WIREDGOV

The Commission yesterday launched the process towards adoption of the adequacy decision for the transfer of personal data to the Republic of Korea. It will cover transfers of personal data to the Republic of Korea's commercial operators as well as public authorities. If adopted, this decision would provide Europeans with strong protections of their personal data when it is transferred to the Republic of Korea. At the same time, it would complement the EU-Republic of Korea Free Trade Agreement (FTA) and boost cooperation between the EU and the Republic of Korea as leading digital powers. The trade agreement has led to a considerable rise in bilateral trade of goods and services. Ensuring the free flow of personal data to the Republic of Korea through an adequacy decision based on a high level of data protection will support this trade relationship worth nearly € 90 billion.

The draft adequacy decision was published and transmitted to the European Data Protection Board (EDPB) for its opinion. In the past months, the Commission has carefully assessed the Republic of Korea's law and practices on personal data protection, including the rules on access to data by public authorities. It concludes that the Republic of Korea ensures an essentially equivalent level of protection to the one guaranteed under the General Data Protection Regulation (GDPR).

Věra Jourová, Vice-President for Values and Transparency, yesterday said:

“This agreement with the Republic of Korea will improve the protection of personal data for our citizens and support business in dynamic trade relations. It is also a sign of an increasing convergence of data protection legislation around the world. In the digitalised economy, free and safe data flows are not a luxury, but a necessity.”

Didier Reynders, Commissioner for Justice yesterday said:

”Two years ago, we created the world's largest area of free and safe data flows with Japan. Soon the Republic of Korea should follow – another important partner in East Asia and another big achievement. The Republic of Korea has a strong track record in the area of data protection. The fact that the EU and the Republic of Korea have similar privacy standards is beneficial to both companies and citizens.”

Key elements

In the Republic of Korea, the processing of personal data is governed by the Personal Information Protection Act (PIPA), which provides similar principles, safeguards, individual rights and obligations as EU law. A major step in the adequacy talks was the recent reform of PIPA, which strengthened the investigatory and enforcement powers of the Personal Information Protection Commission (PIPC), the independent data protection authority of the Republic of Korea. This reform entered into force in August 2020. It confirms the importance of an independent data protection authority vested with effective powers as a central component of a modern data protection system as well as a key element of the growing international convergence in privacy standards.

As part of the adequacy talks, the two sides also agreed on several additional safeguards that will increase the protection of personal data processed in the Republic of Korea. These safeguards will provide for stronger protection with respect, for example, to transparency, sensitive data and onward data transfers. These rules will be binding and enforceable by the PIPC.

As regards possible access to data by public authorities of the Republic of Korea, in particular for law enforcement and national security purposes, the framework established under the adequacy decision will notably rely on the strong oversight role of the PIPC and facilitate EU individuals' access to redress.

Click here for the full press release