How South Korea became an adequate country in regards to data privacy
The 17th December 2021, South Korea became the newly member of a very select club of countries regarded by the European Union (EU) as adequate, in regards to personal data protection. Far from a simple badge of honour, this decision authorise European data to freely flow from the EU to South Korea, with little use of additional safeguards. At the root of this decision, the recent changes made by the South Korea legislators to the « Personal Information Protection Act » (PIPA) and the « Personal Information Protection Commission » (PIPC) were definitely the tipping point that made the European Commission consider this country as adequate.
The amended PIPA, a South Korean version of the GDPR
An adequacy decision doesn’t require the legislations of the third country to be identical to those in the EU, not even the GDPR. It only needs to guarantee a level of protection that is comparable to the EU. As such, the PIPA is not a carbon copy of the GDPR, but its core concepts and principles are vastly similar.
Among other things, this Act includes an obligation for the South Korean data handlers to collect and use data with fairness, lawfulness and transparency. They need to document which data are collected and/or used and justify their purpose. These data are subject to storage limitation and need to be destroyed once the aforementioned purpose is fulfilled.
Moreover, the persons whose data are being handled can give and withdraw their consent, and they need to be informed of the usage of their personal data, before they are collected by the respective data handlers.
A reinforced PIPC, detached from the executive branch
If the South Korean companies don’t comply with this regulation, they risk heavy sanctions from the PIPC.
This central administrative agency benefitted the most from the 2020 amendments. Its powers of investigation and enforcement were vastly improved, and its independence was strengthened.
Not unlike the French CNIL, or the European Data Protection Board, the main purpose of the PIPC is to oversee the application of the data protection regulation, to advise companies and the government on privacy issues and to take sanctions if the PIPA is not strictly followed.
Even if the PIPC is still established under the Prime Minister, its independency is assured by the PIPA, in order to be a neutral arbiter of the questions in relation to the protection of personal information.
Some additional safeguards for European personal data
Before an agreement between the European Commission and South Korea was reached, a few additional safeguards were specially given, in order to meet the level of safety needed to authorise the free flow of European data to South Korea.
Those safeguards, such as a reinforced obligation of transparency requiring South Korean data handlers to inform European citizen that their data is transferred to that country, can be enforced by the PIPC or by South Korean courts.
Thus, and unlike other countries, it seems that South Korea was able to work in good faith with the European Commission, in order to draft a well-thought agreement, permitting the safe transfer of personal data from the EU, an agreement which will benefit the companies of both countries, and bolster their digital markets.
Welcome to the club, South Korea, it will be our pleasure to do business with you.