On June 16, 2021, the European Commission (“EC”) launched the formal procedure to make the decision on the adequate protection of personal data in South Korea (the “adequacy decision”). That day, the EC requested the required opinion from the European Data Protection Board (“EDPB”) on the adequate protection of personal data in South Korea, which was finally published on September 24.
Under the General Data Protection Regulation (“GDPR”), all transfers of personal data to third countries-i.e., countries outside the European Economic Area (“EEA”)-must fulfill some of the conditions laid down in chapter V of the GDPR, with the aim of ensuring a level of protection for transferred data equivalent to that afforded by EU regulations.
Under article 45 GDPR, the EC has the power to issue adequacy decisions determining whether a country outside the EEA offers an adequate level of personal data protection. After the EC issues an adequacy decision, there can be transfers of personal data to third countries without any further guarantees.
Consequently, the decision-making procedure for the adequacy decision involves an assessment by the EC of the legislation and practices of South Korean authorities regarding data protection and access to personal data.
The formal decision-making procedure also requires an opinion by the EDPB, which was published on September 24. The EDPB’s opinion supported the adoption of the adequacy decision for the transfer of personal data to South Korea.
In its opinion, the EDPB concludes that the South Korean data protection framework is very similar to the GDPR, since it includes (i) extensive legislation covering both the public and private sector; and (ii) supplementing sector-specific provisions.
The EDPB also highlights the efforts of the EC and South Korean authorities to ensure that South Korea offers a level of protection equivalent to the GDPR through the adoption of binding resolutions by the South Korean data protection authority, with the aim of filling the gaps between the GDPR and the South Korean data protection framework.
However, the EDPB also concludes that some aspects of the South Korean framework require fine tuning or clarification to ensure an equivalent level of protection.
The EDPB underlines that some of the aspects that need clarification under South Korean law include the right to withdraw consent only in specific circumstances, so it suggests that the EC further assess the impact of not having a general right to withdraw consent under the South Korean regulatory framework.
The EDPB also asks the EC to clarify (i)whether the complaints before the South Korean data protection authority or any judicial actions in South Korea related to data protection are subject to substantive or procedural requirements (the EDPB cites, e.g., the burden of proof); and (ii) whether EEA citizens could meet these requirements. According to the EDPB, it is necessary to determine whether South Korean law provides an equivalent level of protection to that of article 47 of the Charter of Fundamental Rights of the European Union. This provision, when applied to data protection matters, requires that data subjects be able to take action before a competent body that (i) can determine whether the data processing is taking place and whether the processing is lawful; and (ii) has enforceable remedial powers in case of an unlawful processing.
However, despite the requested clarifications, the EDPB’s favorable opinion is a significant development in the adequacy decision procedure. If the EC finally adopts it, it will be in place for four years and will strengthen the commercial relationship between EU Member States and South Korea.