Joint Statement by Commissioner Reynders and Yoon Jong In, Chairperson of the Personal Information Protection Commission of the Republic of Korea

Met dank overgenomen van Europese Commissie (EC) i, gepubliceerd op dinsdag 30 maart 2021.

In their call today, Commissioner for Justice Didier Reynders i and Chairperson of the Personal Information Protection Commission Yoon Jong In welcomed the successful conclusion of the adequacy talks between the European Union and the Republic of Korea.

The adequacy dialogue confirmed the high degree of convergence between the European Union and the Republic of Korea in the area of data protection, which increased further with the recent entry into force of the new Personal Information Protection Act in the Republic of Korea and the strengthening of the powers of the Personal Information Protection Commission.

Building on these similarities, which ensure the continuity of protection for the exchange of personal data, an adequacy finding will enable free and safe data flows from the EU to the Republic of Korea.

By covering both commercial operators and the public sector, such an adequacy finding will not only support business operators transferring personal data as part of their commercial operations, but also facilitate regulatory cooperation, to the benefit of both sides.

It will also complement the EU-Republic of Korea Free Trade Agreement and boost cooperation between the EU and the Republic of Korea as leading digital powers.

Both sides agreed that an adequacy finding will open new opportunities for closer cooperation between the EU and the Republic of Korea to promote high standards of data protection at global level, based on their strong commitment to shared values concerning privacy.

The European Commission will now proceed with launching the decision-making procedure with a view to having the adequacy decision adopted as soon as possible in the coming months.

Next Steps

The European Commission will now launch the procedure for the adoption of its adequacy finding. This involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure will have been completed, the Commission will adopt the adequacy decision on the Republic of Korea.

Background

Article 45(3) of the General Data Protection Regulation grants the Commission the power to decide, by means of an implementing act, that a non-EU country ensures “an adequate level of protection”, i.e. a level of protection for personal data that is essentially equivalent to the level of protection within the EU. The effect of adequacy decisions is that personal data can flow from the EU (and Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.

As announced in January 2017 in its Communication on Exchanging and Protecting Personal Data in a Globalised World, the Commission has launched a dialogue with the Republic of Korea with the aim of reaching an adequacy decision under the General Data Protection Regulation (GDPR). A major step in the adequacy talks was the recent reform of the Personal Information Protection Act (PIPA), which strengthened the investigatory and enforcement powers of the Personal Information Protection Commission (PIPC), the independent data protection authority of the Republic of Korea. This reform, that entered into force in August 2020, confirmed the paramount importance of an independent data protection authority vested with effective powers as a central component of a modern data protection system as well as a key element of the growing international convergence in privacy standards. It also paved the way for the finalisation of the adequacy talks.

As part of the adequacy talks, the two sides agreed on several additional safeguards that will increase the protection of personal data processed in the Republic of Korea. These safeguards will provide for stronger protections with respect, for example, to transparency, sensitive data and onward transfers. These rules will be binding and enforceable by the PIPC and courts. As regards possible access to data by public authorities of the Republic of Korea, in particular for law enforcement and national security purposes, the framework established under the future adequacy decision will notably rely on the strong oversight role of the PIPC and facilitate EU individuals' access to redress.

Once adopted, the adequacy decision will cover transfers of personal data to commercial operators in the Republic of Korea, as well as public authorities. An adequacy decision will complement the EU-Republic of Korea Free Trade Agreement (FTA) that was formally ratified in December 2015 and was the EU's first trade deal of this type with an Asian country. Moreover, in 2010, the EU and the Republic of Korea upgraded their broader relationship to a Strategic Partnership by signing a Framework Agreement, which entered into force on 1 June 2014. This is an overarching political cooperation agreement with a legal link to the EU-Republic of Korea Free Trade Agreement.