Author: James Clark
On 19 December 2022 the UK government’s first data adequacy decision of the post-Brexit era came into effect. Under the Data Protection (Adequacy) (Republic of Korea) Regulations 2022, the UK formally determined that the Republic of Korea provides an adequate level of data protection for the purposes of the UK GDPR. Consequently, UK businesses can now freely transfer personal data to recipients in South Korea without needing to take any additional steps (such as entering into standard contractual clauses or carrying out transfer impact assessments).
The UK’s decision was expected, as the European Commission had already granted the Republic of Korea an adequacy decision under EU GDPR back in December 2021. However, the UK’s decision – which it is referring to as a ‘data bridge’ – is broader than the EU decision, as it extends to personal data that benefits from exemptions from South Korea’s primary data protection law, the Korean Personal Information Protection Act.
How did we get here?
Under the GDPR, transfers of personal data to ‘third countries’ are prohibited, unless one of the conditions set out in Chapter V of the GDPR is met. The most favourable condition is that an ‘adequacy decision’ exists for the third country (under Article 45 GDPR), which means that the third country is deemed to provide an equivalent level of data protection (taking into account factors such as the rule of law and fundamental privacy safeguards, in addition to personal data protection laws). Where an adequacy decision exists, personal data can move freely to the third country without any additional steps being required.
Prior to Brexit, the UK, in common with all other Member States, relied on the European Commission to determine adequacy decisions for third countries. Post-Brexit, when the UK created its own parallel version of the GDPR, the power to determine adequacy decisions was transferred to the Secretary of State (at the same time as the existing EU adequacy decisions were grandfathered into UK law on a temporary basis). The Korea data bridge is the first adequacy decision made by the Secretary of State under the UK GDPR.
What does the decision cover?
The data bridge covers any transfer of personal data to a person in the Republic of Korea who is subject to the PIPA. The PIPA is a general and comprehensive data protection statute which is broadly analogous to the GDPR.
Unlike the EU decision, the UK data bridge also encompasses transfers of personal credit information to persons in the Republic of Korea who are subject to the Use and Protection of Credit Information Act, which provides specific rules applicable to organisations in the financial sector when they process personal credit information.
What can we expect from future data bridges?
The UK government has indicated that it has ambitious plans for data bridges. It believes that “global networks of personal data flows are critical to the UK’s prosperity and modern way of life”, and it wants to use data bridges as a mechanism to “remov[e] unnecessary barriers to cross-border data flows”. Under its ‘Data: A New Direction’ strategy, the UK has selected the following countries as its ‘top priorities’ for an adequacy decision:
- Dubai International Financial Centre;
- Singapore; and
- the United States of America.
In addition, the following countries represent the UK’s longer-term priorities:
- Indonesia; and
Given that the EU is on the cusp of securing a partial adequacy decision for the United States through its ‘EU-US Data Privacy Framework’, the UK’s next steps for that country – which is so crucial when it comes to the IT infrastructure of UK businesses – will be closely watched. In particular, it will be interesting to see whether the UK puts in place a data bridge with the same scope as the EU deal, or whether the UK tries to do something more ambitious – a data bridge with a broader scope, as has been concluded with Korea – on either an immediate or longer-term basis.
Finally, now that the UK is no longer subject to the jurisdiction of the Court of Justice of the European Union – something that wasn’t the case when the Schrems II judgment was handed down in 2020 – it is important to note that any challenges to a UK-US data bridge (or any other UK data bridge, for that matter) by privacy activists will be conducted separately from challenges to the EU-US decision, and will proceed through UK, rather than European, courts.