UK’s first data adequacy decision in effect with South Korea

UK’s first data adequacy decision 

On 19 December 2022, the UK’s first data adequacy decision came into effect with South Korea. The decision allows the free flow of personal data between the two countries and also marks the UK’s first step, since leaving the European Union, in formalising new data relations with other countries.

Options for international transfers

The UK GDPR outlines the restrictions on transferring personal data outside the UK. Any international transfers need adequate safeguards.

There are various options available under Article 46 UK GDPR, including an adequacy decision, UK Binding Corporate Rules and the use of Standard data protection clauses (known as “Standard Contractual Clauses”).

Standard Contractual clauses are the most commonly used safeguard, and the UK GDPR sets out two “appropriate mechanisms” organisations can use:

• an International Data Transfer Agreement (“IDTA”) or
• an International Data Transfer Addendum (“Addendum”) which is an addendum to the new standard contractual clauses issued by the European Commission under the EU GDPR on 4 June 2021 (“New EU SCCs”). The New EU SCCs are not valid for restricted transfers under the UK GDPR on their own, but transfers are permitted if they also include the Addendum

The least burdensome option for transferring data internationally is an adequacy decision, which allows data to move freely between the UK and the relevant third country. An adequacy decision signifies that the UK Data Authority, the ICO, considers that the third country provides an adequate level of data protection.

What does the South Korea adequacy decision mean?

The UK has formally determined that data laws in South Korea provide an adequate level of protection. Organisations may, therefore, transfer data between the UK and South Korea without completing a transfer impact assessment and without using a prescribed data transfer mechanism under Article 46 (as outlined above).

The South Korea adequacy decision is wider than the EU’s adequacy decision for South Korea as it also covers the transfer of personal data related to credit information, which the EU’s adequacy decision does not.

More to come?

As the UK progresses more agreements with third countries, international data transfers will become significantly easier. It is understood that the UK Government is seeking to formalise agreements with the following countries:

- Australia

- Colombia

- Dubai International Financial Centre

- Singapore and

- United States of America

Conclusion

The South Korea adequacy decision is expected to be the first of many adequacy decisions. These should help simplify the flow of data from the UK to third countries. It will also reduce the financial burden of bilateral trade with South Korea and, in the future, with other third countries, once adequacy decision are reached with them.

However, progressing adequacy decisions will take time. In the meantime, if you or your organisation are considering transferring personal data to a third country, you should ensure that you are complying with one of the conditions set out in Chapter 5 of the UK GDPR, which covers Article 46 safeguards, as well as other mechanisms for lawful transfers, such as those laid down by the derogations in Article 49 for ad hoc transfers.

In addition, if you or your organisation rely on the standard data protection clauses, then the upcoming changes to SCCs should be on your radar. More information on the changes can be found here.