S-Space: College of Law/Law School, The Law Research Institute, Journal of Korean Law, Volume 17 Number 1/2 (2017/2018)
Cross-Border Transfers of Personal Data and Practical Implications
- Lee, Inhwan; Keh, Jennifer S.
- Issue Date
- Seoul National University Asia-Pacific Law Institute
- Journal of Korean Law, Vol.17 No.1, pp. 33-52
- personal data; cross-border transfer; third-party provision; delegation of personal data processing
- The cross-border transfer of personal data is an important and often-discussed issue in South Korea. As Korea's representative personal data protection regulations, namely, the Personal Information Protection Act (PIPA) and the Act on the Promotion of IT Network Use and Information Protection (Network Act), distinguish between the third-party provision of personal data and the delegation of personal data processing, it is helpful to analyze the overseas provision of personal data separately from the overseas delegation of personal data processing. Regarding the overseas provision of personal data, the requisite consent is deemed valid only if each third-party recipient is disclosed prior to obtaining the data subject's consent. Thus, it is difficult to obtain consent initially and when new recipients are added. In addition, as the PIPA and the Network Act do not address the issue of whether personal data can be submitted to foreign government authorities pursuant to foreign laws, it is difficult for companies to respond to requests for personal data from foreign government authorities. As for the overseas delegation of personal data processing, although the Network Act includes an exception to the consent requirement for the overseas delegation of personal data processing, companies that want to rely on this exception must carefully analyze the underlying scope of the delegation and the delegated tasks, as there is a lack of precedents and guidance from regulators on exactly when this exception applies. Moreover, companies that delegate the processing of their personal data overseas should ensure that they and their overseas delegatees comply with PIPA and the Network Act's various security requirements for protecting personal data. Last, companies should stay current on the latest international developments in light of Korea's recently joining the APEC CBPRs and Korea's ongoing efforts to obtain an adequacy decision from the European Commission.