The EDPB adopted its opinion on the European Commission’s draft adequacy decision for the Republic of Korea. The EDPB focused on general GDPR aspects and access by public authorities to personal data transferred from the European Economic Area (EEA) to the Republic of Korea for the purposes of law enforcement and national security, including the legal remedies available to individuals in the European Economic Area (EEA). The EDPB also assessed whether the safeguards provided under the Korean legal framework are effective.
EDPB Chair, Andrea Jelinek, said: “This adequacy decision is of paramount importance, as it will cover transfers in both the public and the private sector. A high level of data protection is essential to support our long-standing ties with South Korea and to safeguard the rights and freedoms of individuals. While we underline that core aspects of the Korean data protection framework are essentially equivalent to those of the European Union, we call on the Commission to further clarify certain aspects and to closely monitor the situation.”
On the general data protection framework, the EDPB notes that there are key areas of alignment between the EU and South Korean data protection frameworks with regard to certain core provisions, such as:
– data protection concepts (e.g. personal information; processing; data subject);
– grounds for lawful processing for legitimate purposes;
– purpose limitation;
– data retention, security and confidentiality; and
– transparency.
The EDPB welcomes the efforts made by the European Commission and the Korean Authorities to ensure that the Republic of Korea provides a level of data protection essentially equivalent to that of the GDPR. Such as, for example, the adoption of notifications by the South Korea data protection authority (PIPC), which aim to fill the gaps between the GDPR and the Korean data protection framework, like the additional protections provided by Notification No 2021-1.
The EDPB invites the European Commission to provide further information on the binding nature, the enforceability and validity of Notification No 2021-1, and would recommend an attentive monitoring of this in practice.
On the access by public authorities to data transferred to the Republic of Korea, the EDPB notes that PIPA’s provisions apply without limitation in the area of law enforcement. The EDPB further notes that data processing in the area of national security is subject to a more limited set of provisions enshrined in PIPA, although PIPA’s core principles, as well as the fundamental guarantees for data subject rights and the provisions on supervision, enforcement and remedies, do apply to the access and use of personal data by national security authorities. The South Korean constitution also enshrines essential data protection principles, which are applicable to the access to personal data by public authorities in the areas of law enforcement and national security. In addition, the EDPB agrees with the Commission’s conclusion that South Korea can be considered to have an independent and effective supervisory system.
Finally, regarding effective remedies and rights of redress, the EDPB asks the Commission to clarify the substantive and/or procedural requirements, such as a burden of proof, to which a complaint with the PIPC or any action before a court is subject, and whether EU individuals would be able to meet such a precondition.
For its assessment, the EDPB used the GDPR Adequacy Referential and the EDPB Recommendations 2/2020 on the European Essential Guarantees for surveillance measures, as well as existing CJEU and ECtHR case law concerning access by public authorities.