UK signs ‘in principle’ data adequacy agreement with South Korea

Bilateral adequacy agreement will allow businesses to conduct cross-border data transfers with minimal restrictions

The UK has agreed a data adequacy deal “in principle” with the Republic of Korea, allowing the free flow of data between the jurisdictions and supporting more than £1.3bn in data-dependent trade.

The in-principle data adequacy agreement is the UK’s first since leaving the European Union (EU), and is set to be particularly beneficial to enterprises with significant operations in both countries.

This includes the likes of AstraZeneca, Standard Chartered, Samsung and LG Electronics, which will no longer need contractual safeguards in place – such as international data transfer agreements or binding corporate rules – to share data between the UK and South Korean jurisdictions.

The UK government said the agreement will reduce the administrative and financial compliance costs companies would normally face when looking to transfer data overseas, and that the two countries will work together on “the direction and improvement of data frameworks” going forward.

The agreement further commits both the UK and South Korea to working together to “meet the global challenges and opportunities on data”, including via cooperation with other “strategic partners” through multilateral initiatives such as the newly established Global Cross Border Privacy Rules (CBPR) Forum.

However, the data adequacy decision has only been agreed in principle, which means it is yet to be finalised and is light on detail.

“Today marks a huge milestone for the UK, the Republic of Korea and the high standards of data protection we share,” said then UK data minister Julia Lopez, who resigned from her position on 6 July over the controversy surrounding prime minister Boris Johnson. “Our new agreement will open up more digital trade to boost UK businesses and will enable more vital research that can improve the lives of people across the country.”

John Whittingdale MP, the UK prime minister’s trade envoy to the Republic of Korea, said: “The agreement reflects the strong relationship which already exists between our two countries and our shared commitment to high standards of data protection. By enabling the free flow of data, I have no doubt that this will reduce barriers and help businesses to trade.”

Alongside the in-principle adequacy agreement, the UK Information Commissioner’s Office (ICO) has also signed a memorandum of understanding (MoU) with the South Korean Personal Information Protection Commission (PIPC), which sets out how the authorities will continue to share experiences and best practice, cooperate on specific projects of interest, and share information or intelligence to support their regulatory work.

“Cooperation between international data protection authorities is essential in times of global data-driven business and this MoU builds on the strong collaboration the two authorities already have,” said the ICO in a statement. “The MoU comes after the PIPC was restructured as an independent data protection authority in Korea following the amendment to three data protection laws, and also at a time of increasing trade between the UK and Korea.”

The ICO said it welcomes the adequacy announcement, adding: “The UK government is responsible for the adequacy process with other countries, and the ICO will support and assist in line with our defined role in the adequacy process.”

According to the government’s own MoU with the ICO from March 2021, the data protection regulator will be consulted before any adequacy agreement is finalised.

The UK announced the Republic of Korea as a priority country for data adequacy – alongside the US, Australia, Singapore, the Dubai International Finance Centre and Colombia – in August 2021.

EU data adequacy with South Korea

The announcement of an independent data adequacy deal in principle comes six months after the EU finalised its own adequacy agreement with the Republic of Korea in December 2021, following the conclusion of official talks in March that year.

A total of 12 adequacy decisions have been made by the EU under the General Data Protection Regulation (GDPR) since it came into effect in May 2018, covering Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

On the distinction between the EU’s and the UK’s separate adequacy agreements with South Korea, Ashley Winton, a fintech and privacy partner within the data group at law firm Mishcon de Reya’s innovation department, said the European Commission’s declaration is limited.

“It excludes personal data from religious organisations, political parties and credit data, and in relation to all other personal data, it provides that certain additional rules must be followed when the personal data is in Korea,” he told Computer Weekly.

Winton added that while the UK government’s agreement in principle makes no mention of these limitations, similar aspects could be included when more detail about the agreement is revealed.

“The new agreement does, intriguingly, stress the need for ‘more scalable solutions’ and makes reference to the Global CBPR Forum,” he said. “This is an international framework created by the US Department of Commerce that covers the US, Canada, Japan, the Republic of Korea, Philippines, Singapore and Taiwan.”

Read more about data transfers and adequacy

In March 2022, the EU and US separately announced they had reached a data privacy agreement – known as the Trans-Atlantic Data Privacy Framework – to replace Privacy Shield and allow data sharing across the Atlantic.

Winton further added that if the UK, following Brexit, is unable to obtain its own replacement to Privacy Shield – the data protection framework that enabled the free flow of data between the US and EU, but which was struck down in July 2020 on the basis that it failed to ensure European citizens adequate right of redress when data is collected by the US intelligence services – “joining this [Global CBPR] forum could be an effective way for businesses in the UK to transfer personal data safely to the US – albeit perhaps at the expense of the EU adequacy declaration for transfers of personal data from the EU to the UK”.

Speaking with Computer Weekly, Estelle Massé, global data protection lead at international non-governmental organisation Access Now, noted that the UK-South Korea adequacy agreement is the second data flow deal announcement to use the phrase “agreement in principle”.

“It was first used in March this year for the EU-US data flows deal,” she said. “It is interesting to see the UK following the lead of the EU, not only in making steps to grant an adequacy to Korea, but also in using this vague and unclear language to announce it.

“An ‘agreement in principle’ provides very little information on the legal details of a deal. In fact, it merely confirms an intention to reach an agreement, but a lot may still be up in the air. For instance, nearly four months after the ‘agreement in principle’ was announced between the EU and the US, we are still waiting for information on actual reforms and legal texts that will be the foundation of that deal.”

EU adequacy with the UK

Although the European Commission granted the UK data adequacy in June 2021, allowing British businesses to continue exchanging data with Europe, it warned this may yet be revoked if the UK’s new data protection rules diverge significantly from the EU’s.

This is because the UK government has proposed watering down the country’s data protection regime as part of a move to cut red tape and boost its competitive position following Brexit.

Many of these proposed changes are outlined in a consultation on the UK’s data landscape, which was launched on 9 September 2021.

Entitled Data: a new direction, the proposals suggest removing organisations’ requirements to designate data protection officers (DPOs), ending the need for mandatory data protection impact assessments (DPIAs), and introducing a “fee regime” for subject access requests (SARs).

It also includes a proposal from Downing Street’s Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) to ditch the UK GDPR Article 22, which protects people from being subject to solely automated decision-making.

In its official response to the consultation, the government confirmed that it “will not pursue this proposal”, but said it is considering how to amend Article 22 to clarify how it applies in practice. “Reforms will cast Article 22 as a right to specific safeguards, rather than as a general prohibition on solely automated decision-making,” it said. “Reforms will enable the deployment of AI-powered automated decision-making, providing scope for innovation with appropriate safeguards in place.”

However, the other proposals to relax the rules around DPOs, DPIAs and SARs were all accepted by the government in its response.

Another area of concern to the EU are UK laws that allow government agencies to access and retain bulk data on individuals who are not under suspicion.

MEPs have previously argued, for example, that this practice is inconsistent with GDPR, and that data sharing between UK signals intelligence agency GCHQ and the US National Security Agency “would not protect EU citizens or residents”.

Read more on IT for government and public sector

Data Center
Data Management