#Korean Company A having a branch office in Europe is running a Korean merchandise shopping agency targeting European consumers. Since they had difficulties in analyzing consumer information required for selecting desirable products, they requested an analysis from their head office in Korea. However, the Standard Contractual Clauses (SCC) need to be utilized to transfer European consumer information to Korea. As infringements of any local law is subject to administrative fines up to 4% of the total sales, they feel the burden in terms of time and costs.

Five years after the EU GDPR adequacy decision was launched in January 2017, the Republic of Korea was certified for the system. As a result, enterprises like Company A can now easily obtain European consumer information.

On December 17, 2021 at 6 PM (KST), adequacy decision for the Republic of Korea was adopted based on the General Data Protection Regulation (GDPR) of the European Union (EU). It means that the EU acknowledges that Korea’s personal information protection policy is on a par with the GDPR. As a result, Korean enterprises have a status equivalent to the EU member states. Companies are now exempted from preexisting complicated procedures such as the SCC. In addition, they can transfer EU citizens’ personal information to Korea without additional certification or procedures.

The General Data Protection Regulation (GDPR), which is the personal information protection act of the EU that took effect on May 25, 2018, applies to all enterprises running business targeting the EU. By adding the content about the designation of a data protection officer (DPO), impact assessment, etc., it has strengthened companies’ responsibilities. In addition, the GDPR strengthened data subjects’ rights by adding or reinforcing the right to restriction of processing, the right to data portability, the right to erasure, and the right to object profiling. In all the member states, infringements of the personal data protection provisions are subject to administrative fines up to 4% of the total worldwide annual turnover. As such, they are protecting personal data through such strict penalty provisions.

The GDPR adequacy decision is a program that certifies whether a non-EU member state’s personal information protection system is on par with that of the EU. Adequacy decision-certified states are designated after evaluating whether the country has a similar level of personal data protection system to the EU. Certified states can freely transfer EU citizens’ personal data as the EU member states do.

Although the GDPR adequacy review on the Republic of Korea began in January 2017, the consultation was suspended twice due to noncompliance with the “independence of a supervisory authority on personal data” which is one of the requirements. As the Personal Information Protection Commission (PIPC) was expanded and launched as an independent supervisory authority with last year’s amendments to the three data acts, discussion has resumed and consultation has rapidly progressed. 

The Republic of Korea and the EU have had over 60 meetings including video conferences for the past five years for an in-depth review on the Korean government agencies’ duties and relevant acts such as the Personal Information Protection Act. As a result, it has been confirmed that the personal data protection system of the Republic of Korea is on par with the EU's GDPR. The European Data Protection Board (EDPB) mentioned the excellence of Korea’s legal systems, highly regarding the Korean government’s efforts for narrowing the differences between the Korea and EU’s legal systems through the Personal Information Protection Commission’ notification, establishment, and revision. Korea’s adequacy decision was unanimously approved at the comitology of the European Commission.

EU Adequacy Decision Procedure

The European Commission conducts three phases: initial decision, opinion collection, and final decision.

Phase 1 (initial decision)

European Commission (Administrative Body)

Officialize the adoption of initial decision (Mar. 30)

Publish a draft of written decision (Jun. 16)

“The adequacy decision was made on the basis of the Republic of Korean and the EU’s common will to conduct high standards of information protection and Korea’s excellent personal information protection systems,” said Yoon Jong-in, chairperson of the PIPC, and Didier Reynders, European Commissioner for justice. 

An official from the PIPC said, “It shows that strengthened personal information protection can contribute to revitalizing international trade. We will reinforce cooperation between the Republic of Korea and the EU in the digital area by improving the Korea-EU Free Trade Agreement (FTA).”

Korean enterprises running business in the EU member states had to examine the GDPR and local acts thoroughly and conclude a SCC through the inspection and administrative procedures in order to transfer EU citizens’ information to Korea. This process required at least three months and costs between KRW 30 million and KRW 100 million. Furthermore, administrative fines might be imposed on enterprises in case of infringements of the relevant regulations. In addition, small and medium enterprises had to give up expanding their businesses to the EU member states since it was difficult to conclude a SCC.

By obtaining GDPR adequacy decision, the Republic of Korea now has a status equivalent to that of the EU member states in transferring personal data abroad and is exempted from preexisting complicated procedures. Accordingly, more Korean companies are expected to expand their business to the EU member states. In particular, it is predicted that Korean data analysis companies will make inroads into the European market. 

According to a press release of the PIPC, German Company A originally wanted to ask a Korean company to conduct an analysis on the personal data of their customers for establishing marketing strategies, but they had to request only a limited research due to the local authority’s complicated approval process for personal data transfer. After adequacy decision, however, Company A can establish their marketing strategies more smoothly since they are now able to transfer data to Korean companies without complicated procedures such as the SCC.

It should be noted that it only reduces the burden of the duty related to overseas data transfer and there still are business operators’ obligations to comply with the GDPR including the collection and processing of EU citizens’ personal data. 

The PIPC predicts that the domestic data economy will be more revitalized with the strengthened data exchange and cooperation between Korean and EU enterprises. Unlike adequacy decision on Japan, which was limited to private data transfer, the adequacy decision on the Republic of Korea applies to public data as well, which is expected to strengthen the cooperation between the Korean and EU governments in the public sector. The PIPC will work on additional international negotiation for the transfer of personal information from non-EU member states, selecting the UK as its first target. 

Companies subject to the application of the GDPR

Operates a business premises in an EU member state and processes personal data

Provides goods and services for residents of the EU member states

Monitors the behaviors of residents of the EU members states

*GDPR application depends on whether they “reside in the EU member states,” instead of their “nationality.”

→ Therefore, if personal data of those with EU member state nationality is collected or processed in the Republic of Korea, the GDPR does not apply. On the other hand, if Korean nationals’ information is collected or processed in any EU member state, they are considered EU residents and the GDPR applies.

*It applies when the EU market is “clearly” considered. Simple accessibility is not deemed grounds for the application of the GDPR.

Source & Reference

Press release of the PIPC, Korea Passes the Final Adequacy Decision of EU

KISA GDPR Response Support Center