On September 27, 2021, the European Data Protection Board (EDPB) adopted its opinion on the European Commission’s draft adequacy for South Korea. In its opinion, the EDPB highlighted areas of alignment between the data protection frameworks in the EU and South Korea and welcomed efforts to fill gaps between the two frameworks. The EDPB has also called on the European Commission to provide further clarity on a number of areas including amendments made to the Personal Information Protection Act (PIPA) and the effective legal remedies and redress for data subjects.

Speaking on the opinion, Andrea Jelinek, EDPB Chair, said: “This adequacy decision is of paramount importance, as it will cover transfers in both the public and the private sector. A high level of data protection is essential to support our long-standing ties with South Korea and to safeguard the rights and freedoms of individuals. While we underline that core aspects of the Korean data protection framework are essentially equivalent to those of the European Union, we call on the Commission to further clarify certain aspects and to closely monitor the situation.”

EDPB Opinion on Draft South Korea Adequacy Decision in Detail

In its opinion, the EDPB outlined key areas of alignment between EU and South Korean data protection frameworks including:

  • Data protection concepts (e.g. personal information, processing, data subject)
  • Grounds for lawful processing for legitimate purposes
  • Purpose limitation
  • Data retention, security, and confidentiality
  • Transparency

Additionally, the EDPB welcomed the partial amendments to PIPA which aimed to fill gaps between the GDPR and the PIPA that have been adopted by the Personal Information Protection Committee (PIPC). However, the EDPB has invited the European Commission to provide further clarity on the ‘the binding nature, the enforceability and validity’ of the additional protections brought about by Notification 2021-1 and recommended monitoring this in practice. The EDPB has also called on the European Commission to provide further information on the requirements for legal remedies and redress in relation to complaints made to the PIPC or brought before a court as well as whether data subjects in the EU would meet these requirements.

In relation to access to personal data by public authorities, the EDPB highlighted that the provisions of the PIPA ‘apply without limitation’ to access requests made by law enforcement agencies. The EDPB also noted that access requests in the area of national security will be subject to a more limited set of provisions under the PIPA, however, PIPA’s core principles such as data subject rights still apply. Additionally, the EDPB stated that it agrees with the European Commission’s assessment of the independence of South Korea’s supervisory system, which it deems to be effective.

Further reading on the draft South Korea adequacy decision:

Follow OneTrust on LinkedIn, Twitter, or YouTube for the latest on European Commission adequacy decisions.