On 19 December 2022, the UK's Data Protection (Adequacy) (Republic of Korea) Regulations 2022 ("UK Korea Adequacy Regulation") entered into force, following an agreement in principle on 5 July 2022 and the UK government’s announcement on 23 November 2022. Organizations can now transfer personal data between the UK and South Korea without the requirement to conduct a transfer impact assessment or to enter into a data transfer mechanism under Article 46 of the GDPR (as adapted into UK national law as the “UK GDPR”), such as an International Data Transfer Agreement or Addendum.
Background
Under Article 45 of the GDPR, the European Commission ("EC") may determine that a country, territory, or one or more specified sectors within that country, ensures an adequate level of protection over personal data transferred from the European Economic Area. If so, organizations will be able to transfer personal data subject to the GDPR to such a country, territory or sector without the need for a data transfer mechanism, such as the Standard Contractual Clauses.
Following the UK's departure from the European Union, all countries deemed adequate by the EC are automatically deemed adequate under the UK's data protection regime. Consequently, organizations may also lawfully transfer personal data subject to the UK GDPR to such countries without a data transfer mechanism.
The UK Korea Adequacy Regulation, also known as a data bridge, is notable for being the first UK adequacy regulation published after the UK's departure from the European Union. Both the EC and UK government are now able to make their own adequacy assessments, and the Korea Adequacy Regulation follows the European Commission's adequacy decision on South Korea ("EU Korea Adequacy Decision"), which was adopted on 17 November 2021.
Commentary
Although similar in purpose, the UK Korea Adequacy Regulation is wider in scope than the EU Korea Adequacy Decision. The EU Korea Adequacy Decision concludes that South Korea ensures an adequate level of protection for personal data transferred from an organization in the EU to entities in South Korea falling within the scope of application of Korean Personal Information Protection Act ("PIPA").
As a result, certain types of data transfers that fall outside the scope of PIPA are excluded from the scope of the EU Korea Adequacy Decision, and organizations must ensure that an appropriate data transfer mechanism is in place prior to transferring such data from the European Economic Area to South Korea. Such data transfers include data transfers to the following recipients who intend to process personal data for these respective activities:
- religious organizations, to the extent they process personal data for their missionary activities
- political parties, to the extent they process personal data in the context of the nomination of candidates; and
- entities that are subject to oversight by the Korean Financial Services Commission for the processing of personal credit information pursuant to the Korean Credit Information Act, to the extent they process such information.
Conversely, the UK Korea Adequacy Regulation specifically includes data transfers that involve the transfer of personal data relating to credit information. The UK Department for Digital, Culture, Media and Sport ("DCMS") has stated that this was intended to "help UK businesses with a presence in the Republic of Korea to boost credit, lending, investment and insurance operations in the Republic of Korea.”
This will undoubtedly be welcomed by both UK and South Korean businesses, as South Korea is a significant trading partner with the UK. Trade between the two countries totalled GBP 17.2 billion at the end of 2022, a GBP 4.1 billion increase from an already significant year of UK-Korean trade in 2021. The removal of data protection clause costs and the anticipated increase in export trade as a result has been estimated to provide a total annual benefit to UK businesses of GBP 14.8 million.
Further developments
The UK government has announced that it will focus on a number of priority destinations for data adequacy. Such countries include Australia, Singapore, the Dubai International Finance Centre - and most notably, the U.S.
With the draft EU adequacy decision published by the EC on 13 December 2022 (for more information, please see our client alert here), a data bridge between the UK and U.S. is similarly expected to follow. We are watching this space for updates.
Authors
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.