On September 28, 2021, the European Data Protection Board (“EDPB”) issued its opinion on the European Commission’s (“Commission”) draft decision on the adequate protection of personal data in the Republic of South Korea.  Once the Commission approves the decision, it will allow for personal data to flow freely from the EEA to commercial operators and public authorities in South Korea, without the need to implement other transfer mechanisms provided in the General Data Protection Regulation (“GDPR”), such as standard contractual clauses.

The EDPB’s opinion is overall favorable with respect to the Commission’s finding that South Korea’s data protection laws offer a level of protection essentially equivalent to that provided by the GDPR.  In particular, the EDPB highlights that there are “numerous similarities” between the South Korean data protection laws (which include the Personal Information Protection Act (PIPA), its adjoining Enforcement Decree, and Notification No. 2021-1) and the European data protection framework, in particular the GDPR.

That said, while the EDPB shared the Commission’s overall affirmative adequacy view of South Korea, it added that “there are certain aspects that may require a closer look and clarification”.  For example, the EDPB asks for clarification on certain terms used in South Korea’s data protection laws, such as the meaning of “commercial organizations” that are subject to the South Korean Data Protection Authority’s oversight, as well as clarification on whether the adequacy decision covers transfers to processors in South Korea.

In addition, the EDPB asks the Commission to take a closer look at the special rules for processing pseudonymous data and for secondary processing, in order to assess the impact that these rules have on data subjects’ fundamental rights and freedoms.  The EDPB further points out that, in contrast with the GDPR, South Korea’s data protection laws do not provide for a general right to withdraw consent, nor do they include provisions on automated decision-making.  The EDPB therefore asks the Commission to evaluate how and to what extent these differences might impact its adequacy assessment.

The EDPB’s opinion includes a detailed assessment of the Commission’s findings with respect to access to personal data by South Korean public authorities.  In particular, the EDPB highlights the existing (legal?) safeguards that apply in the context of government interception of communications between and among South Koreans, as well as the restrictions that limit government interception of communications originating outside of South Korea.

Finally, similar to the UK adequacy decision, the EDPB highlights the importance of the Commission’s responsibility to continue to monitor the case law and legislative developments in South Korea after the adoption of the adequacy decision, and reassess its decision as necessary (the first reassessment will be due in 4 years from the date of the formal adequacy decision).

On September 28, 2021, the same day that the EDPB’s opinion was published, South Korea introduced a bill amending the PIPA, which, among others, includes provisions on automated decision-making and on transfers.  These amendments may help the Commission address some of the EDPB’s concerns.

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty…

Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of the Justice of the EU.

Kristof is admitted to practice in Belgium.

Photo of Anna Oberschelp de Meneses Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate…

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.