The United Kingdom (UK) has granted data adequacy status to South Korea, signifying that South Korea offers an adequate level of protection for personal data. The UK-based organizations that are subject to the UK Data Protection Act 2018 can now freely transfer personal data to South Korea without the implementation of any additional cross-border data transfer tools.
Following a data adequacy agreement in principle between the UK and South Korea (entered into on 5 July 2022) and the issuance of an opinion by the UK Information Commissioner's Office in which it endorsed the decision to grant adequacy status to South Korea, the UK enacted the Data Protection (Adequacy) (Republic of Korea) Regulations 2022 ("UK Korea Adequacy Regulations") on 19 December 2022, which formalized the data adequacy status of South Korea for the purposes of data transfers from the UK to South Korea. These Regulations extend to England and Wales, Scotland, and Northern Ireland.
What is Data Adequacy?
Under the UK legal framework, the Secretary of State may specify through regulations whether a third country, a territory, one or more sectors within a third country, or an international organization ensures an adequate level of personal data protection. Article 45 of the UK General Data Protection Regulation (UK GDPR) specifies the list of criteria to be considered by the Secretary of State when carrying out an adequacy assessment.
If adequacy regulations are enacted in relation to the personal data protection framework of a third country, a territory, the sector(s) within a third country, or an organization, personal data from the UK may be transferred to the adequate jurisdiction, sector, or organization without the need for additional safeguards, such as standard contractual clauses (SCCs) or binding corporate rules (BCRs).
Transfers based on UK-Korea Adequacy Regulations
In accordance with Article 45 of the UK GDPR, organizations may now transfer personal data between the UK and South Korea based on the UK-Korea Adequacy Regulations without requiring any specific authorization.
In practice, this entails that companies in both nations can freely exchange data, making it simpler for them to conduct business and engage in bilateral trade. The agreement also ensures that any cross-border sharing of personal data would be protected in accordance with the strict privacy guidelines followed in the UK.
This decision is particularly important in the digital economy, where the exchange of personal data is essential for many businesses to operate and thrive. Many small and medium enterprises benefit from this development as they may have refrained from transferring personal data to South Korea in the past due to the stringent legal requirements.
The UK’s Department for Digital, Culture, Media & Sport (DCMS) has also highlighted that the UK’s adequacy decision is broader than the EU-South Korea data transfer framework, especially because organizations in the UK are allowed to share personal data related to credit information with South Korea to help identify customers and verify payments. The DCMS has specified that the ability to share such information will promote financial activities between the two countries.
In addition to the economic benefits, the data adequacy decision also ensures that individuals' personal data is protected when it is transferred between the UK and South Korea. It ensures that individuals' rights and freedoms are respected and that their personal data is processed in a transparent, privacy-friendly, and secure manner.
It is important to note here that the Secretary of State has the power to review the adequacy of South Korea at any time if they become aware of any significant change in the personal data protection framework of South Korea. The Secretary of State may revoke or amend the UK Korea Adequacy Regulations, if necessary, to ensure that cross-border data transfers are only freely conducted if sufficient safeguards for protecting data subjects’ rights are in place.
Overall, the UK's first data adequacy decision with South Korea is a positive development that will facilitate the exchange of personal data between the two countries and promote economic activities while also ensuring the protection of individuals' personal data.
