South Korea is changing its data privacy laws in a bid to secure an agreement with the EU to let South Korean digital communications providers move data out of the bloc.
South Korea updated its Act on the Promotion of IT Network Use and Information Protection (Network Act) in December 2018. Starting March 19, the law will require digital communications providers who deal with South Korean data but who have no physical presence in the country to establish a domestic representative to deal with data protection issues.
The EU and South Korea are in talks over whether the Asian nation has adequate data protections under the EU’s General Data Protection Regulation. Companies in South Korea want to access EU citizens data because it is a lucrative market for digital businesses, privacy attorneys told Bloomberg Law.
The Network Act amendments are “part of a world-wide trend, moving in the direction to tighter controls over companies’ handling of personal data and setting up more vigorous enforcement,” Alexander Southwell, chair of Gibson Dunn & Crutcher LLP’s privacy, cybersecurity, and consumer protection group, said. Such efforts are likely to help countries show the EU they have adequate data protections for EU citizens’ data, he said.
South Korea’s communications regulator, the Korean Communications Commission, will also have power, as of March 19, to limit data transfers to countries that implemented data localization requirements. Further amendments taking effect in June that will strengthen child privacy protections and require companies to set aside money in case of data protection violations.
South Korea applied for a narrow adequacy decision for the digital communications industry by updating the sector-specific privacy law. The EU has the authority under the GDPR to say companies following a specific sector-law provide adequate data protections.
Access to EU citizens data would give businesses easy access to the EU’s lucrative digital single market. A company like Samsung Electronics Co., for example, would be able to process EU consumer data within South Korean borders if the EU deems the country has adequate data protections. Without such a determination or without appropriate privacy safeguards, the company would have to outsource its data processing to a third party in a country with sufficient data protections.
Representatives for the European Commission, and the Korean personal information and communications commissions, didn’t immediately respond to Bloomberg Law’s requests for comment on the data transfer talks.
South Korea is also preparing to try to win a broader adequacy decision from the EU by introducing proposed amendments to its Personal Information Protection Act.
Data anonymization provisions of those proposed amendments may draw skepticism from EU officials, Southwell said. It’s still unclear whether South Korea will enact those changes, but the EU will be watching to see if the changes help South Korea provide adequate data protections, he said.
The proposed amendments to PIPA, if enacted, may help South Korea ease data transfer restrictions, privacy attorneys said. For example, the changes would make the Personal Information Protection Commission the lead data protection regulator in the country, Haksoo Ko, a law and economic professor at the Seoul National University of Law who focuses on data privacy and tech issues, said. They would bring South Korea more in line with the GDPR, he said.
“The GDPR has shown tremendous impact in Korea in that respect,” Ko said.