On 19 December 2022, the UK government’s first post-Brexit data adequacy decision came into effect. Under the Data Protection (Adequacy) (Republic of Korea) Regulations 2022, the UK has formally determined that the Republic of Korea provides an adequate level of data protection for the purposes of the UK GDPR. As a result, UK businesses are free to transfer personal data to Korean recipients without having to take any additional steps (such as entering into standard contractual clauses or conducting transfer impact assessments).
The UK’s decision was expected as the European Commission had already granted South Korea an adequacy decision under the EU GDPR in December 2021. However, the UK decision, dubbed a “data bridge”, is because the EU decision extends to personal data that benefits from an exemption from South Korea’s main data protection law, the Korea Personal Information Protection Act.
How did we get here
Under the GDPR, transfers of personal data to “third countries” are prohibited unless one of the conditions set out in Chapter V of the GDPR is met. The most favorable condition is the presence of an “adequacy decision” in the third country (according to Article 45 GDPR). This means that third countries are considered to offer a comparable level of data protection (taking into account factors such as the rule of law). basic privacy protections in addition to personal data protection laws). If an adequacy decision exists, personal data can freely move to third countries without the need for further steps.
Before Brexit, the UK, like all other member states, relied on the European Commission to decide adequacy decisions for third countries. After Brexit, when the UK created its own parallel version of the GDPR, the power to decide on adequacy decisions was transferred to the Secretary of State (at the same time the existing Her EU adequacy decisions were temporarily transferred to the UK no longer applicable to the law). South Korea’s data bridge is the first adequacy certification made by the Secretary of State under her GDPR in the UK.
What does the decision cover?
Data Bridge is intended for transfers of personal data to persons in the Republic of Korea subject to PIPA. PIPA is a general and comprehensive data protection law that broadly resembles GDPR.
Contrary to the EU decision, the UK data bridge will include an individual to an individual in the Republic of Korea subject to the Act on the Use and Protection of Credit Information, which provides for specific rules to be applied when processing by organizations in the financial sector. It also includes credit transfer. personal credit information.
What can we expect from the future data bridge?
The UK government has indicated it has ambitious plans for data bridges. “A global network of personal data flows is critical to the UK’s prosperity and modern way of life and “I want to use data bridge as a mechanism to remove unnecessary barriers to cross-border data flows”. Below that ‘Data: New Directions in accordance with the strategy, the UK has selected the following countries as ‘top priorities’ for adequacy determinations:
- Australia;
- Columbia;
- Dubai International Financial Centre;
- Singapore; and
- United States of America.
In addition, the following countries represent the UK’s long-term priorities.
- India;
- Brazil;
- Indonesia; and
- Kenya.
Given that the EU seeks to secure a partial adequacy decision for the US through the EU-US Data Privacy Framework, the UK’s next steps for that country will be very challenging with respect to the UK’s IT infrastructure. In particular, whether the UK will introduce a data bridge with the same scope as her EU agreement, or whether the UK is about to do something more ambitious, i.e. a broader data bridge is being concluded. It’s interesting to see. With South Korea – on an immediate or long-term basis.
Finally, as the UK is no longer under the jurisdiction of the Court of Justice of the European Union, Schrems II Judgment was handed down in 2020. It is important to note that appeals by privacy activists against the UK-US Data Bridge (or any other UK Data Bridge) are separate from appeals of EU-US decisions. And proceed through the English courts, not in Europe.
author: James Clark
