EDPB opinion on the draft adequacy decision for South Korea confirms essential equivalence for cross-border transfers but requires further clarifications

In the Opinion, the EDPB confirmed that key aspects of the Korean data protection framework are essentially equivalent to the European data protection framework, and recognised the work of the European Commission and Korean authorities to further align two systems, including in the Notification No 2021-1 adopted by the Korean supervisory authority (Korean DPA).  

However, the EDPB has also concluded that, prior to adoption of the adequacy decision by the European Commission, certain aspects would require further assessment and clarification to ensure that the essentially equivalent level of protection is met. The key aspects the EDPB has asked to be clarified include:

• the binding nature, the enforceability and validity of Notification No 2021-1, which in essence only interprets various provisions of the Personal Information Protection Act (PIPA). The EDPB also wants assurance that the Notification will be applied not only by the Korean DPA but also by courts;
• the exemptions under Korean data protection law from a number of obligations when processing pseudonymised information (i.e. in relation to individual data subject rights and data retention); 
• that the adequacy decision will cover transfers from the EEA legal framework to “processors” in Korea, as well as “personal information controllers” falling under the scope of the PIPA;
• the impact of limited grounds to withdraw consent under Korean law and further assurances that an essential level of data protection is guaranteed at all times; 
• onward transfers, including:
  •  that individuals who have provided informed consent will be informed about the third country to which their data will be transferred, and the associated risks;
  • that personal data will not be transferred from Korean personal information controllers to a third country in any situation where valid consent under GDPR could not be provided (e.g. because of an imbalance of power);
  • whether onward transfers in the area of national security, in the absence of specific legislation on this issue,  will be sufficiently protected by the overarching constitutional framework (with its principles of necessity and proportionality) and the core data protection principles under the PIPA.
    
    
• access by public authorities to data transferred to the Republic of Korea: a number of aspects require clarification or raise concerns:
  •  data processing in the area of national security is subject to a more limited set of provisions enshrined in PIPA; 
  •  provisions of PIPA that telecom providers, when disclosing personal information to national security authorities voluntarily, must notify the concerned individual when they voluntarily comply with a request;  and
  • in relation to effective remedies and redress, the EDPB asks the European Commission to clarify whether a complaint with the Korean DPA or any action before a court is subject to substantive and/or procedural requirements, such as a burden of proof, and whether EEA individuals would be able to meet such precondition.

The EDPB also recommended that the European Commission closely monitor any developments on these and other key aspects of the adequacy decision.

A detailed overview of the Korean data protection framework and the Notification, as well as further clarifications on the position of the EDPB, are included in the Opinion, available here. The EDPB press release is available here. The draft adequacy decision of the European Commission is available here.