On September 28, 2021, the European Data Protection Board (“EDPB”) issued its opinion on the European Commission’s (“Commission”) draft decision on the adequate protection of personal data in the Republic of South Korea.  Once the Commission approves the decision, it will allow for personal data to flow freely from the EEA to commercial operators and public authorities in South Korea, without the need to implement other transfer mechanisms provided in the General Data Protection Regulation (“GDPR”), such as standard contractual clauses.

The EDPB’s opinion is overall favorable with respect to the Commission’s finding that South Korea’s data protection laws offer a level of protection essentially equivalent to that provided by the GDPR.  In particular, the EDPB highlights that there are “numerous similarities” between the South Korean data protection laws (which include the Personal Information Protection Act (PIPA), its adjoining Enforcement Decree, and Notification No. 2021-1) and the European data protection framework, in particular the GDPR.

That said, while the EDPB shared the Commission’s overall affirmative adequacy view of South Korea, it added that “there are certain aspects that may require a closer look and clarification”.  For example, the EDPB asks for clarification on certain terms used in South Korea’s data protection laws, such as the meaning of “commercial organizations” that are subject to the South Korean Data Protection Authority’s oversight, as well as clarification on whether the adequacy decision covers transfers to processors in South Korea.

In addition, the EDPB asks the Commission to take a closer look at the special rules for processing pseudonymous data and for secondary processing, in order to assess the impact that these rules have on data subjects’ fundamental rights and freedoms.  The EDPB further points out that, in contrast with the GDPR, South Korea’s data protection laws do not provide for a general right to withdraw consent, nor do they include provisions on automated decision-making.  The EDPB therefore asks the Commission to evaluate how and to what extent these differences might impact its adequacy assessment.

The EDPB’s opinion includes a detailed assessment of the Commission’s findings with respect to access to personal data by South Korean public authorities.  In particular, the EDPB highlights the existing (legal?) safeguards that apply in the context of government interception of communications between and among South Koreans, as well as the restrictions that limit government interception of communications originating outside of South Korea.

Finally, similar to the UK adequacy decision, the EDPB highlights the importance of the Commission’s responsibility to continue to monitor the case law and legislative developments in South Korea after the adoption of the adequacy decision, and reassess its decision as necessary (the first reassessment will be due in 4 years from the date of the formal adequacy decision).

On September 28, 2021, the same day that the EDPB’s opinion was published, South Korea introduced a bill amending the PIPA, which, among others, includes provisions on automated decision-making and on transfers.  These amendments may help the Commission address some of the EDPB’s concerns.