South Korea introduces new committee on cross-border data flow

By Kuksung Nam, The Readable
Jan. 31, 2024 8:06PM GMT+9

South Korea is seeking to advance its governance over data flow as the country’s privacy agency launches an expert committee dedicated to transmitting data across borders.

On January 30, the Personal Information Protection Commission (PIPC) held an inauguration ceremony and announced the formation of the Expert Committee for Cross-border Transfer. The committee is comprised of twelve delegates, including one of the commissioners of the PIPC, representing diverse fields such as academics, law, industry, and civic groups.

The PIPC explained that the committee would be tasked with evaluating whether a certification, a country, and an international organization meet the same level of privacy standards as stated in the country’s law. After the committee’s assessment, the group plans to deliberate with appropriate authorities to finalize their decision after conducting internal discussions. If a certification, a country, or an international organization is found to be qualified, companies could transmit personal information without receiving consent from the users by either obtaining the verification or sending the data to certified countries.

Companies and organizations in South Korea could transfer their client’s personal information beyond the country's borders only if they first met specific requirements. Last year, the privacy agency adopted new rules that would allow companies to transmit data abroad if they first obtained PIPC designated certification. In addition, the revised law also stated that those who are in charge of managing the personal information could send the data to a country or an international organization that has been deemed by the PIPC to be equally trustworthy.

The changes come as the privacy agency aims to secure individuals' personal information while lessening the burden put on companies to abide by South Korea’s privacy law. According to PIPC’s January 11 findings, among almost 3,600 applications originating in the country in 2023, more than 760 transferred their users’ data to foreign countries such as the United States, Japan, and Singapore. This is a 10.4% increase compared to the level in 2022, when the number of applications was 696. The PIPC stated that although more than half of the companies are sending their data across borders as a means to manage customer service, there has been an increase in the number of companies that are transmitting these for the purpose of market analysis.

“Currently, the law allows one certification, the Personal information & Information Security Management System (ISMS-P), to count as representing a qualification,” said an official of the International Cooperation Division. “The committee will look into the matter in the long run and make the decision after.” The Readable asked if there was a specific country that the PIPC had in mind, but the official said that they could disclose no further details.

The cover image of this article was designed by Sangseon Kim. This article was copyedited by Arthur Gregory Willers.

Kuksung Nam is a journalist for The Readable. She has extensively traversed the globe to cover the latest stories on the cyber threat landscape and has been producing in-depth stories on security and privacy by engaging with industry giants, foreign government officials and experts. Before joining The Readable, Kuksung reported on politics for one of South Korea’s top-five local newspapers, The Kyeongin Ilbo. Her journalistic skills and reportage earned her the coveted Journalists Association of Korea award in 2021 for her essay detailing exclusive stories about the misconduct of a former government official. She holds a Bachelor’s degree in French from Hankuk University of Foreign Studies, a testament to her linguistic capabilities.