The Draft Korea Adequacy Decision: Submission to European Union Authorities
17 Pages Posted: 30 Sep 2021 Last revised: 3 Nov 2021
Date Written: August 16, 2021
The European Commission’s draft adequacy Decision concerning the Republic of Korea will be the third such decision under the GDPR, once finalised.. The decision is significant not only for its practical implications for Korea, but also for what it adds to our emerging understanding of how ‘adequacy’ is being interpreted under the GDPR.
This submission is made in the belief that it is valuable for independent third parties to critique draft adequacy Decisions. First, if third countries with sub-standard protections are held to provide adequate protection, then the rights of EU citizens under the GDPR are diminished when their data is exported. Second, NGOs and other parties in third countries need to know the standards to which their countries should be held if they apply to the EU for an adequacy assessment. Third, these Decisions are, in practice, a major source of interpretation of the provisions of the GDPR, but as we know from the Schrems cases, they are interpretations that can be challenged.
This paper concludes that the Commission’s positive Decision concerning Korea’s data protection system sets out a strong case for Korea providing adequate protection, but has shortcomings and ought to be improved before it is finalised. It is unlikely that a stronger case could be made for any other country in the Asia-Pacific. The Korea Decision, even without improvements to the draft, is far more convincing than the Commission’s Japan Decision.
The Korea Decision clarifies some aspects of what will be necessary for future positive Decisions. It seems to be unavoidable, and is in fact desirable, that the Commission should negotiate the making of what is in effect delegated legislation by the country’s data protection authority, such as the Supplementary Rules in the Japan and Korea Decisions, provided that such rule-making is constitutional and otherwise valid and enforceable. One of main lessons for other countries considering applying to the Commission for an adequacy Decision is that their country (through its DPA and other public authorities) will almost certainly need to negotiate Supplementary Rules of a similar complexity to those found in the Korea and Japan Decisions, and those Rules will have to be enforceable within domestic law.
The paper identifies factors which this Decision indicate may be significant in relation to future adequacy decisions concerning other countries. It also identifies a number of desirable improvements to the Decision, relating to automated processing, onward transfers and pseudonymized information.
Keywords: Korea, European Commission, data privacy, adequacy decision GDPR
Suggested Citation: Suggested Citation