From now on, when domestic corporations and public institutions move employees' or customers' personal information to EU-based branches or other companies, they will not have to undergo additional requirements such as obtaining the individual's consent.
Ko Hak-su, Chairperson of the Personal Information Protection Commission, said in a joint press statement issued with Michael McGrath, the European Commission's Commissioner for Democracy, Justice, Rule of Law and Consumer Protection, at the Global Privacy Assembly (GPA) held in Seoul on the 16th that this was the result of "an equivalency recognition acknowledging that the EU's level of personal information protection is substantially the same as Korea's."
After the introduction of the equivalency recognition system through the Sept. 2023 amendment to the Personal Information Protection Act, the EU became the first to be recognized. Previously, in 2021, the EU allowed the transfer of personal information to Korea through the adequacy decision system under the General Data Protection Regulation (GDPR), which assesses whether non-EU countries have equivalent levels of personal information protection measures. With this, the Personal Information Protection Commission explained, a framework has been established for personal information to be freely transferred in both directions between Korea and the EU.
This equivalency recognition covers all forms of transfer, including provision of personal information, access, outsourced processing, and storage in EU-region clouds. Resident registration numbers and personal credit information transfers are not covered.
With this equivalency recognition, domestic personal information controllers can transfer personal information without additional requirements to a total of 30 countries, including the 27 EU member states subject to the EU GDPR and three countries in the European Economic Area (EEA) — Norway, Liechtenstein, and Iceland. The expense burden of cross-border transfers is also expected to be greatly reduced.
The Korea Internet & Security Agency (KISA) earlier projected in a report that equivalency recognition with the EU could increase trade volume by up to $32.9 billion (about 45 trillion won). In the mid to long term, it estimated a maximum 0.326% production effect and a maximum 0.274% welfare effect.
This equivalency recognition takes effect from the date of promulgation, today, and a review will begin three months before Dec. 15, 2028. If the review finds that the level of protection is not maintained, the recognition may be modified or revoked. If it is determined that transferred personal information is not properly protected and damage has occurred or concerns are significant, the Personal Information Protection Commission may order a suspension of transfers.
Ko, the Chairperson, said, "As Korea and the EU have established a safe and free data transfer framework across all private and public sectors, data cooperation will be further strengthened going forward."
Meanwhile, the GPA, the world's largest consultative body of personal information supervisory authorities, opened in Seoul on this day, the second time in Asia following Hong Kong in 2017.