The Department for Digital, Culture, Media & Sport (DCMS) has announced that an agreement has been reached between the UK and South Korea in relation to transfers of personal data. The relevant Regulations are due to come into force on 19 December 2022. This is a landmark decision of data adequacy as it is the first one that the UK has made independently since leaving the EU.
Background
In July 2022 the UK and South Korea concluded a year of discussions by agreeing an adequacy deal in principle. This agreement sought to enable the transfer of personal data between the two countries in a safe and secure way and without the need for administrative burdens such as additional contractual safeguards required under GDPR.
Since then, the DCMS conducted a full assessment of South Korea’s personal data legislation and reached a final decision that that legislation offers an adequate level of protection for transfers of personal data from the UK to any organisations in the Republic of Korea (ROK) that are subject to the Korean general data protection law. The DCMS also concluded that the South Korean regime governing data protection is capable of upholding and protecting the rights of British citizens.
EU adequacy decision
The EU already has in place an adequacy decision with South Korea. When it was part of the EU, the UK was therefore able to share personal data cross-border to ROK without any additional requirements. The recent decision by the UK ensures that the free flow of data to and from ROK is still possible, even after having left the EU.
However, the UK adequacy decision goes further than the EU equivalent, as organisations in the UK will be able to share personal data related specifically to credit information, in order to help identify customers and verify payments. As a result, this will help businesses with a presence in the ROK to boost lending, insurance, and credit operations in the region. This may prove important to UK business as ROK is one of the fastest growing markets for the UK, with exports to the country last year totalling $6.46 billion and two thirds of British services exports were data-enabled.
Effect of the deal
Whereas previously, businesses who wanted to transfer personal data to South Korea needed to ensure appropriate safeguards were put in place (such as the UK International Data Transfer Agreement, the UK addendum to the EU’s standard contractual clauses, Binding Corporate Rules, or any other mechanisms set out in Chapter V of the UK GDPR), they will now be able to transfer the same data freely, without any restrictions.
Julia Lopez, the Minister of State for media, data, and digital infrastructure summarised the effects of the decision: “before the end of the year, businesses will be able to share data freely with the ROK - safe in the knowledge it will be protected to the high privacy standards we expect in the UK”.
DCMS has said that the effect of the UK’s decision will boost annual business savings and exports by up to £14.8 million. The decision is also estimated to cut administrative and financial burdens for UK businesses by £11 million a year and is expected to increase exports to South Korea by £3.8 million annually.
The ICO was involved throughout the process and is expected to publish its opinion in due course but in the meantime has commented on the decision: “We are satisfied with the Government’s recognition of similar data protection rights and protection in Korean laws. This will bring certainty to UK businesses and reduce the burden of compliance, while ensuring people’s data is handled responsibly.”
The ICO has also said that it will be focusing on the other ‘priority countries’, which it identified last year as the United States (note the latest development which we wrote about here), Australia, Singapore, the Dubai International Finance Centre and Colombia.
What does this agreement mean for businesses?
The effect of the decision will mean that companies based in either the UK or South Korea will be able to freely send, receive, process and store data belonging to residents of either country. There will be no need for those businesses to undertake additional safeguards (such as using International Data Transfer Agreements in respect of data transfers from the UK).
Additionally, the agreement will also help UK organisations with a presence in ROK to boost their credit, lending, investment and insurance operations there as a result of the scope of the adequacy decision. This could mean that business who rely especially on the exchange of financial and credit data (e.g. payment-processing companies) could see a significant difference in their operations which will be quicker, easier and lower cost.
The decision is a positive step in ensuring that UK business maintains a global reach when it comes to data protection and that legal and administrative barriers are not unnecessarily created, such that growth and innovation are stifled. The agreement with South Korea signals that the UK recognises the value of taking a proactive approach to data protection in order to be a key player in a global digital economy.
We will be closely following the progress of the other priority countries as this decision paves the way for unlocking the value of data by improving processes for international data transfers.
If you have any questions or would otherwise like to discuss any issues raised in this article, please contact David Varney.