Trade Consistency of Regulation on Cross-border Data Flow and Its Policy Lessons for Korea (데이터의 국가간 이동에 관한 규제정책의 통상법적 합치성 제고방안 연구)
Posted: 29 Jul 2019
Date Written: December 31, 2018
English Abstract: Law amendments with reference to the EU General Data Protection Regulation (GDPR, henceforth) are flooding in Korea. It signals that GDPR is one way or another treated as a landmark for regulatory policy on data space. However, a point to see before such benchmarking is whether GDPR itself is compatible with the WTO Agreement. If not, Korea is likely to suffer from the same trade conflicts as the EU would face. Motivated by the concern, this study seeks to figure out key trade issues of Korea’s recent law amendments inspired by GDPR.
The GDPR applies to all companies processing the personal data of data subjects residing in the EU, aiming to protect its citizens from privacy and data breaches as well as to facilitate free flow of data in the region. One of the major features of GDPR is the extended jurisdiction, so that it applies to the processing of personal data of the EU data subjects by a company not established in the EU. Non-EU businesses processing the data of EU citizens must appoint a representative in the EU to meet the obligations imposed by GDPR. Such requirement to appoint a local representative may be understood as a compliance measure in the GATS context.
There is another kind of compliance measure, so-called ‘adequacy test.’ A country outside the EU should be recognised by the European Commission as having adequate protections in place in order to freely transfer personal data to somewhere outside the EU. It is the Commission that makes the final decision on adequacy status. Alternative route for a company without regional establishment to secure adequacy status for offshore processing personal data of EU citizens is to get an approval from supervisory authorities of EU Member States. In such instances, it is necessary for the company to adduce adequate safeguards for the protection of privacy and personal data.
Is extraterritorial jurisdiction or adequacy test of GDPR trade-friendly then? Despite the lack of any available legal basis in trade agreements, the GATT dispute settlement panel once rejected extraterritorial jurisdiction because it would undermine the legal security of the multilateral trade framework. Adequacy test has potentially severe problems in terms of the GATS consistency. It is basically a discriminatory measure by reasons of origin, so that services and service suppliers are presumed to be of like. Unless such differential treatment is effectively justified by some other characteristics inextricably linked to such origin, it could constitute discrimination under MFN or national treatment obligations on a case-by-case basis. It deserves special attention for the EU to have a safeguard against such potential violations, none other than the GATS Article XIV (General Exceptions). In fact, this option is feasible for the EU because adequacy test is a compliance measure. Recourse to GATS Article XIV is available on the condition that challenged measure is a compliance measure, as far as it may be concerned with protection of privacy and personal data.
Korean Abstract: 최근 다수의 국내법 개정안이 EU 개인정보보호법을 약방문처럼 벤치마크하고 있으나, 이 법의 국제통상협정 합치성에 관한 논의는 진행되지 않고 있다. 혹시라도 EU 개인정보보호법에 국제통상협정 위반요소가 내재되어 있다면, 이는 국내정책의 일관성 및 안정성 훼손으로 이어질 수 있다. 본 연구는 EU 개인정보보호법 주요 규정에 대한 GATS 양립성 분석 결과에 기초해 주요 국내법 개정안의 문제점 및 개선방향을 논의한다
Keywords: Trade, Regulation, Cross-border Data, Korea
Suggested Citation: Suggested Citation