA, amongst other things, strengthened the investigatory and enforcement powers of PIPC and confirmed the importance of an independent data protection authority vested with effective powers as a central component of a modern data protection system. Independent and effective authorities are a key pillar of ensuring protection of personal data in the EU.
In addition to the reform of PIPA, in order to agree the adequacy decision, the European Commission and PIPC also negotiated several safeguards that will increase the protection of personal data processed in South Korea. These safeguards provide for stronger protection of personal data, for example with respect to transparency and onward data transfers. A further key point agreed in the adequacy decision relates to the redress rights of EU individuals: the adequacy decision makes it possible for EU individuals to lodge complaints before the PIPC with the support of their national data protection authorities. Whilst showing support for individuals, this move also demonstrates the collaborative approach that has been taken by the data protection authorities.
It is worth noting that the UK’s data protection authority, the Information Commissioner’s Office (“ICO”), has not yet publically commented on the adequacy decision. However, if the ICO responds as is expected based on its approach to existing adequacy decisions, it will most likely recognise the adequacy decision as with regards transfers from the UK to South Korea and engage in discussions with PIPA to ensure transfers between the UK and South Korea can take place efficiently and in accordance with the UK GDPR.
As the list of adequacy decisions continues to grow, with South Korea and the UK both being added in just one year, it highlights the question of whether this is something we will continue to see more frequently in coming years. Given the enhancements to privacy laws being considered globally and the scrutiny around international transfers from the EU, it is quite possible that other countries will be looking to agree adequacy decisions in the near future with a view to ensuring the continued flow of data from the EU.