How Do You Solve a Problem Like Korea?

By making it the subject of the UK’s first post-Brexit UK GDPR data adequacy decision of course! With effect from 19 December 2022, the UK has designated the Republic of Korea as providing an adequate level of personal data: see the Data Protection (Adequacy) (Republic of Korea) Regulation 2022. Regulation 2(2) specifies that a “transfer described by this subsection is a transfer of personal data to a person in the Republic of Korea who is subject to the Personal Information Protection Act as that Act forms part of the law of the Republic of Korea and has effect from time to time“.

Published online is a dashboard of relevant documents made available by DCMS, including translations of the core Korean (core-an?) data privacy legislation, and a supportive Opinion of the Information Commissioner on the adequacy decision. Note that the test the Commissioner has applied is whether the Secretary of State’s view that an adequate level of protection is provided is “reasonable”. For reasons not entirely clear, DCMS appear now to wish to refer to adequacy decisions as “data bridges”. 

Regardless of the nomenclature, more controversial decisions will surely come (Korea already has a, slightly different, adequacy decision from the EU) and no doubt litigation will at some stage follow. But the first UK-specific data adequacy decision is nonetheless a significant step for the domestication of the GDPR regime post-Brexit.

Christopher Knight