Ducks overlooking outside scenery on bridge.
  1. Home >
  2. Snapshots >
  3. Data protection >
  4. >
  5. UK’s first adequacy decision since leaving EU permits data transfers to South Korea

SHARE:

UK’s first adequacy decision since leaving EU permits data transfers to South Korea

Published on 31 March 2023

The question

What is the impact of the UK-South Korean data transfer deal on businesses?

The key takeaway

The UK government has passed legislation which allows personal data transfers between the UK and the Republic of Korea (ROK) without the requirement for additional safeguards. This is the UK’s first adequacy decision since leaving the EU.

The background

As a result of leaving the EU, the UK and EU data protection regimes have diverged. However, provisional arrangements following Brexit mean that the countries in the EEA and all countries covered by the EU’s adequacy decisions pre-Brexit are also considered adequate for the purposes of the UK GDPR.

The EU passed an adequacy decision in respect of the ROK in December 2021 which does not apply to the UK GDPR. Therefore, for the purposes of the UK GDPR, the ROK was not an adequate country and parties intending to transfer data to the ROK would have to complete a transfer risk assessment and put in place safeguards to protect data.

The development

The UK government has now finalised the Data Protection (Adequacy) (Republic of Korea) Regulations 2022 (SI 2022/1213) (the Regulations) which specify the ROK as an adequate country for the purposes of data transfers under the UK GDPR.

The effect of this adequacy decision is that transfers to the ROK (which are subject to the Korean Personal Information Protection Act) no longer require a transfer risk assessment or that safeguards be in place, most commonly standard contractual clauses between sender and recipient or binding corporate rules. The UK government estimates that removing these requirements would cut administrative and financial burdens for UK businesses by £11m a year.

Why is this important?

This is the first adequacy decision made by the UK independently since leaving the EU and would allow for seamless data transfers to the ROK. It is also broader than the EU’s adequacy arrangement with the ROK and allows for the transfer of personal data related to credit information. The UK Government has earmarked other countries for adequacy decisions in the future including Australia, India, Singapore and the USA.

Any practical tips?

Organisations currently transferring data to the ROK should assess the impact of this decision on their present arrangements. Standard contractual clauses and binding corporate rules are typically drafted to apply to “restricted transfers” only. Transfers to the ROK are no longer considered a “restricted transfer”, so such arrangements are no longer necessary. It would be worth revisiting contracts involving data transfers with entities in the ROK at the relevant time to ensure these are brought up to speed with this change in approach.

Spring 2023