Table of Contents

Introduction

Access to and the sharing of data are increasingly critical to achieve digital transformation and data-driven innovation. In the last few years, countries have focused on “data governance,” in particular how, where, and when data, including personal data, should be collected, stored, combined, and analyzed.1 In June 2020, President Moon Jae-in of the Republic of Korea (hereinafter the ROK or Korea) announced the Digital New Deal to spearhead a forward-looking innovative economy. The Digital New Deal envisioned an accelerated transition to a digital economy by extensively digitalizing the national infrastructure while fostering the DNA—data, network, and artificial intelligence (AI)—ecosystem and non-face-to-face industries.2 The government’s new focus on data governance reflects both technological and social dynamics: the growing importance of global cloud computing services; the emergence of new, powerful big data and machine-learning algorithms; and increasing public concerns about data protection and cybersecurity.

Despite the growing need for access to data and the resulting economic and social benefits, data access and sharing have not realized their full potential due to ever-growing barriers to data access. Many countries have practiced data localization (also known as data localism or data nationalism), such as requiring data, particularly personal data, be stored and accessible inside their borders. This has certainly complicated cross-border data flows with the effect of restricting the development of digital economy. The privacy, data protection, and cybersecurity concerns used to justify data localization are real and important.3

Korea is often listed among those countries with significant data localization requirements.4 Privacy or data protection is certainly a major driver of the controls on cross-border data flows in Korea. However, Korea joined the Cross-Border Privacy Rules (CBPR) system of the Asia-Pacific Economic Cooperation (APEC) in June 2017. Korea has been bolstering privacy protections and diminishing barriers to data flows among the APEC economies that joined the CBPR, including Canada, Japan, and the United States. This chapter focuses on the evolution of Korean policy of data protection and cross-border data flows by analyzing the relevant Korean laws.5 It explores how Korea has been making efforts to balance between the use of personal data and the data protection internally and to successfully facilitate cross-border data flows.

The Korean Legal Framework for Data Protection and Privacy

Privacy and data protection in Korea are addressed generally by Articles 17, 16, and 18 of the Korean Constitution and specifically by various laws. These articles in the Korean Constitution track Article 12 of the Universal Declaration of Human Rights and Article 17(1) of the International Covenant on Civil and Political Rights: The privacy of citizens must not be infringed, all citizens must be free from intrusion into their place of residence, and the privacy of correspondence of citizens must also not be infringed. Although data protection or the protection of personal information is not explicitly stipulated in the Korean Constitution, in 2005, the country’s Constitutional Court recognized the existence of the right to self-determination of personal information as a fundamental right.6

Nohyoung Park
Nohyoung Park has been a professor of law at Korea University Law School since 1990, where he has also been dean of the Law School and vice president. His background is in international economic law focusing on the WTO, but he also studies cybersecurity and data privacy, and negotiation and mediation.

Over the last twenty years, several laws on privacy and data protection have been enacted in Korea that flow from these constitutional and legal strictures. Korea enacted the Personal Information Protection Act (PIPA) on March 29, 2011, which became effective on September 30, 2011. This was supposed to be Korea’s general law on data protection as it applied to the processing of personal information in both the private and public sectors.7 However, the Act on Promotion of Information and Communications Network Utilization and Information Protection (known as the Network Act) in 2016 ultimately had a larger impact on the private sector because it applies to the protection of personal information processed by information and communications service providers in the internet environment. Through the so-called three data laws’ amendment adopted by the National Assembly on January 9, 2020, the PIPA has become at last a truly general law on data protection by taking those provisions on data protection under the Network Act.8

Korea has adopted special laws on data protection covering different sectors or types of personal information (see table 10).

Implementation of Korean Privacy and Data Protection Laws

The Personal Information Protection Commission

Through the three data laws’ amendments of 2020, the Personal Information Protection Commission (PIPC) has become a genuinely independent supervisory authority, similar to those found in European Union (EU) countries under the General Data Protection Regulation (GDPR).9 The PIPC sits under the Office of the Prime Minister and is charged “to independently conduct work relating to the protection of personal information.”10 The PIPC chairperson is subject to the direction and supervision of the prime minister, according to the president’s orders. Nevertheless, the following missions are not subject to the prime minister’s direction and supervision: matters concerning investigation into infringement upon the right of data subjects and the ensuing dispositions; the handling of complaints or remedial procedures relating to personal information processing and mediation of disputes over personal information; and matters concerning the assessment of data breach incident factors.11

Balancing the Use and Protection of Personal Information

The PIPA purports to protect personal information. Its purpose is “to protect the freedom and rights of individuals, and further, to realize the dignity and value of the individuals, by prescribing the processing and protection of personal information.”12 Like many data protection laws around the world, the PIPA was enacted by referring to the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which are regarded as model data protection principles in most countries. Unlike the OECD guidelines, the Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data (108 Convention) of the Council of Europe and the GDPR, however, the purpose of the PIPA does not explicitly mention the use or cross-border flows of personal information.13 The PIPA has been dubbed “Asia’s toughest data privacy law” by the scholars Graham Greenleaf and Whon-il Park, as it tilts the balance in favor of the protection of personal information.14

Still, the approach to and the level of data protection provided in the PIPA have been criticized for obstructing the advancement of the Fourth Industrial Revolution, which relies on big data analytics and artificial intelligence. Thus, the revision of the legislative framework for data protection has been a hotly debated part of regulatory and institutional reforms suggested by the Presidential Committee on the Fourth Industrial Revolution (PCFIR). There were several hackathons and deliberations by the PCFIR to reform data protection laws in early 2018. The results were reflected in the amendment to major laws relating to data protection introduced in the National Assembly on November 15, 2018. The three data laws’ amendment enacted in February 2020 expanded the PIPA and gave the PIPC independent and stronger enforcement powers. Yet industry representatives used the slogan of the Fourth Industrial Revolution and blocked the efforts of nongovernmental organizations trying to stick to stronger protection of personal information.15 It remains to be seen whether the application and implementation of Korean data protection laws (including the PIPA) will really encourage more active and innovative use of personal information.

Korea has not been an island in developing its data protection regime. Indeed, Korean laws on data protection have developed by referring to the international documents as well as foreign laws like the European Union’s GDPR. Through the three data laws’ amendment, for example, new concepts like pseudonymization were adopted by the PIPA and the Credit Information Act, and data portability by the latter law.16 These concepts had already been introduced by the GDPR. Moreover, the PIPC is designed to be precisely the type of supervisory authority provided for in the GDPR, as Korea has been trying to meet the GDPR’s adequacy criteria.17 On March 30, 2021, the PIPC and the European Commission jointly announced the successful conclusion of the adequacy talks between Korea and the EU. The adequacy decision is expected to be made by the European Commission sometime in 2021.18 The adequacy dialogue confirmed the high degree of convergence in data protection between Korea and the European Union. Achieving an adequacy decision from the European Commission may imply that Korean laws on data protection will correspond to the developments of the GDPR if Korea intends to keep an adequacy status.

Cross-Border Transfer of Personal Information and Data Localization Under Korean Laws

Korea’s data protection laws, including the PIPA, constrain any company or government agency wishing to transfer personal information outside Korea. The data, other than personal information, is protected under the laws governing intellectual property in Korea.19 The U.S. government and industry have argued that the restrictions the PIPA imposes on the transfer of personal information outside of Korea are too strict, and this has become a subject of contention between the two countries.20

Cross-border transfer of personal information may be classified into two types for regulatory purposes: providing personal information to third parties abroad and outsourcing personal information processing abroad. In most cases, providing personal information to third parties is conducted for the benefit of the transferee, while outsourcing of personal information processing is conducted for the benefit of the transferor.21 The differences between the two types of cross-border transfer are substantial, especially for the personal information of information and communications service users (hereinafter IT service users). The prior consent of and some form of notice to IT service users are required for providing personal information to third parties abroad, whereas outsourcing does not necessarily require prior consent of IT service users.22 For outsourcing the processing of personal information, the notice and consent may be replaced, inter alia, by the posting of the required notice in the controllers’ privacy policies.23

Providing Personal Information to Third Parties Abroad

Under the PIPA, when providing data subjects’ personal information to third parties abroad, the controller must obtain the prior consent of those data subjects.24 To do this, a controller must follow the same procedure used to notify data subjects about how their personal information might be transferred to domestic third parties. In both cases, data subjects must be notified: the entity to which the personal information is provided; the purpose of using the personal information by the entity to which such information is provided; the particulars of the personal information to be provided; the period of time when the personal information will be used and retained; and the fact that the data subject is entitled to refuse consent, and the disadvantages, if any, resulting from the refusal to give consent.25 These requirements are regarded to be “stringent” on service providers seeking to transfer customer data outside Korea.26

Transferring IT Service Users’ Personal Information Abroad

The PIPA has special provisions applying to the transfer of personal information abroad by information and communications service providers (hereafter IT service providers).27 Thus, the general provisions applicable to providing personal information to third parties abroad, as provided in Article 17(3), do not apply to transferring personal information of the IT service users abroad. IT service providers must obtain IT service users’ consent if they intend to provide, outsource the processing of, or store IT service users’ personal information abroad. IT service providers must notify IT service users of the following information in advance before obtaining such users’ consent: the particulars of the personal information to be transferred; the country to which the personal information is transferred, the date of transfer, and transfer methods; the name of the entity to which the personal information is transferred; and the purpose of using the personal information and the period of retaining and using such personal information by the entity to which such information is transferred.28

IT service providers must implement safeguards as prescribed by the Enforcement Decree of the Personal Information Protection Act (hereinafter Presidential Decree 30892) if they intend to transfer the personal information of IT service users abroad with the prior consent of the latter.29 The safeguards to be implemented are measures to ensure the safety for protecting personal information in accordance with internal management plans, measures to handle the complaints relating to data breach and dispute resolution, and other measures necessary to protect IT service users’ personal information.30 IT service providers intending to transfer personal information abroad must in advance consult the safeguards mentioned above with the entity to which such information is transferred and reflect them in the terms of any contract.31

IT service providers need not obtain IT service users’ consent to outsource the processing of or storage of such personal information. However, if all the items, which must be notified to IT service users, are made public in the privacy policy of the IT service providers or if the IT service users are notified using a method such as email, or by another method prescribed by Presidential Decree 30892, including written notices.32 IT service providers must obtain IT service users’ consent, however, when providing, including accessing, IT service user’s personal information to third parties abroad.

Onward Transfer of IT Service Users’ Personal Information to a Third Country

The entity to which the personal information of IT service users is transferred, when transferring such information to a third country, must comply with the provisions of the PIPA applicable to transferring such information abroad.33 Thus, for the onward transfer of IT service users’ personal information, Articles 39-12 (1 through 4) for the cross-border transfer of personal information discussed above must be observed by such IT service providers transferring to another third country. The data protection during onward transfer is an element for the adequacy decision by the European Commission.34

Designation of Domestic Agents

IT service providers with no address or business office in Korea that meet the criteria prescribed by Presidential Decree 30892 must designate a domestic agent in writing.35 A foreign IT service provider is required to designate a domestic agent if it has sales for the preceding year that reached or exceeded 1 trillion Korean won, roughly equal to $890 million; its sales from IT services for the preceding year reached or exceeded 10 billion Korean won, roughly equal to $8.9 million; it stored or maintained at least 1 million domestic users’ personal information on an average daily basis over the three months immediately before the end of the preceding year; or it caused or is likely to cause a data breach incident in violation of the PIPA and was required by the PIPC to submit relevant articles, documents, and so on as part of an investigation.36

On behalf of the IT service provider, the domestic agent does the following: fulfilling the role of a data protection officer; notifying and reporting data breaches, including the loss, theft, or divulgence of personal information; and submitting related articles, documents, and so on when required by the PIPC.37 If the domestic agent violates the PIPA, its IT service provider is deemed to have committed such a violation.38 A domestic agent must have an address or business office in Korea.39 When a domestic agent is designated, contact information for the agent must be included in the privacy policy.40 Through the designation of a domestic agent, the PIPA may have de facto extraterritorial effect by indirectly controlling those foreign IT service providers abroad.41

Reciprocity and the Transfer of Personal Information Abroad

When implementing data protection laws, countries must deal with a tension between the desire to encourage the inbound cross-border data flows and the need to ensure their citizens’ personal data is protected at home and abroad. Countries with equivalent levels of data protection will allow and encourage cross-border data flows between each other.42

Recently, countries like China, Russia, and Vietnam have restricted cross-border flows of personal information. In reaction to these actions, Korea has embraced the reciprocity principle to encourage and enable the cross-border transfer of personal information. Thus, personal information may not be allowed to be transferred to foreign IT service providers located in a country that restricts the transfer of personal information abroad.43 This provision was designed to respond to the different levels of data protection in different countries. However, the requirement of reciprocity is not applicable when the transfer of personal information abroad is necessary to implement a treaty or other international agreement.44 The proper application of the reciprocity principle would require detailed internal guidelines so as not to impair bilateral relations with those countries to be subject to the restrictions applied by Korea. Although there needs to be a flexible and reasonable response to other countries’ restrictions on cross-border flows of personal information, there must be clear guidelines for the reciprocity principle to apply consistently and proportionately. The implementation of the reciprocity principle is also to be added to the missions of the PIPC.

Export of Location-Based Data Disputed by the United States

The Act on the Establishment, Management, etc. of Spatial Data (Spatial Data Act) prescribes matters concerning the standards and procedures for the surveying of land and waterways as well as the preparation, management, and so on of cadastral records and comprehensive real estate records.45 The Spatial Data Act has a provision that may affect the cross-border transfer of information, particularly location-based data. No person can take abroad the results of a fundamental land survey: when it is likely to harm national security (or other important national interests) or when the land survey data are confidential as defined by other statutes.46 In addition, no person can take abroad the results of a publicly available survey in cases where it is likely to harm national security (or other important national interests) or where the data are confidential.47 Nevertheless, a consultative body may make a decision to allow the results of a fundamental survey to be taken abroad after the national security implications of doing so are considered.48

There is no general legal prohibition on exporting location-based data in Korea. Nevertheless, Korea has not approved the exportation of location-based data, although there have been numerous applications by foreign suppliers.49 U.S. companies, including Google, seeking approval to export location-based data in order to offer competitive mapping and navigation services, have argued that Korea is linking such approval to individual companies’ willingness to blur satellite imagery of Korea on their global mapping service sites for national security concerns.50 As a matter of fact, Article XXI of the General Agreement on Tariffs and Trade (GATT) provides for the security exceptions, which are supposed to be judged by the claiming World Trade Organization (WTO) member itself.51 Nevertheless, the United States argues that Korea is the only significant market in the world that maintains such restrictions on the export of location-based data.52

Cross-Border Transfer of Personal Information and Data Localization Under Korean Foreign Trade Agreements

Korea has been an assertive player in negotiating bilateral, plurilateral, and multilateral trade agreements. As such, it has negotiated some data-specific provisions that have influenced, or been influenced by, its domestic paradigm. Since the conclusion of its first free trade agreement (FTA) with Chile in 2003, Korea has concluded twenty-one FTAs.53 The Korea-Chile FTA does not have provisions on cross-border data flows and data localization as such, but its subsequent FTAs generally do. Those data localization provisions, except for the Regional Comprehensive Economic Partnership (RCEP), address the location of computing facilities in the context of financial services.

Under the Korea-EU FTA and the Korea-U.S. FTA, Korea expressed its intent to undertake modification to its regulatory regime that will result in its adoption of approaches that will permit the transfer of financial information across borders while addressing such areas as the protection of sensitive information of consumers, prohibitions on unauthorized reuse of the sensitive information, the ability of financial regulators to have access to records of financial service suppliers relating to the handling of such information, and requirements for the location of technology facilities.54

Under the Korea-U.S. FTA, the parties recognize the importance of the free flow of information in facilitating trade, and thus they must endeavor to refrain from imposing or maintaining unnecessary barriers to electronic information flows across borders.55 This “endeavor” obligation for free flows of electronic information across borders, although not being directly binding, must be a commitment by the parties, in principle, to not impose data localization requirements. Notably, there are no provisions on data localization in the Korea-China FTA. The rigid requirements of data localization provided in China’s various laws and regulations may explain why no provision was agreed on data localization in the Korea-China FTA.56

The RCEP includes provisions on the location of computing facilities in Chapter 12 on electronic commerce.57 First, the parties recognize that each party may have its own measures regarding the use or location of computing facilities, including requirements that seek to ensure the security and confidentiality of communications.58 Second, any party must not require a covered person to use or locate computing facilities in that party’s territory as a condition for conducting business in that party’s territory.59 Third, a party is not prevented from adopting or maintaining any measure inconsistent with the obligation not to require the use or location of computing facilities that it considers necessary to achieve a legitimate public policy objective.60 The measure taken above must not be applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.61 In addition, a party is not prevented from adopting or maintaining any measure that it considers necessary for the protection of its essential security interests.62 Such measures must not be disputed by other parties.63 Thus, the essential security interests may work as a definite and decisive excuse for adopting or maintaining the measures regarding the use or location of computing facilities.

Lessons From Korea’s Experience

Korea has become a major manufacturing powerhouse and, like other countries, seeks to anchor its next economic surge in the deployment of data and the development of a digital economy. To make breakthroughs in the Fourth Industrial Revolution and cultivate new industries and growth paths, Korea has adopted several national strategies and policies to fully use data including personal information. Thus, the Personal Information Protection Act was recently amended to cover pseudonymization of personal information to facilitate more use of personal information, following the example of the EU’s GDPR. Korea has also supported free cross-border flows of personal information in the development of digital trade rules in the WTO and the G20 as well as its FTAs.

Korea needs more good quality data, including personal information, ready and fit for uses in the global digital economy. This means Korea needs both stronger data protection within its borders and free cross-border data flows with limited data localization requirements outside its borders.

The challenge, then, is that Korea needs to keep its data protection laws effective to protect data subjects while enabling more use of personal information and developing the digital economy. The digital economy can develop stably only with the trust of customers or clients who willingly provide their personal information. The good news is that after four years of negotiation, the European Commission is expected to make an adequacy decision in Korea’s favor later in 2021, as it already issued a draft decision on the adequate protection of personal data by Korea on June 14, 2021. After the PIPA is formally recognized to have an equivalent level of data protection to the GDPR, Korea will be able to import more good quality personal information from the EU. And, in a sense, the EU, for its part, will be able to export its data protection rules to Korea. Korea’s data protection laws, including the PIPA, are very likely to be affected by the developments in the EU.

Data protection laws protect data subjects in processing their personal information. Data protection is considered a fundamental right both in the EU and in Korea. Thus, the collection and use of personal information must be based on the consent of data subjects in principle from the perspective of the right to self-determination of personal information. However, the consent of data subjects is not given priority in comparison to other legal bases for the collection and use of personal information both in the EU and in Korea. Critics of Korean privacy laws argue that Korea allows the cross-border transfer of personal information only upon the consent of the data subjects concerned. This rule in the PIPA would indeed restrict the cross-border transfer of personal information, but the PIPA is expected to be amended later in 2021 to cover other legal bases for cross-border transfer of personal data, like those in the GDPR. As the PIPA has the reciprocity principle to discourage the restriction of the cross-border flows of personal information, Korea will have to facilitate the outbound flow of personal information.

Privacy and data protection and cybersecurity in the digital economy need to be understood in a different way from the current WTO rules, which were negotiated and agreed without knowing the digital economy or trade in data properly. These concepts have been an important exception to free trade in the GATT and the General Agreement on Trade in Services (GATS), but in the digital economy and digital trade, privacy and data protection are important to obtain and sustain the trust of individuals. Cybersecurity is also important to protect the flows of data. Thus, privacy and data protection and cybersecurity are to be recognized as essential elements positively supporting the stable operation of digital trade where data, including personal information, flows cross country borders. In this respect, privacy and data protection and cybersecurity measures should not be viewed as unjustifiable or unreasonable causes of data localization, although they must not be unjustifiably misused or abused intentionally.

The problem is that there are not yet international agreements governing privacy and data protection, on the one hand, and cybersecurity, on the other. Indeed, there is a conspicuous gap in data protection levels even between democratic allies such as the United States and EU countries. Even after almost twenty years of negotiation on cybersecurity in the United Nations, there is no hope of reaching an international agreement in the near future.

One of the main tacit purposes of the GATT and the GATS was a need for governments not to interrupt international free trade by prescribing what they are allowed to do or not. Likewise, there is a good and urgent need for an international agreement for digital trade where governments are not allowed to unjustifiably interrupt cross-border flows of data. Privacy and data protection and cybersecurity are most common and plausible justifications that governments may raise for the sake of human rights and national security, respectively. Thus, a plurilateral agreement on trade-related aspects of electronic commerce, or on digital trade, being negotiated in the WTO can only be successful if it covers privacy and data protection and cybersecurity sufficiently to support digital trade or trade in data. Then, it seems that the digital trade provisions in the RCEP would affect the negotiations of digital trade rules in the WTO, as China is a major supporter of those provisions on its own. It remains to be seen whether the digital trade provisions to be agreed in the WTO would advance further in favor of free cross-border data flows than those of the RCEP. Newly negotiated digital trade rules of the WTO must be better than the United States-Mexico-Canada Agreement (USMCA), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), and the RCEP in dealing with privacy and data protection and cybersecurity at least in the context of digital trade.

Considering that many contracting parties to both the RCEP and the CPTPP are in the same boat, the difference in forging a way forward may come from countries that become first-movers. In a sense, China was the driving force behind the rather restrictive digital trade rules in the RCEP, while the United States was the driving force of the rather free digital trade rules in the Trans-Pacific Partnership agreement, the forerunner to the CPTPP. Korea has to push this debate and rule-making process forward. After all, the RCEP and its digital trade rules, in particular, may not satisfy Korea’s desire to develop digital trade. Thus, Korea needs to go further. For one, it must join the CPTPP in order to benefit from its much freer digital trade rules. If the United States also joins, the CPTPP may become a more influential instrument for digital trade than the RCEP. And that is not all. Korea and its democratic trading partners must also be more ambitious in negotiating and agreeing to freer digital trade rules in the WTO. Those digital trade rules must have more meaningful and effective rules on privacy and data protection and cybersecurity to support the stable operation of digital trade even for a limited number of WTO members in the beginning.

Korea has an important role to play in this effort because it has successfully developed data protection laws over the past ten years. And the impending PIPA amendment will further facilitate the use of personal information by adopting new elements like data portability and the right to respond to automated decisions. The PIPA amendment will also cover other legal bases for cross-border transfer of personal information in addition to the consent of data subjects. In this way, Korea, both by its own example and as a prospective leader in plurilateral and multilateral trade negotiations, could drive forward a new architecture of digital trade including data localization rules.

Acknowledgments

I would like to express my deepest appreciation to the Carnegie Endowment for International Peace, in particular Tim Maurer for inviting me to write the chapter, Evan Feigenbaum for encouraging the conduct of research, Michael Nelson for giving me good suggestions after a thorough review, and Alexander Taylor for taking care of administrative matters.

Notes

1 For example, on November 25, 2020, the European Commission published the Data Governance Act (DGA) in response to a public consultation on the European Strategy for Data. The DGA aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU. See also Australian Government, “Data Governance Framework 2020,” approved on August 24, 2020, https://www.aihw.gov.au/getmedia/a10b8148-ef65-4c37-945a-bb3effaa96e3/AIHW-data-governance-framework.pdf.aspx. This chapter uses the terms “personal data” and “personal information” in the same way. The latter is more often used in the context of Korean laws.

2 Cheong Wa Dae (President’s Office of Korea), “Opening Remarks by President Moon Jae-in at 6th Emergency Economic Council Meeting,” June 1, 2020, https://english1.president.go.kr/Briefingspeeches/Speeches/833. The Korean government has been pursuing digital economic policies based on the “Fourth Industrial Revolution Action Plan” made in November 2017.

3 For discussing the causes or reasons for data localization, see Joshua P. Meltzer, “Data and the Transformation of International Trade,” Brookings Institution, March 6, 2020, https://www.brookings.edu/blog/up-front/2020/03/06/data-and-the-transformation-of-international-trade/.

4 United States Trade Representative, “2021 National Trade Estimate Report on Foreign Trade Barriers,” March 2021, pp. 323–35; International Regulatory Strategy Group, “How the Trend Towards Data Localisation Is Impacting the Financial Services Sector,” December 2020, https://www.irsg.co.uk/assets/Reports/IRSG_DATA-REPORT_Localisation.pdf; and Nigel Cory, “Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?,” Information Technology and Innovation Foundation, May 2017, http://www2.itif.org/2017-cross-border-data-flows.pdf?_ga=2.45773412.1159173050.1620277743-1412413491.1620277743.

5 The following analysis of Korean laws is effective as of June 2021.

6 On May 26, 2005. See decision 99Hun-Ma513.

7 The PIPA was in fact developed from the Act on the Protection of Personal Information Maintained by Public Institutions where the Interior Ministry was responsible for its implementation. Thus, although the PIPA covers the processing of personal information by private sectors, the Interior Ministry, not the Personal Information Protection Commission, was responsible for the PIPA until the so-called three data laws’ amendment in 2020.

8 The three data laws’ amendment refers to the amendment to the PIPA, the Network Act, and the Credit Information Act. The PIPA was amended on February 4, 2020, and effective on August 5, 2020. This amendment records as the tenth since its enaction in March 2011. The Network Act is currently similar to the e-Privacy Regulation to be adopted by the European Union.

9 Before the amendment in February 2020, the enforcement powers under the PIPA were entrusted not to the PIPC but to the Interior Ministry. The PIPC had only deliberation powers on data protection policymaking until that amendment.

10 PIPA, Art. 7(1). The Korea Internet and Security Agency (KISA) performs the functions, including receiving reports of data breaches and collecting relevant materials from a controller in case of an alleged violation of the PIPA, delegated by the PIPC.

11 PIPA, Art. 7(2). First, the investigation power, given to the PIPC by the three data laws’ amendment in 2020, used to be conducted by the Interior Ministry. Those foreign-related companies were imposed administrative fines for violating the provisions of the PIPA. For example, Audi-Volkswagen Korea was imposed a fine of 12 million Korean won, roughly equivalent to $11,000, for violating the obligation of destruction after the expiry of the retention period in February 2018. In February 2019, along with other foreign-related companies, DHL Korea was fined 32 million Korean won, roughly equivalent to $28,000, for violating the obligation of notifying the required items to data subjects for obtaining their consent. Second, the Personal Information Dispute Mediation Committee has dealt with mediation over personal information disputes. The disputes subject to mediation have mainly involved the out-of-purpose use and provision to third parties of personal information, the collection of personal information without the consent of data subjects, and the denial of access to personal information or failure of taking measures necessary to correct or erase personal information, etc. Third, the PIPC may advise the head of central administrative agencies over matters necessary to improve the relevant statutes in terms of data protection by analyzing and reviewing the data breach incident factors of such statutes. It has been reviewing most of the statutes subject to enactment or amendment since September 2016. For example, the National Intelligence Service (NIS) submitted a proposal on the Framework Act on Cyber Security to the PIPC for assessment on October 25, 2016. The PIPC recommended the NIS, inter alia, to prevent the misuse and abuse of personal information by accurately defining the scope of data to be collected and used in cybersecurity activities. The proposal was automatically discarded, however, as the session of the National Assembly was closed in May 2020.

12 PIPA, Art. 1.

13 The 108 Convention is the first legally binding international instrument for data protection. On May 18, 2018, the Committee of Ministers of the Council of Europe adopted the protocol amending the 108 Convention. Korea, like Japan, the Philippines, and Indonesia in Asia, is accredited as an observer to the Consultative Committee established by the 108 Convention. Joining the Consultative Committee as an observer may imply that Korea would ultimately accede to the 108 Convention.

14 Graham Greenleaf and Whon-il Park, “Korea’s New Act: Asia’s Toughest Data Privacy Law,” Privacy Laws & Business International Report, no. 117 (June 2012): 1–6, (UNSW Law Research Paper No. 2012-28).

15 Mediaus, “Three Data Laws Criticized as the Law Stealing Human Rights in Information” (in Korean), July 17, 2020, http://www.mediaus.co.kr/news/articleView.html?idxno=188321.

16 The provisions on data portability and the right to respond to automated decisions are also included in a proposed amendment to the PIPA that was circulated in January 2021.

17 In January 2017, the European Commission adopted a communication on the international aspects of privacy, which set out the EU strategy in the field of international data flows and protection. In this communication it was announced that the European Commission would actively engage with key trading partners in East and Southeast Asia, starting with Japan and Korea. After the conclusion of the EU-Japan talks on adequacy decision in July 2018, the mutual EU-Japan adequacy decision was adopted on January 23, 2019.

18 The European Commission issued a draft decision on the adequate protection of personal data by Korea on June 14, 2021.

19 For example, trade secrets are protected under the Unfair Competition Prevention and Trade Secret Protection Act, where trade secret is defined as “information, including a production method, sale method, useful technical or business information for business activities, which is not known publicly, is managed as a secret, and has independent economic value.”

20 U.S. Department of State, “2020 Investment Climate Statements: South Korea,” https://www.state.gov/reports/2020-investment-climate-statements/south-korea/. A proposed amendment to the PIPA, covering the provisions on cross-border transfer of personal information, was circulated by the PIPC in January 2021. It remains to be seen whether this amendment would be successful throughout the legislative process in 2021.

21 Providing personal information to third parties includes sharing personal information with third parties. PIPA, Art. 17(1).

22 PIPA, Art. 39-12(2).

23 PIPA, Art. 39-12(2). Administrative fines not exceeding 20 million Korean won, roughly equivalent to $18,000, may be imposed for outsourcing the processing of, or storing, users’ personal information overseas in violation of this provision.

24 PIPA, Art. 17(3). Providing personal information to third parties abroad is more restricted than providing to domestic third parties in that there are other legal bases in addition to the consent of data subjects for the latter. See PIPA, Art. 17(1).

25 PIPA, Art. 17(2). For the prevention and combating of crime, including terrorism, the US and Korea may, in compliance with their respective national laws, in individual cases, supply with the personal data of the data subject(s), inter alia, that will commit or has committed a criminal offense, or participates in an organized criminal group or association, or will commit or has committed terrorist or terrorism-related offenses in the other country, or offenses related to a terrorist group or an association in the other country. The Agreement between the Government of the Republic of Korea and the Government of the United States of America on Enhancing Cooperation to Prevent and Combat Crime, signed on November 7, 2008, Art. 8(1). Public institutions may provide personal information to third parties abroad for other purposes than collected where it is necessary to perform a treaty or other international agreement; or where it is necessary for the investigation of a crime, indictment, and prosecution. PIPA, Art. 18(2)(vi) and (vii) respectively.

26 U.S. Trade Representative, “2017 National Trade Estimate Report,” p. 284.

27 For the protection of IT service users’ personal information transferred abroad, providing, outsourcing the processing of, or storing IT service users’ personal information abroad are collectively referred to as transferring. Providing IT service users’ personal information abroad includes accessing to such information. PIPA, Art. 39-12(2).

28 PIPA, Art. 39-12(3).

29 PIPA, Art. 39-12(4).

30 Presidential Decree 30892, Art. 48-10(1).

31 Presidential Decree 30892, Art. 48-10(2).

32 Presidential Decree 30892, Art. 48-10(3).

33 PIPA, Art. 39-12(5).

34 When assessing the adequacy of the level of data protection, the European Commission must take account of the elements including “rules for the onward transfer of personal data to another third country or international organization which are complied with in that country or international organization.” GDPR, Art. 45(2)(a).

35 PIPA, Art. 39-11(1). For example, Netflix, a global OTT service provider, has not been required to designate a domestic agent, because it has its own business office in Korea.

36 Presidential Decree 30892, Art. 48-9(1).

37 PIPA, Art. 39-11(1).

38 PIPA, Art. 39-11(4).

39 PIPA, Art. 39-11(2).

40 PIPA, Art. 39-11(3).

41 On September 9, 2020, the PIPC decided to recommend seven foreign IT service providers to improve the management of a domestic agent. Those IT service providers included Facebook, Microsoft, and TikTok. For reference, the GDPR provides for the designation of a domestic agent to exert its extraterritorial effect explicitly. The controller or the processor, which are not established in the EU, are required to designate a representative in the EU in the following two cases: (1) where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or (2) the monitoring of their behavior as far as their behavior takes place within the EU. GDPR, Art. 27.

42 For example, the 108 Convention of the Council of Europe seeks to reduce restrictions on transborder data flows between the contracting parties on the basis of reciprocity. Though, “an equivalent protection” provided in Art. 12(3)(a) of the convention needs to be carefully determined.

43 PIPA, Art. 39-13.

44 PIPA, Art. 39-13.

45 Spatial Data Act, Art. 1.

46 Spatial Data Act, Art. 16(2). See also Art. 14(3).

47 Spatial Data Act, Art. 21(2). See also Art. 14(3).

48 Spatial Data Act, Arts. 16(2) and 21(2). A consultative committee is organized by the minister of land, infrastructure and transport with the heads of the relevant agencies, including the minister of science and ICT, the minister of foreign affairs, the minister of unification, the minister of national defense, the minister of the interior, the minister of trade, industry and energy, the director of the national intelligence service, and so on.

49 U.S. Trade Representative, “2020 National Trade Estimate Report,” p. 320.

50 U.S. Trade Representative, “2019 National Trade Estimate Report,” pp. 324–25. The precise satellite imagery of certain facilities is argued to pose a threat to the national security of Korea, which is still technically in an armed conflict with North Korea.

51 According to Art. XXI(a), a contracting party (WTO Member) must not be required to furnish any information the disclosure of which it considers contrary to its essential security interests. In addition, according to Art. XXI(b)(iii), a contracting party must not be prevented from taking any action that it considers necessary for the protection of its essential security interests taken in time of war or other emergency in international relations. The “self-judging” principle seems to apply in this case. In the dispute raised with respect to Section 232 of the Trade Expansion Act of 1962, the United States argued that “the tariffs imposed pursuant to Section 232 are issues of national security not susceptible to review or capable of resolution by WTO dispute settlement.” Panel Report, United States-Certain Measures on Steel and Aluminum Products, Communication from the United States, WT/DS544/2, April 17, 2018. Although a ceasefire and armistice agreement brought the fighting to an end in 1953, the Korean War is technically still ongoing.

52 U.S. Trade Representative, “2020 National Trade Estimate Report,” p. 320.

53 Korea has concluded FTAs with Chile, Singapore, the EFTA, the Association of Southeast Asian Nations (ASEAN), India, the EU, Peru, the United States, Turkey, Australia, Canada, China, New Zealand, Vietnam, Colombia, the Republics of Central America, the UK, Indonesia, Israel, and Cambodia in chronological order. Korea is also a signatory to the Regional Comprehensive Economic Partnership (RCEP). The FTAs with Indonesia, Israel, Cambodia, and the RCEP have not yet entered into force.

54 The Korea-EU FTA, Annex 7-D on the additional commitment on financial services, para. 1, and the letter from Hyun Chong Kim and Sung Jin Kim on June 30, 2007, attached to Chapter 13 on financial services of the Korea-U.S. FTA. This kind of deference in regard to the requirements for the location of technology facilities is also provided in the Korea-Turkey FTA (Annex D on Schedule of Specific Commitments [Korea], Footnote 32), the Korea-Australia FTA (Annex 8-B on Specific Commitments, Section A[2] on Transfer of Information), the Korea-Canada FTA (Annex 10-B on Specific Commitments, Section C on Transfer of Information, para. 10, second sentence), and the Korea-Republics of Central America FTA (Annex 11-A on Cross-Border Trade [Korea], Footnote 9).

55 Korea-U.S. FTA, Art. 15.8.

56 For a brief analysis of China’s data localization requirements, see Dehao Zhang, “China: Data Localization Requirements,” September 1, 2020, https://www.fieldfisher.com/en/insights/china-data-localisation-requirements.

57 The RCEP was signed among the ten member states of ASEAN as well as Australia, China, Japan, Korea, and New Zealand on November 15, 2020. The RCEP was initiated by ASEAN, but China must have influenced its economic and political strength during the negotiations as the other signatories are largely dependent on China’s market.

58 RCEP, Art. 12.14(1). A similar provision is found in the CPTPP.

59 RCEP, Art. 12.14(2). The identical provision is found in the CPTPP and the USMCA.

60 RCEP, Art. 12.14(3)(a). The identical provision is found in the CPTPP.

61 RCEP, Art. 12.14(3)(a). The identical provision is found in the CPTPP.

62 RCEP, Art. 12.14(3)(b). This provision is not found in the CPTPP and the USMCA. This exception for essential security interests is also found for the cross-border transfer of information by electronic means. See RCEP, Art. 12.15(3)(b).

63 RCEP, Art. 12.14(3)(b). This provision is not found in the CPTPP and the USMCA.