Greetings from Brussels!

This week the EDPB adopted its opinion on the European Commission’s draft adequacy decision for South Korea. For background, the process toward adoption was launched by the European Commission back in June. The draft decision covers transfers of personal data to both commercial operators as well as public authorities. The adequacy decision is also intended to complement the existing EU-Republic of Korea Free Trade Agreement and boost bilateral trade, which is worth in the region of 90 billion euros presently. Striking an adequacy deal has important implications for the EU’s overall relationship with South Korea and Asia generally, particularly for the development of digital services.

Overall, the EDPB was positive in its assessment, finding the central aspects of South Korea’s data protection framework to be essentially equivalent to the European data protection framework. The EDPB reported focusing on general aspects of the GDPR, as well as access to personal data emanating from EEA countries for the purposes of law enforcement and national security. This also included an assessment of legal remedies available to EEA country citizens and jurisdictional safeguards under South Korean law.

It is worth noting that in South Korea, the processing of personal data is governed by the Personal Information Protection Act which, according to the European Commission, provides similar principles, rights and obligations as provided under EU law. One of the major factors in the advancement of the adequacy talks was last year’s reform of the PIPA, which reinforced the investigatory and enforcement powers of the South Korean Personal Information Protection Commission. The reform that went into force in August 2020 was seen by many as a demonstration of the authority’s enhanced independence, as well as a significant development in what concerns the global dialogue on convergence of shared principles for data protection in the modern era.  

EDPB Chair Andrea Jelinek said, “A high level of data protection is essential to support our long-standing ties with South Korea and to safeguard the rights and freedoms of individuals. While we underline that core aspects of the Korean data protection framework are essentially equivalent to those of the European Union, we call on the Commission to further clarify certain aspects and to closely monitor the situation.”

The EDPB called on the commission to clarify and monitor several aspects of the Korean data protection regime such as the binding nature, enforceability and validity of (breach) notifications (Notification 2021-1). Another reservation articulated by the EDPB — in relation to the PIPA — is the absence of limits on access to personal data by law enforcement agencies, in addition to the limited provisions governing data processing in what concerns national security issues. However, it was also noted South Korea’s constitution enshrines some essential safeguards and data protection principles, which are applicable to the public authorities in these areas.

In areas of more traditional data protection parlance, the EDPB also asked for clarifications on South Korean provisions for pseudonymized data, limitations to withdraw consent, reliance on consent for onward transfers and information provided to data subjects regarding such transfers.

While the EDPB’s opinion is non-binding, it does inform the commission adoption process for an eventual adequacy decision. The next step is for the EU member states to weigh in with their approval before the commission can put ink to the deal.