Questions & Answers on the adoption of the adequacy decision ensuring safe data flows between the EU and the Republic of Korea
After the conclusion of the talks between the European Commission and Republic of Korea in March 2021, today's adoption of the adequacy decision for the Republic of Korea marks the final step in the process. This decision allows for free and safe data flows as of today and confirms the shared commitment of the EU and the Republic of Korea to a high level of data protection.
What is an adequacy decision?
An adequacy decision is one of the tools provided under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries guaranteeing a comparable level of protection of personal data to that in the European Union. It is a decision taken by the Commission, as a result of which personal data can flow freely and safely from the European Economic Area (EEA) (the 27 EU Member States as well as Norway, Liechtenstein and Iceland) to that third country, without being subject to any further conditions or authorisations. In others words, transfers to the third country in question can be handled in the same way as intra-EU transmissions of data. This adequacy decision covers transfers of personal data to the Republic of Korea's commercial operators as well as public authorities.
The benefits of an adequacy decision go beyond data transfers with the EU. Many non-EU countries, including Argentina, Colombia, Israel and Switzerland, recognise that the countries and territories found adequate by the Commission also offer an appropriate level of protection to meet the requirements for international transfers under their own data protection legislation. In practice, this means that, when benefiting from an adequacy decision, a third country like the Republic of Korea simultaneously enjoys free flows of data with a broad network of countries around the world.
What are the criteria to assess adequacy?
Adequacy does not require the third country's data protection system to be identical to the one of the EU, but is based on the standard of "essential equivalence". It involves a comprehensive assessment of this country's data protection framework, both of the protection applicable to personal data and of the available oversight and redress mechanisms. The European data protection authorities have developed a list of elements that must be taken into account for this assessment, such as the existence of core data protection principles, individual rights, independent supervision and effective judicial redress.
How does the Republic of Korea meet the adequacy criteria?
In the Republic of Korea, the processing of personal data is governed by the Personal Information Protection Act (PIPA), which provides similar principles, safeguards, individual rights and obligations as the ones under EU law. A major step in the adequacy talks was the reform of PIPA that entered into force in August 2020, which strengthened the investigatory and enforcement powers of the Personal Information Protection Commission (PIPC), the independent data protection authority of the Republic of Korea. This reform confirmed the importance of an independent data protection authority vested with effective powers as a central component of a modern data protection system as well as a key element of the growing international convergence in privacy standards.
As part of the adequacy talks, the two sides also agreed on several additional safeguards that will increase the protection of personal data processed in the Republic of Korea. These safeguards provide for stronger protection, for example with respect to transparency (by requiring Korean data importers to inform Europeans about the processing of their data) and onward data transfers (by ensuring that data continues to benefit from the same level of protection when further transferred to third countries). These rules are binding and enforceable by the PIPC and Korean courts.
Regarding the possible access to data by public authorities of the Republic of Korea, in particular for law enforcement and national security purposes, the framework established under the adequacy decision will notably rely on the strong oversight role of the Personal Information Protection Commission. Moreover, it will facilitate EU individuals' access to redress, by making it possible to lodge a complaint before the Personal Information Protection Commission with the support of their national data protection authorities.
How does the EU benefit from the adequacy decision with the Republic of Korea?
Europeans benefit from strong protection under Korean law when their data is transferred to the Republic of Korea, including through the additional safeguards that were agreed as part of the adequacy dialogue.
The adequacy has a broad scope of application, covering both commercial operators and the public sector. It not only supports European business operators transferring personal data to the Republic of Korea as part of their commercial operations, but also facilitates regulatory cooperation between European and Korean public authorities.
The adequacy decision also complements the Free Trade Agreement (FTA) between the European Union and the Republic of Korea that entered into force in July 2011. The trade agreement has led to a considerable rise in bilateral trade of goods and services. The adequacy decision will support this trade relationship worth nearly €90 billion a year.
When will the adequacy decision become applicable?
The Commission adopted the adequacy decision on 17 December 2021. It is applicable as of the same day.
Is the adequacy decision limited in time?
There is no time limitation, but the Commission will continuously monitor relevant developments in the Republic of Korea and regularly review the adequacy decision. The Commission will carry out a first review three years after the adoption of the decision and subsequently at least every four years. Adequacy decisions can be adapted or even withdrawn in case of developments affecting the level of protection in the third country.
With which other countries does the EU already have adequacy decisions?
In addition to the adequacy decision for the Republic of Korea, the Commission has adopted adequacy decisions for the following countries and territories: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, Japan, and the United Kingdom. The Commission is also actively exploring the possibility of adequacy with other important partners in particular in Asia and Latin America, building on the current trend towards upward global convergence in data protection standards.
The adequacy decision with the U.S. (EU-U.S. Privacy Shield) was annulled by the European Court of Justice in July 2020. Securing a new arrangement for safe transatlantic data flows is a priority for us and our U.S. partners. Negotiations are ongoing and have intensified in the past months, with discussions at technical and political level.
For more information
Adequacy decision for the Republic of Korea
Joint press statement on the adoption of the adequacy decision for the Republic of Korea