Successful Conclusion of Adequacy Talks between the Republic of Korea and the European Union

On March 30, 2021, the Personal Information Protection Commission (PIPC) and the European Commission jointly announced the successful conclusion of adequacy talks between the Republic of Korea (Korea) and the European Union (EU).  

By obtaining recognition from the EU that it can provide an ‘adequate level of protection’ for personal information, Korea will be joining other countries such as Canada, Israel, Japan, and Switzerland which have already received an adequacy finding.  The European Commission, which is the executive branch of the EU, confirmed that it will now launch the decision-making process to formally adopt the adequacy finding in the coming months by obtaining an opinion from the European Data Protection Board and approval from representatives of the EU Member States.  Once formally adopted, the finding of adequacy is expected to greatly facilitate the flow of personal information from the EU to Korea which will be able to take place without further safeguards (e.g., standard contractual clauses, binding corporate rules, etc.) being necessary.

Supplementary Rules for Data Processing Related to the Adequacy Decision

In parallel to the adequacy talks, the PIPC promulgated a set of special regulations (Supplementary Rules) to come into effect once the adequacy decision is formally adopted by the EU.  The Supplementary Rules aim to bridge various differences between the respective data protection regimes of Korea and the EU by clarifying the interpretation of Korean data protection laws in regards to the processing of data in Korea after its transfer from the EU on the basis of the adequacy decision.  Some notable aspects of the Supplementary Rules have been summarized below.

1. The purpose limitation principle (i.e., data must not be processed beyond specified purposes) under the Personal Information Protection Act (PIPA) will apply to the processing of all personal information which takes place in Korea irrespective of the nationality of the data subjects of such personal information.
2. In principal, controllers in Korea who receive the personal information of data subjects in the EU must notify such data subjects of certain information when their personal information is (i) initially transferred from the EU to Korea on the basis of the adequacy decision and (ii) transferred again to another third party (either in Korea or a third country) following initial transfer from the EU except in several exceptional cases including when the data subjects already have such information.
3. Data handlers which process pseudonymized personal information without consent for purposes including statistical compiling, scientific research, and record preservation for the public interest, must either destroy or anonymize such information if they continue to process such information data even after the specific purposes for which the pseudonymized personal information is processed is achieved.
4. Article 3 (Principles for the Protection of Personal Information), Article 4 (Rights of Data Subjects), and Article 62 (Data Breach Reporting) of the PIPA to clearly apply even in cases where personal information needs to be processed for purposes related to national security.

Implications

The finding of adequacy by the EU will facilitate the exchange of personal information between the EU and Korea.  It should be noted, however, that financial information and credit information processed by financial institutions will be outside the scope of the adequacy finding because the processing of such information will be supervised by the Financial Services Commission, which is a separate supervisory authority from the PIPC.

Also, to gain a fuller picture of possible data transfers between the EU and Korea in the future, it would be worth reviewing the recently announced amendments to the PIPA proposed by the PIPC. Among other things, the proposed amendments seek to expand the legal bases pursuant to which data handlers in Korea may conduct cross-border transfers of personal information without consent – including in cases where such cross-border transfers are to jurisdictions/international organizations that have been specifically recognized by the PIPC as having essentially equivalent levels of data protection as Korea.  If the aforementioned portion of the proposed amendments become law then the cross-border transfer of personal information, both to and from Korea, can be expected to take place more freely based on a reciprocal finding of adequacy for the EU by the PIPC. Therefore, companies which are likely to be affected by these latest changes are advised to continue monitoring related legislative developments.

If you have any questions regarding this article, please contact below:

Kwang Bae PARK (kwangbae.park@leeko.com)

Sunghee CHAE (sunghee.chae@leeko.com)

Jaeyoung CHANG (jaeyoung.chang@leeko.com)

For more information, please visit our website: www.leeko.com