Framework for Overseas Transfer of Personal Data in South Korea - Is it really enough to protect right of privacy?

I. Background

In the world of globalization and digitalization, transfer of data, especially including the “Personal Data” seems somehow irresistible flow by now. However, prior to the comprehensive revision of “Big 3 Data Acts”, including Personal Information Protection Act (“PIPA”), in August 2020, South Korean legislation de facto prohibited oversea transfer of personal data. However, following the aforementioned revision, South Korean legislation permits overseas transfer of personal data when it aligns the requirement in the Framework for overseas transfer of personal data (the “Framework”).

The Framework was understood as comparable to or incorporating core aspects of the GDPR(Global Data Protection Regulation) of the EU. This perception arose from the adequacy discussions initiated between South Korean and EU, which is started in 2017, and subsequent joint declaration of South Korea and EU of a high-level of adequacy between their respective Framework in March 2021, which was based on aforementioned revision of relevant statues of South Korea.

However, it does not inherently guarantee the Framework`s constitutionality or offer sufficient privacy protection. From my perspective, several contentious issues remain unresolved.

II. Summary of the Framework in South Korea

Ironically, there is no provision for justifying “Overseas transfer” of personal data in legislation, statutes, regulation, and rules of South Korea. Consequently, without explicit authority, the “Overseas transfer” of personal data is generally interpreted as the transfer(including inquiry) of personal data(by the definition in PIPA) between servers or computers located overseas. Requirements for overseas transfer of personal data in current Framework is following,

• Obtain separate consent from the data subject, after providing prior notice from a personal data controller. This notice should include specific details such as a list of the personal data transferred, transfer date, method and destination country, purpose of transfer and usage, period of retention and usage, as well as the method and consequences of refusal.
• Special provisions in a statute, a treaty, or other international conventions.
• In any case requiring personal data processing and retention for the conclusion and execution of a contract with the data subject, either through prior disclosure in the privacy policy or notice that contains specific details that should be included in the notice for a forementioned separate consent.
• Where the recipient of personal data obtains relevant certification of personal information protection by the Protection Commission, a governmental agency.
• Where the Protection commission recognizes that that the Framework of recipient country is substantially equal to the level of South Korean Framework

Also, a personal data controller that intends to transfer personal data overseas shall take protective measures described in the presidential decree and rules. However, also ironically, the relevant rules are not technically prescribed in details of such measures, rather based on principals and conceptions, like minimized process, transparency, safety, responsibility.

III. Discussion and Conclusion - Is the Framework enough or constitutional?

The new Framework of South Korea places emphasis on “Separate Consent”, which differentiate between ‘consent for transfer personal data oversea’ and ‘consent to “process” personal data (including collection, generation, connecting, interlocking, recording, storage, retention, value-added processing, editing, output, correction, recovery, use, provision, disclosure, and destruction of personal information and other similar activities, as defined by Art. 2 (2) of PIPA)

However, I believe that “Separate Consent” for transferring personal data overseas does not have a substantive effect on the protection of privacy.

First, suppose transferring data overseas under the control of personal data controller, without involving transfer of personal data to the third parties. In such cases, it simply involves relocating the physical storage location, and the controller of personal data remains subject to South Korean jurisdiction. However, under the new Framework, the controller of personal data is required to obtain separate consent, which can be seen as another superficial procedure imposed by bureaucratic officials.

Second, under PIPA, there is another ‘separate consent’ scheme on providing personal data to ‘third parties’, including domestic and foreign recipients. This implies that to provide personal data to foreign recipients, the controller of personal data must obtain three distinct consents from the data subject: one for collection, one for provision, and one for overseas transfer. However, requiring an additional consent specifically for overseas transfer may not serve as an effective safeguard, as the data subject has already confirmed the foreign recipient and consented to provide the data.

In short, it is challenging to find a rationale to support the “Separate Consent” scheme for transferring personal data overseas. It represents another form of overregulation, potentially running afoul of Art. 37(2) of the South Korean Constitution, which pertains to the principle of ‘the Less Restrictive Alternative’ in constitutional adjudication, mirroring the position of U.S Supreme court`s position as seen in the well-known case Shelton v. Tucker, 364 U.S 479, 487 (1960).

Next, technical provisions. In the initial stages of Big 3 Data Acts, including PIPA, policy makers leaned toward a more technical approach to ensure the adequacy of protection measures or other necessary measures for personal data. However, during discussions for the comprehensive revision of Big 3 Data Acts, regulators encountered criticism against this technical approach, due to its tendency to rely on limited technologies or programs. Therefore, PIPA departed from its previous technical approach, and adopted more conceptual, principle- based rules for protection measures after the revision.

Nevertheless, the impact of the revision was minimal, and subsequent changes were negligible, particularly for financial institutions. In respect of supervision and examination by supervisory authorities, it is almost impossible to prove adequacy of the system they used. This difficulty arises from the lack of technical expertise among supervisors, and the absence of specific guidelines to ascertain the adequacy of such systems. Consequently, financial institutions tend to adopt systems that have been verified in prior examinations or supervisions by regulators. This situation exemplifies another instance of 'under-regulation', highlighting the need for revisions to establish rules including minimal technical requirements to fulfill the purpose of protection.

<--/commentPlugin-->