The UK has agreed a data adequacy deal “in principle” with the Republic of Korea, allowing the free flow of data between the jurisdictions and supporting more than £1.3bn in data-dependent trade.
The in-principle data adequacy agreement is the UK’s first since leaving the European Union (EU), and is set to be particularly useful to businesses with significant operations in both countries.
This includes the likes of AstraZeneca, Standard Chartered, Samsung and LG Electronics, which will not need contractual safeguards in place – such as international data transfer agreements or binding corporate rules – to share data between the UK and South Korean jurisdictions.
The UK government said the agreement will reduce the administrative and financial compliance costs companies would usually face when looking to transfer data overseas, and that the two countries will work together on “the direction and improvement of data frameworks” going forward.
The agreement further commits both the UK and South Korea to working together to “meet the global challenges and opportunities on data”, including through cooperation with other “strategic partners” through multilateral initiatives such as the newly established Global Cross Border Privacy Rules (CBPR) Forum.
However, the data adequacy decision has only been agreed in principle, which means it is yet to be finalised and is light on detail.
“Today marks a huge milestone for the UK, the Republic of Korea and the high standards of data protection we share,” said then UK data minister Julia Lopez, who resigned from her position on 6 July over the controversy surrounding prime minister Boris Johnson. “Our new agreement will open up more digital trade to boost UK businesses and can enable more vital research that may improve the lives of people across the country.”
John Whittingdale MP, the UK prime minister’s trade envoy to the Republic of Korea, said: “The agreement reflects the strong relationship which already exists between our two countries and our shared commitment to high standards of data protection. By enabling the free flow of data, I have no doubt that this can reduce barriers and help businesses to trade.”
Alongside the in-principle adequacy agreement, the UK Information Commissioner’s Office (ICO) has also signed a memorandum of understanding (MoU) with the South Korean Personal Information Protection Commission (PIPC), which sets out how the authorities will continue to share experiences and best practice, cooperate on specific projects of interest, and share information or intelligence to support their regulatory work.
“Cooperation between international data protection authorities is vital in times of global data-driven business and this MoU builds on the strong collaboration the two authorities already have,” said the ICO in a statement. “The MoU comes after the PIPC was restructured as an independent data protection authority in Korea following the amendment to a few data protection laws, and also at a time of increasing trade between the UK and Korea.”
The ICO said it welcomes the adequacy announcement, adding: “The UK government is responsible for the adequacy process with other countries, and the ICO will support and assist in line with our defined role in the adequacy process.”
According to the government’s own MoU with the ICO from March 2021, the data protection regulator might be consulted before any adequacy agreement is finalised.
The UK announced the Republic of Korea as a priority country for data adequacy – alongside the US, Australia, Singapore, the Dubai International Finance Centre and Colombia – in August 2021.
EU data adequacy with South Korea
The announcement of an independent data adequacy deal in principle comes six months after the EU finalised its own adequacy agreement with the Republic of Korea in December 2021, following the conclusion of official talks in March that year.
A total of 12 adequacy decisions have been made by the EU under the General Data Protection Regulation (GDPR) since it came into effect in May 2018, covering Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
On the distinction between the EU’s and the UK’s separate adequacy agreements with South Korea, Ashley Winton, a fintech and privacy partner within the data group at law firm Mishcon de Reya’s innovation division, said the European Commission’s declaration is limited.
“It excludes personal data from religious organisations, political parties and credit data, and in relation to all other personal data, it provides that certain additional rules have to be followed when the personal data is in Korea,” he told Computer Weekly.
Winton added that while the UK government’s agreement in principle makes no mention of these limitations, similar aspects could be included when more detail about the agreement is published.
“The new agreement does, intriguingly, stress the need for ‘more scalable solutions’ and makes reference to the Global CBPR Forum,” he said. “This is an international framework created by the US Department of Commerce that covers the US, Canada, Japan, the Republic of Korea, Philippines, Singapore and Taiwan.”
In March 2022, the EU and US separately announced they had reached a data privacy agreement – known as the Trans-Atlantic Data Privacy Framework – to replace Privacy Shield and allow data sharing across the Atlantic.
Winton further added that if the UK, following Brexit, is unable to obtain its own replacement to Privacy Shield – the data protection framework that enabled the free flow of data between the US and EU, but which was struck down in July 2020 on the basis that it failed to ensure European citizens adequate right of redress when data is collected by the US intelligence services – “joining this [Global CBPR] forum could be an effective way for businesses in the UK to transfer personal data safely to the US – albeit perhaps at the expense of the EU adequacy declaration for transfers of personal data from the EU to the UK”.
Speaking with Computer Weekly, Estelle Massé, global data protection lead at international non-governmental organisation Access Now, noted that the UK-South Korea adequacy agreement is the second data flow deal announcement to use the phrase “agreement in principle”.
“It was first used in March this year for the EU-US data flows deal,” she said. “It’s interesting to see the UK following the lead of the EU, not only in making steps to grant an adequacy to Korea, but also in using this vague and unclear language to announce it.
“An ‘agreement in principle’ provides very little information on the legal details of a deal. In fact, it merely confirms an intention to reach an agreement, but a lot may still be up in the air. For instance, almost four months after the ‘agreement in principle’ was announced between the EU and the US, we’re still waiting for information on actual reforms and legal texts that will be the basis of that deal.”
EU adequacy with the UK
Although the European Commission granted the UK data adequacy in June 2021, allowing British businesses to continue exchanging data with Europe, it warned this may yet be revoked if the UK’s new data protection rules diverge significantly from the EU’s.
This is because the UK government has proposed watering down the country’s data protection regime as part of a move to cut red tape and boost its competitive position following Brexit.
Many of these proposed changes are outlined in a consultation on the UK’s data landscape, which was launched on 9 September 2021.
Entitled Data: a new direction, the proposals suggest removing organisations’ requirements to designate data protection officers (DPOs), ending the need for mandatory data protection impact assessments (DPIAs), and introducing a “fee regime” for subject access requests (SARs).
It also includes a proposal from Downing Street’s Taskforce on Innovation, Growth and Regulatory Reform (TIGRR) to ditch Article 22 of the UK GDPR, which protects people from being subject to solely automated decision-making.
In its official response to the consultation, the government confirmed that it “is not going to pursue this proposal”, but said it is considering how to amend Article 22 to clarify how it applies in practice. “Reforms will cast Article 22 as a right to specific safeguards, rather than as a general prohibition on solely automated decision-making,” it said. “Reforms will enable the deployment of AI-powered automated decision-making, providing scope for innovation with appropriate safeguards in place.”
However, the other proposals to relax the rules around DPOs, DPIAs and SARs were all accepted by the government in its response.
Another area of concern to the EU is UK laws that allow government agencies to access and retain bulk data on individuals who aren’t under suspicion.
MEPs have previously argued, for example, that this practice is inconsistent with GDPR, and that data sharing between UK signals intelligence agency GCHQ and the US National Security Agency “wouldn’t protect EU citizens or residents”.