This article is written by Devagni Vatsaraj, pursuing a Diploma in International Data Protection and Privacy Laws from Lawsikho. The article has been edited by Zigishu Singh (Associate, LawSikho), Ruchika Mohapatra (Associate, LawSikho), and Indrasish Majumder (Intern at LawSikho).


The legal system in Korea, governing the privacy of the data subjects and protection of their data originates from the Korean Constitution, which was enacted on 17th July 1948. The Korean Constitution did not specifically declare these as constitutional rights, however, they were recognized as a basic right via various provisions of the charter. Some of these rights are provided in Article 10, Articles 12-22, etc. The Constitution refers to these rights as the “rights of Korean citizens”, however, the constitutional courts have observed that an individuals’ dignity, significance as a human being, and the right to seek happiness are rights of all human beings – they apply equally to foreign nationals as they do to the Korean citizens. Further, to provide a binding essence to the rights of privacy, Korea has enacted a series of laws that provide safeguards to the data of all individuals, citizens and foreigners. Some of the relevant laws are the Personal Information Protection Act (PIPA), The Act on the Use and Protection of Credit Information, The Communications Privacy Protection Act, etc. 

PIPA, Korea

PIPA provides the legal framework for the protection of data of the data subjects in South Korea, also known as the Republic of Korea. The applicability of the law is enlarged by an Enforcement Decree known as the PIPA Enforcement Decree; which is binding and enforceable. Regulatory Notifications (“Notifications“) adopted by the Personal Information Protection Commission (PIPC) provide the rules of interpretation and application of PIPA. To understand what is included in PIPA, what are the rights of the data subjects, what are the governing principles, etc., please find its summary handout below: 

Download Now

These regulatory notifications were recently amended to further the interpretation, application, and enforcement of certain provisions of PIPA. This amendment was carried out based on Articles 5 and 14 of PIPA. These amended notifications provide clarifications that apply to the processing of personal data as well as additional safeguards for transferring personal data from other countries to Korea. These additional safeguards are analysed as a part of the assessment of the relevant PIPA articles. 

What are adequacy decisions?

These decisions are usually taken by the European Union (EU) and they basically determine whether a non-EU country has adequate levels for protection to safeguard the personal data transferred by the EU to this other country, in this instance, the Republic of Korea. The European Commission (EC) derives from Article 45 of Regulation (EU) 2016/679, the power to determine whether a country outside of the EU offers an adequate level of data protection. The acceptance of such adequacy decision involves consideration of the proposal offered by the European Commission, the opinion of the European Data Protection Board (EDPB), authorization from representatives of EU countries, and the acceptance of such a decision by the European Commission. 

When such a decision is accepted by the EU, personal data from the EU countries and that of its member states can flow freely without any additional safeguard to third countries, in this instance, the Republic of Korea. Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, United Kingdom, and Uruguay have so far been recognized by the European Commission as providing adequate decisions.

On 16th June 2021, the European Commission launched the procedure for the adoption of an adequacy decision for transfers of personal data to South Korea under the General Data Protection Regulation (GDPR).

Views and opinions on the process towards adoption of adequacy decision for South Korea

On adoption of the adequacy decision, personal data from the EU countries and that of its member states can flow freely to South Korea’s commercial operators as well as public authorities. The adequacy decision would synchronize the trade agreement EU-Republic of Korea Free Trade Agreement (FTA) and will boost mutual aid between the two nations. 

Vera Jourova, Vice-President for Values and Transparency, said: “This agreement with the Republic of Korea will improve the protection of personal data for our citizens and support business in dynamic trade relations. It is also a sign of an increasing convergence of data protection legislation around the world. In the digitalised economy, free and safe data flows are not a luxury, but a necessity.” While the Commission for Justice, Didier Reynders said, “Two years ago, we created the world’s largest area of free and safe data flows with Japan. Soon the Republic of Korea should follow – another important partner in East Asia and another big achievement. The Republic of Korea has a strong track record in the area of data protection. The fact that the EU and the Republic of Korea have similar privacy standards is beneficial to both companies and citizens.”

While reviewing South Korea’s data protection law, EDPB found the central aspects of the law are, overall, equivalent to that of the European data protection framework. However, the EDPB pointed out that some parts of the draft require clarification and for this purpose it has called upon the EC to clarify certain aspects of South Korea’s data protection law. Some of these aspects are (a) the binding nature, enforceability, and validity of Notification; (b) restrictions regarding withdrawal of consent; (c) the concept of pseudonymisation and exemptions thereof; and (d) information provided to individuals in case of onward transfers. Further, in respect of the processing of personal data by public authorities for law enforcement and national security purposes, the EDPB pointed out that the draft decision should contain specific conditions for onward transfers of personal data transferred from the European member states. To highlight these observations in detail:

  • The EDPB observed that the PIPA, Korea exempts pseudonymization of data from a number of provisions. On the contrary, the GDPR allows such exemptions only in limited circumstances. The EDPB has recommended that the impact of pseudonymization be assessed and check whether and how these wide exemptions affect the fundamental rights and freedoms of the data subjects whose personal data is being transferred to the Republic of Korea under the adequacy decision.
  • The EDPB pointed out that the Korean law allows onward transfers from a controller based in Korea to a third country based recipient, with the data subject’s consent. The EDPB has asked the EC to ensure that data subjects are informed about the country to which their data will be transferred before consent is collected.
  • In light of the recent case of the European Court of Human Rights, the EDPB has expressed its concerns about the disclosure of personal data by telecommunication providers to national security authorities. The EDPB recommended that the EC must clarify that the interception of telecommunication data in bulk is not permitted, as this may impact data subjects’ rights.
  • The EDPB has invited the EC to consider the impact of the provision pertaining to the limited withdrawal of consent, as provided under the Korean law.
  • With regards to the complaint redressal mechanism, the EDPB has asked the EC to clarify the requirements to file a complaint with the data protection authority and to ensure that the data subjects are provided with effective remedies and can implement their right to redress.

Conclusion and the way forward

It is pertinent to note here that South Korea has, on 28th September 2021, introduced a bill amending the PIPA, which includes provisions on automated decision making and on transfers, amongst others. This amendment may help the EC to tend to some of the concerns expressed by the EDPB. It was only after scrutinizing Korea’s data protection legislation, the EDPB has highlighted that the existing safeguards apply in the context of government interference of the communications between and amongst the data subjects, as well as the restrictions that limit such interference taking place from the outside of South Korea.

The next steps involve that the EC launch the procedure for assessment and accordingly, of the adoption of its adequacy finding. Such adoption will require satisfaction and a go-ahead from the EDPB. The EDPB however, stresses that the EC must continue to monitor the legislative developments in South Korea after the adoption of the adequacy decision, and reassess its decision as necessary.


  1. Relevant laws such as the PIPA, The Act on the Use and Protection of Credit Information, The Communications Privacy Protection Act –
  2. PIPA Enforcement Decree – 
  3. Personal Information Protection Commission –
  4. Whiteboard on PIPA, Korea – 
  5. Regulation (EU) 2016/679 – 3AOJ.L.2016.119.01.0001.01.ENG&toc=OJ%3AL%3A2016%3A119%3ATOC 
  6. Opinion of the EDPB – 
  7. Adoption of an adequacy decision for transfers of personal data to South Korea – 
  8. EU-Republic of Korea Free Trade Agreement – 
  9. Draft decision on adequate protection of personal data in Korea – 
  10. Data Protection: European Commission launches the process towards adoption of the adequacy decision for the Republic of Korea – 

Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.


Please enter your comment!
Please enter your name here