The European Commission recently adopted an adequacy decision regarding the Republic of Korea’s data protection laws. As a result of this decision, personal data can freely flow between the EEA and South Korea without the need for additional transfer mechanisms.

Without such a finding of adequacy, EU law prohibits the transfer of data out of the EU without certain measures being in place. These include, for example, the transferring entity and the recipient entering into Standard Contractual Clauses, or the recipient having Binding Corporate Rules in place. South Korea now joins 13 other countries that are able to freely transfer data from the EEA. This list includes Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, United Kingdom, and Uruguay.

This decision follows the EDPB’s September opinion on the Commission’s draft Korea adequacy decision. The decision covers transfers of data to both commercial operators and public authorities. A list of common Q&As can be found here. Whether the UK will grant South Korea this same adequacy status remains to be seen. Unlike the recent UK adequacy decision, which contains a sunset provision, the conclusion about the adequacy of South Korea’s data privacy laws is not time-limited. Instead, the decision will be subject to a regular review every three to four years. The decision will continue so long as the level of data protection remains.

Putting it Into Practice: Companies who regularly engage in cross-border data transfers will not need additional measures -like SCCs- if the data transfers are from the EU to Korea.

The European Commission announced today a long-awaited decision that the UK data protection standards are adequate under the meaning of GDPR’s Article 45, providing a mechanism to enable transfer of data from the EU to the UK without the need for additional authorisation or putting in place additional safeguards. This decision will be in force for four years but can be withdrawn if the UK were to lower its standards and no longer provide EU citizens adequate protection for their personal data. The decision excludes personal data that is transferred for purposes of United Kingdom immigration control.

In the bleak aftermath of Brexit this is a positive development for many businesses on both sides of the English Channel and provides for much needed legal certainty for data flows between the EU and the UK without the need to implement any additional transfer mechanism such as the newly issued EU standard contractual clauses.

A European adequacy decision was expected not least as the UK only recently implemented its Data Protection Act 2018 which is broadly in line with the GDPR. There continue to be concerns that the UK will eventually diverge from EU standards not least given the ongoing political debate in the UK post-Brexit to alleviate UK businesses from the requirements of the GDPR. For now the European Commission was not convinced that these concerns were justified.

Putting It Into Practice: The UK now joins the group of other 12 countries (Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay) which so far have benefited from an EU adequacy decision.