The highest court in the European Union, the Court of Justice of the European Union (“CEJU”), ruled on October 6, 2015 (local time) that the EU-US Safe Harbor Framework, which permitted the transfer and storage of personal information between the two jurisdictions, is invalid. The EU-US Safe Harbor Framework, which became effective in 2000, enabled companies in the US to store, on servers located in the US, personal information of European customers generated by web searches, SNS postings and other online activities. The CEJU held that the Safe Harbor Framework was problematic because it potentially grants the US government general access to the online data of European nationals, and it emphasized the prevailing fear of the far-reaching surveillance powers of the US government, which was only made more obvious by the revelations made by Edward Snowden in 2013.
Accordingly, many corporations that generate profits from the free flow of information now face a new development in how they handle and transfer user information. The European Commission (“EC”) attempted to mitigate this anxiety by assuring such companies that other treaties and frameworks between the EU and the US could provide the basis for the continued transfer of information and, in reality, large corporations in the IT industry, such as Facebook and Microsoft, continue to provide the same services as before without disruption. However, because those other treaties and frameworks are also expected to be scrutinized by the European personal information watchdogs, the new safe harbor framework that the EU and the US have been negotiating for the past two years will likely encounter added pressure before it can be concluded.
Although the foregoing decision by the CEJU is unlikely to have a direct and immediate impact on Korean companies, legal issues may arise if Korean companies handle, outside of the EU, personal information garnered from the EU member states (including the EEA countries, which are not full members of the EU; hereinafter the same). In anticipation, the Korean government has recently created a task force team (TFT) to tackle such legal compliance issues. If a nation receives a rating of “adequacy” for its personal information protection regime from either an EU member state or the EC, the companies in such nation are permitted to transfer personal information from EU member states to a server located outside of the EU.
However, since the manpower and cost involved for an individual company to comply with the regulations of the EU could be prohibitive, the Korean government has created measures to tackle such compliance issues at the national level.
However, according to the relevant personnel from the Korean Ministry of Government Administration and Home Affairs, it would take a minimum of two years for the Korean government to obtain the rating of “adequacy” for its personal information protection regime. Therefore, during that two-year term, companies may have to individually comply with the EU’s regulations regarding cross-border transfer of personal information. Even if the Korean government does not obtain the rating of “adequacy” for its personal information protection regime, a personal information handler may effectuate a cross-border transfer of personal information so long as it takes one of the following measures pursuant to the EU Data Protection Directive: (i) establish additional safety provisions (e.g. appropriate contractual provisions or binding corporate bylaws); (ii) adopt the standard contractual provisions of the EC; or (iii) present grounds that trigger the exception provisions. However, the grounds for exceptions under the EU Data Protection Directive are applied narrowly and, in all circumstances, an appropriate level of data protection should be secured. Moreover, obtaining the rating of “adequacy” for the national personal information protection regime is the preferred method under the EU Data Protection Directive.
Meanwhile, if a Korean company were to provide or transfer personal information to a third party located outside of Korea, it generally has to provide advance notice and obtain consent from the information subject pursuant to Article 17(3) of the Personal Information Protection Act or Article 63 of the Act on the Promotion of Information and Communications Network Utilization and Information Protection.