The highest court in the European Union, the Court of Justice of the European Union (“CEJU”), ruled  that the EU-US Safe Harbor Framework, which permitted transfer and storage of personal information between  the two jurisdictions, to be invalid on October 6, 2015 (local time). The EU-US Safe Harbor  Framework, which became effective in 2000, enabled companies in the US to store personal  information of European customers that were generated by web searches, SNS postings and other  online activities in their servers located in the US. The CEJU held that the Safe Harbor Framework  was problematic because it potentially grants the US government a general access to the online data  of European nationals and emphasized the prevailing fear of the far-reaching surveillance powers of  the US government, which was only made more obvious by the revelations made by Edward Snowden in  2013.

Accordingly, many corporations that generate profits from the free flow of information now face a  new development in how they handle and transfer user information. The European Commission (“EC”)  attempted to mitigate this anxiety among the companies by assuring such companies that other  treaties and frameworks between the EU and the US could provide the basis for the continued  transfer of information and, in reality, the large corporations in the IT industry, such as  Facebook and Microsoft,  continue  to  provide  the  same services as before without disruption.  However, in light of the fact that other treaties and frameworks are anticipated to be scrutinized  by the European personal information watchdogs, the new safe harbor framework that is currently  being negotiated between the EU and  the  US  for  the  past  two  years will  likely  encounter  added pressures in its consummation.

Although the foregoing decision by the CEJU will unlikely have direct and immediate impact on  Korean companies, it is possible that legal issues may likely arise if Korean companies handle  personal information garnered from the EU member states (including the EEA countries, which are not  full members of the EU; hereinafter the same) outside of the EU. In anticipation, the Korean  government has recently created a TFT to tackle such legal compliance issues. If a nation receives  a rating of “adequacy” for its personal information protection regime from either an EU member  state or the EC, the companies in such nation are permitted to transfer personal information from EU member states to a server located outside of the EU.

However, since the manpower and cost involved for an individual company to comply with the  regulations of the EU could be prohibitive, the Korean government has created measures to tackle such compliance  issues from the national-level.

However, according to the relevant personnel from the Korean Ministry of Government Administration  and Home Affairs, it would take a minimum of two years for the Korean government to obtain the  rating of “adequacy” for its personal information protection regime.  Therefore, during that  two-year term, companies may  have  to  individually  comply  with  the  EU’s  regulation   regarding  cross-border  transfer  of  personal information.   Even if the  Korean government does  not obtain the rating of “adequacy” for its personal information protection regime, the personal  information handler may effectuate a cross-border transfer of personal information so long as it  takes the following measures pursuant to the EU Data Protection Directive: (i) establish additional  safety provisions (e.g. appropriate contractual provisions or binding corporate bylaws); (ii) adopt  the standard contractual provisions of the EC; or (iii) present grounds that trigger exceptions  provisions. However, the grounds for exceptions under the EU Data Protection Directive are applied  narrowly and, in any circumstances, the appropriate level of data protection should be secured.   Moreover, obtaining the rating of “adequacy” for the national personal information protection  regime is the preferred method under the EU Data Protection Directive.

Meanwhile, if a Korean company were to provide or transfer personal information to a third party  located outside of Korea, it generally has to provide advance notice and obtain consent from the  information subject pursuant to Article 17(3) of the Personal Information Protection Act or Article  63 of the Act on the Promotion of Information and Communications Network Utilization and Information Protection.