EU privacy watchdogs’ important caveats for data transfers with South Korea

A data adequacy decision recognises a level of data protection comparable of that provided by the European privacy law GDPR. [Shutterstock]

The EU data protection authorities issued a non-binding opinion on Monday (27 September) on the level of adequacy of South Korea’s privacy law compared to EU rules, providing an overall positive assessment that some analysts said fell short of expectations.

The European Data Protection Board (EDPB) considers the Asian country to be largely aligned with Europe in its data protection framework, notably in terms of key concepts, the grounds for lawful processing of personal data, the limitation of data processing to the declared purpose, the quality of data and how long it can be retained, transparency and confidentiality.

“The EDPB’s opinion gives an overall positive assessment of South Korea’s data protection regime. It looks likely that the adequacy decision will be adopted. But there are some caveats around national security exemptions and the remedies available to data subjects,” said Robert Bateman, an analyst and research director at GRC World Forums

A key area of reservation for the EDPB is that South Korea’s data protection law does not place any limits on access to personal data by law enforcement. The EDPB questions in particular the Notification No. 2021-1, the interpretation of Korean Privacy laws by the authorities seeking to provide some guarantees to transfers from the European Economic Area.

Charles-Albert Helleputte, head of the EU data and privacy at Steptoe law firm, and Diletta De Cicco, a Steptoe’s privacy associate, warned that the binding nature, enforceability and validity of the notification, especially before Korean courts, “has the potential for another safe harbour/privacy shield saga, on the other side of the world.”

By contrast, Bateman pointed to the fact that the Board is reassured that South Korea’s constitution provides some safeguards against unfettered law enforcement access to personal data.

The EDPB itself highlighted some deficiencies of the Korean privacy regimes, in particular the unparallel regime for pseudonymised data, limited ability to withdraw consent, reliance on consent for onward transfers, some definitional issues around ‘processors’, lack of protection in relation to automated decision making.

The EDPB also called on the European Commission to monitor any developments that might affect the independence of the South Korean supervisory authority, specifically in terms of the human and financial resources made available to it.

“It looks to me like there is still a lot of work to do by both the European Commission and the Korean authorities to align the Korean legal framework with the European one,” said legal expert Maciej Jankowski, who believes the adequacy procedure might last months or even years.

For Steptoe’s Helleputte and De Cicco, the EDPB’s opinion has fallen short of its mandate. “Tasked to identify proposals to remediate deficiencies, the EDPB mainly and primarily suggests to monitor the application of the rules in Korea,” the two lawyers told EURACTIV, suggesting this might lead to the EU Court of Justice to step in again.

The European Commission is now expected to seek the approval of EU member states before finalising the adoption of the adequacy decision.

Report: Europe may lose €2 trillion in 10 years if uncertainty over data transfers continues

Restricting data flows in Europe might lead to economic damage worth €2 trillion by 2030, roughly the size of Italy’s economy, and result in two million fewer new jobs, a new industry study has warned.

[Edited by Zoran Radosavljevic]

Subscribe to our newsletters