An adequacy decision for South Korea may finally be on the cards. Cast your mind back four years (yes really!) to January 2017 when the European Commission announced it had launched a dialogue with South Korea with the aim of reaching an adequacy decision under Article 45(3) GDPR. South Korea, along with Japan, were identified as key trading partners in Asia, with whom the Commission would “actively engage” and “prioritise discussions on possible adequacy decisions”. The aim of these discussions was to foster “regulatory convergence towards the EU standards” and facilitate “trade relations”.

The joint statement, issued on 30 March 2021, is the culmination of the work undertaken to ensure “the high degree of convergence between the European Union and the Republic of Korea in the area of data protection”. The reform of South Korea's Personal Information Protection Act in 2020, the strengthening of the regulatory and investigatory powers of the Personal Information Protection Commission and agreed additional safeguards for transparency, sensitive data and onward transfers, helped conclude the talks and move the process forward.

The proposed decision will cover both private and public sectors and enable “free and safe data flows from the EU to the Republic of Korea”. In addition it is hoped the decision will foster closer regulatory co-operation, complement the EU-Republic of Korea Free Trade Agreement and “will open new opportunities for closer co-operation between the EU and the Republic of Korea to promote high standards of data protection at global level”.

As we know from the UK’s pending adequacy decision, the next steps are an opinion from the EDPB and after taking this into account the Commission will ask a committee of representatives from EU Member States to give the go ahead (the comitology procedure). Only following the successful completion of these stages can the Commission adopt the final adequacy decision for the South Korea.

Many are seeing this announcement as a positive step for both South Korea and the UK in their bid to have an EU adequacy decision granted in their favour. Given the willingness of the Commission to consider South Korea’s laws as potentially adequate, the robust nature of the UK’s data protection regime must raise hopes that the UK’s adequacy decision, along with South Korea’s, will navigate the tricky path through the comitology procedure with a positive outcome.