UK signs data adequacy agreement "in principle" with South Korea

On the 5th July 2022, the UK signed a data adequacy agreement in principle, with South Korea. The agreement will allow the free flow of data between countries, and marks the first inprinciple data adequacy agreement the UK has signed since leaving the European Union.

The adequacy decision has only been agreed in principle, therefore there is no specific detail as to how data flows will work yet, however details should be released when the deci-sion is finalised.

Organisations with a significant operational presence in both South Korea and the UK include AstraZeneca, Samsung, LG Electronics and Standard Chartered, all of whom are set to benefit from the deal. International data transfer agreements will no longer be needed in order to share data between jurisdictions, once the decision is finalised and has come into force.

In addition to the adequacy decision, the Information Commissioners Office (ICO) has signed a memorandum of understanding (MoU) with the South Korean Personal Information Protection Commission to outline how both authorities will cooperate, sharing best practises, information, and intelligence. In a statement, the ICO said:

“Cooperation between international data protection authorities is essential in times of global data-driven business and this MoU builds on the strong collaboration the two authorities already have.”

South Korea and the EU

As part of the post-Brexit data flow proposals, the UK named South Korea, along with the US, Australia, the Dubai International Finance Centre, Colombia, and Singapore as priority countries for data adequacy agreements. The UK’s adequacy decision with South Korea comes six months after the EU finalised its own data adequacy agreement with them in December 2021. South Korea is one of the few Asia-Pacific jurisdictions to receive an EU adequacy decision.

Data protection law in South Korea abides by similar principles to most major international data protection laws, valuing principles of lawfulness, purpose limitation and specification, data accuracy, minimization of data, and security. In South Korea, data protection operates under the Fair Information Practice Principles.

In some instances, South Korea’s standards for data processing are even stricter than the GDPR, for example, requiring the consent of data subjects to transfer their data abroad; South Korea also have a reputation for enforcing data protection laws with harsh sanctions for any serious violations.

“Today’s agreement is an important milestone in the strengthening of cooperation between the UK and Republic of Korea. The promotion of the trustworthy use and exchange of data across borders is key to realising a more secure and prosperous future for our citizens, businesses, and governments.”

gov.uk

Given the existing adequacy agreement between the EU and South Korea, this latest agreement in-principle is unlikely to threaten the UK-EU adequacy ruling, however specific details of the UK’s new Data Reform Bill which we reported on in June’s edition of the Debrief, are still yet to be released.

To read the government’s announcement in full, please click here.