The EDPB has adopted an opinion on the European Commission’s draft adequacy decision for the Republic of Korea. The EDPB focused on general GDPR aspects and access by public authorities to personal data transferred from the European Economic Area (EEA) to the Republic of Korea for the purposes of law enforcement and national security, including the legal remedies available to individuals in the EEA. The EDPB also assessed whether the safeguards provided under the Korean legal framework are effective.

On the general data protection framework, the EDPB notes that there are key areas of alignment between the EU and South Korean data protection frameworks with regard to certain core provisions, such as: (i) data protection concepts (e.g., personal information, processing, data subject); (ii) grounds for lawful processing for legitimate purposes; (iii) purpose limitation; (iv) data retention, security and confidentiality; and (v) transparency.

The EDPB welcomes the efforts made by the European Commission and the Korean Authorities to ensure that the Republic of Korea provides a level of data protection essentially equivalent to that of the GDPR, such as the additional protections provided by Notification No 2021-1, which aims to bridge some of the differences between the two frameworks. However, the EDPB notes several concerns with Notification 2021-1 and invites the European Commission to provide further information on its binding nature, enforceability and validity.

On the access by public authorities to data transferred to the Republic of Korea, the EDPB notes that the provisions of the South Korean Data Protection Act (PIPA) apply without limitation in the area of law enforcement. The EDPB further notes that data processing in the area of national security is subject to a more limited set of provisions enshrined in PIPA, although PIPA’s core principles, as well as the fundamental guarantees for data subject rights and the provisions on supervision, enforcement and remedies, do apply to the access and use of personal data by national security authorities. The South Korean constitution also enshrines essential data protection principles, which are applicable to the access to personal data by public authorities in the areas of law enforcement and national security. In addition, the EDPB agrees with the Commission’s conclusion that South Korea can be considered to have an independent and effective supervisory system.

Finally, regarding effective remedies and rights of redress, the EDPB asks the Commission to clarify the substantive and/or procedural requirements, such as burden of proof, to which a complaint with the South Korean data protection authority or any action before a court is subject, and whether EU individuals would be able to meet such a precondition. To read the EDPB’s press release in full and for a link to the opinion, click here.