Japan and Korea: Different Paths to EU Adequacy
(2018) 156 Privacy Laws & Business International Report, 9-11
6 Pages Posted: 13 Feb 2019
Date Written: December 10, 2018
The first two adequacy assessments of countries under article 45 of the EU’s General Data Protection Regulation (GDPR) are, at the end of 2018, taking different paths to the goal of positive adequacy decision by the European Commission.
In the case of Japan, the Commission’s draft Decision [this was written before the final Decision in January 2019, but which made no major changes to the draft] was neither endorsed nor rejected by either the European Data Protection Board (EDPB) or the European Parliament (EP), but both bodies set out long lists (similar in most respects) of criticisms and questions concerning the draft. After detailing these matters, my interpretation is that both bodies imply that the Commission has failed to demonstrate Japan’s adequacy. The EDPB recommended that the Decision be reviewed in two years, not four years as proposed [and the final Decision has accepted this]. The adequacy of Japan’s data privacy regime may be questionable, but there is no questioning the adequacy of its economic influence.
Bills to comprehensively amend Korea’s four main data privacy laws were introduced into Korea’s National Assembly jointly by fourteen Members on 15 November 2018. Korea’s previously proposed scope of an adequacy decision was limited to those parts of the private sector under the ‘Network Act’ and the jurisdiction of the Korean Communications Commission (KCC). The Personal Information Protection Commission (PIPC), while independent in its decision-making, did not have any independent powers to enforce its decisions but had to rely upon enforcement by the Ministry of the Interior and Safety (MOIS). Korea is now proposing to make the PIPC a ‘central administrative agency’ under the Prime Minister, with independent authority over all situations of processing of personal information, and to transfer to it all powers and functions of the MOIS under PIPA, and of KCC under the Network Act. PIPC is also to be empowered to investigate violations and to impose administrative fines up to 3% of a company’s turnover. Once enacted, the European Commission will have to assess whether these proposals meet the GDPR’s technical standards for the necessary powers and independence of a DPA, and allow Korea to pursue a ‘jurisdiction-wide’ adequacy assessment. The Bills also propose to deal with aspects of ‘big data’ processing directly in PIPA (similar to Japan) rather than under the 2016 ‘Big Data Guidelines’, which had no clear legal status, and to include a range of other changes that would bring Korea’s laws closer to the GDPR.
At this stage, Korea’s approach is different from than taken by Japan, because there is no equivalent to Japan’s Supplementary Rules which apply stronger GDPR-like provisions only to EU-origin personal data but not to Japan-origin data. The Korean approach has been to strengthen its law through legislation applying to all personal data, irrespective of its source.
Keywords: Japan, Korea, Asia, European Commission, Data Protection, Privacy, Adequacy, GDPR
Suggested Citation: Suggested Citation