South Korea: The long road to adequacy
The South Korean government recently enacted a series of reforms to its main data protection laws, largely in an effort to receive the adequacy decision from the European Commission ('the Commission'). Kwang Bae Park and Minchae Kang, Partners at Lee & Ko, discuss the legislative changes to come, and how it is hoped these will bring South Korea into the group of 'adequate' countries in the eyes of the Commission.
On 4 February 2020, amendments to South Korea's three major data privacy laws, i.e. the Personal Information Protection Act ('PIPA'), the Act on the Promotion of Information and Communications Network Utilization and Information Protection ('ICNA'), and the Credit Information Use and Protection Act ('the Credit Information Act'), were officially promulgated and are scheduled to take effect on 5 August 2020. The foregoing amendments represent the most sweeping revisions to PIPA and the ICNA since their original enactment and are expected to greatly facilitate the adequacy assessment under the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') that the Korean government has been pursuing with consultation from the Commission.
Status of the EU's adequacy assessment
The GDPR directly binds and uniformly applies to all Member States of the EU but also provides some flexibility for certain aspects of its legal requirements to be adjusted by each Member State. An adequacy decision is one of the avenues provided in the GDPR for the transfer of personal data from the EU to a third country. The Commission establishes that such third country provides a comparable level of protection for personal data to that in the EU and that, consequently, personal data will be permitted to flow from the EU to that third country without requiring any further safeguards or authorisations. Otherwise, the GDPR requires that transfers of personal data from the EU to a third country will only be permitted if the appropriate safeguards set forth in Article 46 of the GDPR (e.g. Standard Contractual Clauses ('SCCs') and Binding Corporate Rules ('BCRs')) are in place, or if the transfer is made pursuant to a derogation under Article 49 of the GDPR. Obtaining an adequacy decision is becoming increasingly important to ensure the seamless transfer of personal data outside of the EU, and then onwards to other GDPR-compliant third countries or companies.
The Korean government established a joint public-private sector task force in August 2015 to prepare for adequacy negotiations with the EU by conducting feasibility studies, preliminary self-assessment, and comparative studies of data protection regulations under Korean law and those found under the EU's Data Protection Directive (Directive 95/46/EC) and GDPR. Since then, the Korean government has been involved in two major rounds of negotiations with the EU to obtain an adequacy decision. The first round was based on an adequacy assessment of data protection levels under PIPA, Korea's general data protection law, which broadly applies to the processing of personal data by data handlers (akin to the concept of the data controller under the GDPR) and their outsourced processors (akin to the concept of processor under the GDPR) in both the public and private sectors. Given that the primary responsibility for enforcing PIPA was placed on the Korean government's Ministry of the Interior and Safety ('MOIS') rather than the more independent Personal Information Protection Commission ('PIPC'), the EU cited this apparent lack of independence on the part of the data protection authority ('DPA') as one of the main factors that prevented it from issuing an adequacy decision based on PIPA at that time.
Considering the required time to amend PIPA (to ensure the DPA's independence) and to overcome the existing lack of independence of the DPA, the Korean government entered into a second round of negotiations with the EU based on an adequacy assessment, more limited in scope, of data protection levels under the ICNA. The DPA for the ICNA is the Korea Communications Commission ('KCC'), a central government agency under the direct authority of the President, which, in turn, ensured that it could operate with more independence than the MOIS. The ICNA also contains broad and comprehensive provisions related to the protection of personal data. In general, the level of personal data protection under the ICNA is considerably stronger than that under PIPA. However, the ICNA mainly regulates the processing of personal data by online service operators and thus there was a concern that a partial adequacy decision based on the ICNA would be too limited in scope to serve as an effective data transfer mechanism between the EU and Korea. Against this backdrop, the Korean government began efforts to amend existing legislation so that personal data protection matters that are currently handled by multiple DPAs (i.e. the MOIS and the KCC) could be handled by a singular and more independent DPA (i.e. the PIPC) and to integrate the personal data protection clauses of the ICNA into PIPA. The amendments are the culmination of such efforts by the Korean government.
Key provisions of the amendment
Streamlining South Korea's data protection regulatory authorities
The amendments focus on elevating the PIPC to a central administrative agency reporting to the Prime Minister, and on making it the supervisory authority for data breaches (including the misuse/abuse of personal information and leakages). Personal information protection issues that are currently handled by multiple agencies (i.e. the MOIS and the KCC) will all be handled by the PIPC instead.
In order to ensure the independence of the PIPC, Article 18 of the Government Organization Act - which stipulates the Prime Minister's authority to direct and supervise the heads of central administrative agencies - will not apply to certain tasks performed by the PIPC.
Introduction of 'pseudonymised information'
The amended PIPA introduces the concept of 'pseudonymised information.' This type of information may no longer be used to identify a specific individual without using or combining additional information to restore the information to its original state. Under the amended PIPA, data handlers may process pseudonymised information without the consent of the data subject for purposes of statistical compilation, scientific research, and record preservation for the public interest.
Introduction of 'purpose limitation'
The amended PIPA introduces a similar approach to the GDPR on the concept of 'purpose limitation.' According to Article 5(b) of the GDPR, 'Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes.'
Through the amended PIPA, South Korea's personal information protection level has become much closer to the 'adequate level of protection' required by the GDPR.
After the amendments were passed at a plenary session of the National Assembly on 9 January 2020, the Korean government explained their main features and its plans to introduce various implementing regulations (e.g. enforcement decrees, official notifications, and guidelines) through a pan-governmental briefing on 21 January 2020. The Korean government announced its intent to introduce the various implementing regulations as quickly as possible to make up for the considerable time it took to pass the amendments. The Korean government aims to make the initial drafts of the various implementing regulations available to the public on an expedited basis before the amendments go into effect on 5 August 2020, which, in turn, is expected to greatly facilitate the adequacy assessment process with the Commission.
The adoption of an adequacy decision involves an initial recommendation by the Commission, an adequacy opinion from the European Data Protection Board, approval from the EU member states, and final adoption of the decision by the Commission. With the promulgation of the amendments and the resolution of various pending issues between the parties, the Korean government expects the EU to make a preliminary adequacy decision by the first half of this year and a final adequacy decision within this year.
By obtaining recognition from the EU that it can provide an 'adequate level of protection' of personal data, Korea will be joining other countries such as Canada, Israel, Japan, and the United States (via the EU-U.S. Privacy Shield) that have already obtained such recognition. In particular, Korean companies will be able to engage in data processing on equal terms with their counterparts in the EU and personal data will be permitted to flow from the EU to Korea without incurring additional compliance costs and time-consuming authorisations in the form of SCCs, BCRs, authorised codes of conduct, and various certification requirements.
However, the cross-border transfer of the personal data of Korean data subjects to other countries may remain restricted under Korean law. Specifically, Article 39-12 of the amended PIPA requires data handlers to obtain the consent of data subjects prior to transferring their personal data abroad. Therefore, we recommend that anyone who is likely to be affected by the amended PIPA closely monitor changes to the related implementing regulations and public notices as they become publicly available in the coming months, in addition to the status of the adequacy assessment on Korea by the Commission.
Kwang Bae Park, Partner
Lee & Ko, Seoul
Minchae Kang, Partner
Lee & Ko, Seoul