On 24 November 2022, the UK government announced its adequacy decision for the Republic of Korea, which will allow UK organizations to share personal data with Korean organizations more freely under the UK General Data Protection Regulation (“UK GDPR”).
The adequacy decision is expected to come into effect on 19 December 2022.
The adequacy decision and the Data Protection (Adequacy) (Republic of Korea) Regulations 2022 (“Regulations”) that will give effect to the decision can be found here. The UK government and the Republic of Korea government’s announcements can be found here and here (respectively).
From the UK’s perspective, this is the first decision to recognize a jurisdiction as ‘adequate’ from a data protection standpoint since the UK left the EU. The adequacy decision will apply to personal data transfers to any recipient in the Republic of Korea that is subject to the Personal Information Protection Act (“PIPA”), the Korean data protection law, and means that it will no longer be necessary to implement additional appropriate safeguards (such as the UK International Data Transfer Agreement) under Article 46 of the UK GDPR or rely on a derogation under Article 49 of the UK GDPR for such transfers.
The decision follows the EU’s adequacy decision that was granted to the Republic of Korea in December 2021 (see the full text of the EU’s adequacy decision here). It is important to note that the EU’s adequacy decision does not apply to transfer of certain categories of personal data. For example, personal data transfers are excluded from the scope of the EU’s adequacy decision where those transfers are made to an entity that is subject to oversight by the Republic of Korea’s Financial Services Commission for the processing of personal credit information pursuant to the Republic of Korea’s Credit Information Act. However, the scope of the UK’s adequacy decision includes transfers of personal credit information. This will enable UK organizations to transfer that type of data to their counterparties in the Republic of Korea regardless of whether or not those counterparties are subject to oversight by the Republic of Korea’s Financial Services Commission. The Regulations follow the UK government’s designation of the Republic of Korea as a priority jurisdiction for data adequacy assessments in 2021. At that time, the Republic of Korea was designated as a ‘top priority’ jurisdiction alongside the United States, Australia, Singapore, the Dubai International Finance Centre and Colombia. The UK government announced that assessments on other ‘priority countries’ are still in progress.