Free transfer of personal data to Republic of Korea: a historic adequacy decision is coming

The European Data Protection Board (“EDPB”) has issued its opinion on the draft adequacy decision published by the European Commission on last 16 June 2021 (available here) concerning the transfer of personal data to the Republic of Korea.

This is a decision that, once in force, will allow the EU economic operators – such as, first of all, all the electronic communication service providers, cloud providers and multinational companies - to freely transfer personal data from Europe to the Republic of Korea without having to adopt either the appropriate safeguards (e.g., "Standard Contractual Clauses") or the additional measures (e.g., consent of data subjects) required by Chapter V of EU Regulation No. 679/2016 ("GDPR").

Indeed, pursuant to articles 44 et seq. of the GDPR, the transfers of personal data to countries outside the European Economic Area or to an international organization are allowed provided that the adequacy of the third country or organization is expressly recognized by a decision of the Commission.

We will now examine in detail the contents of the opinion issued by the EDPB.

Firstly, it was noted that the Republic of Korea's legal framework on the protection of personal data is substantially aligned with the European one, especially with regard to the main definitions provided for by law (“personal data”, “processing” and “data subject”), the requirements for a lawful data processing, the general principles and the security measures.

This has been possible not only thanks to the presence of an effective privacy law (i.e., the "Personal Information Protection Act" or "PIPA" which came into force in 2011) but also because of a series of "notifications" (included the “Notification no. 2021-1”) issued by the Korean Data Protection Authority (i.e., "Personal Information Protection Commissioner" or "PIPC") which explain and make easily understandable the provisions of PIPA.

Moreover, as noted by the EDPB, the Republic of Korea is part of a number of international agreements that guarantee the right to privacy (including the "International Covenant on Civil and Political Rights", the "Convention on the Rights of Persons with Disabilities" and the “ONU Convention on the Rights of the Child"), which confirms the attention that the Republic of Korea has paid to the protection of personal data for several years now.

The EDPB's analysis then focused on some key aspects of PIPA that slightly differ from the GDPR and therefore require more attention - such as, in particular, the absence of a general right to withdraw the consent provided by the data subjects, for example, for marketing activities.

According to the EDPB, although article 37 of PIPA grants data subjects the right to request the “suspension” of the processing of their personal data - a right that can be exercised also in case of direct marketing, as expressly clarified by Recital 79 of the EU Commission adequacy decision – the PIPA provides for the right to withdraw the consent only in two specific cases:

  1. in relation to the transfers of personal data carried out in the context of special corporate operations (such as mergers, acquisitions, etc.);
  2. with regard to the processing of personal data for marketing activities by providers of electronic communication services.

The EDPB therefore considered it necessary to draw the Commission's attention to the above-mentioned issues in order to analyze in detail the consequences that, in the light of the Korean legal framework, the absence of such a right might cause for data subjects and to clarify, in the adequacy decision, the actual scope of the above-mentioned right to request the “suspension” of the processing.

Secondly, the EDPB observed that, pursuant to article 58 of PIPA, a substantial part of PIPA - including Chapters III, IV and V, which respectively regulate the general principles for data processing, the security measures and the rights of data subjects - does not apply to several processing of personal data (including those necessary to meet urgent needs for the protection of public health and safety).

The EDPB also notes that the word “urgent” in the PIPA expresses an extremely broad concept that needs to be limited and contextualized, also with the help of practical examples, in order not to compromise the confidentiality of the data subjects’ personal data.

Moreover, the EDPB, in the light of the current emergency situation caused by the Covid-19 pandemic, drew the Commission's attention in relation to the need to ensure an adequate level of protection also for personal data transferred to the Republic of Korea for purposes related to public health protection.

This is because "sensitive" information relating to European citizens (for example, the vaccination status), should receive at least the same level of protection as granted under the GDPR once transferred to the Republic of Korea. In this regard, the EDPB therefore invited the Commission to closely monitor the application of the exemptions provided for in article 58 of PIPA.

Finally, the EDPB considered it appropriate to focus on the possibility for Korean public authorities to access the personal data of European citizens for national security purposes. In this respect, there is no specific obligation for Korean authorities to inform data subjects of the access to their personal data, especially when data subjects are not Korean citizens.

However, even in the absence of such obligation, the balance between the needs of protection of the national security and the protection of the fundamental rights of the data subjects can be found in the same Korean Law that protects the privacy of interpersonal communications (the "Communications Privacy Protection Act" - see also Recital 187 of the adequacy decision), according to which the access to the personal data of European citizens for purposes of national security can be made only if certain legal requirements are met (for example, in the case of communications between "foreign agencies, groups or citizens suspected of being involved in activities threatening national security").

The EDPB notes that, as a further guarantee of the confidentiality of communications accessed by the Korean authorities, the South Korean Constitution states essential data protection principles applicable to this specific matter.

In the light of the favorable opinion issued by the EDPB, it is certainly desirable, and likely, that the European Commission will adopt an adequacy decision in respect of the Republic of Korea.

In an increasingly data-driven global economy based on the economic value of personal data as well as on the sharing of personal data, such an adequacy decision would open the door to the liberalization of trade with the east, also from a privacy perspective.

This regulatory intervention, object of this article, was due and awaited and it certainly follows the "Free Trade Agreement" between the EU and South Korea in force since 2011, which has been able to exponentially increase bilateral trade between the two countries (in 2015 the trade value of transactions amounted around € 90 billion).

Our hope is that, as the years go by, the European Commission's adequacy assessments will cover more and more legal frameworks so that the international transfer of personal data can represent a real and concrete instrument for promoting the economy and innovation worldwide.

The Italian Data Protection Authority and the 2021 inspections activity: biometric data, video-surveillance, food delivery and data breach will be in the spotlight between January and June

The Italian Data Protection Authority (DPA) has defined the boundaries of the inspection activity planned for the first six months of 2021. These will include n. 50 inspections to be conducted also by the Italian Finance Police (under delegation by the DPA) and will focus on the verification of compliance with the applicable privacy laws relating to the following matters of general interest:

  1. processing of biometric data for facial recognition also through video surveillance systems;
  2. processing of personal data in the context of the so-called "domestic video surveillance" sector and in the sector of audio/video systems applied to games (so-called connected toys);
  3. processing of personal data carried out by "data brokers";
  4. processing of personal data carried out by companies operating in the "Food Delivery" sector;
  5. data breach.

From this list two big developments emerge: in particular, this year the Italian DPA will extend its inspections also to the processing of biometric data, as well as to the processing carried out through video surveillance systems. These are two areas governed not only by the GDPR and the Privacy Code but also by various guidelines and other legal provisions, as well as by extensive case law.

Let us mention, just for example, the Guidelines of the Italian DPA on biometric recognition and graphometric signature of 2014, the renewed Article 4 of Law no. 300/1970 and Administrative Memo no. 5/2018 issued by the National Labour Inspectorate, the decision of the Italian DPA on video surveillance of 2010 and the recent FAQ on video surveillance of 5 December 2020, the national and EU case law concerning the monitoring of workers and the so-called "defensive controls", Opinion no. 2/2017 of the former Working Party art. 29 ("Opinion 2/2017 on data processing at work") as well as Guidelines no. 3/2019 of the European Data Protection Board (EDPB) on processing of personal data through video devices.

The above considerations lead us to think about the correct and complex task of identifying the privacy requirements to be met by data controllers and processors - i.e. the economic operators; indeed, especially before embarking on an activity involving the processing of biometric data or the use of video surveillance systems, it is necessary to clarify the particular circumstances of the case at issue (identifying the purposes of the processing, the security measures to be adopted, the possible involvement of any third-party providers, etc.) in order to correctly prepare the privacy documents required by the many applicable regulations (possibly with the help of specialized professionals).

Therefore, it will be interesting to analyse the results of the inspection activity of the Italian DPA to understand what will be - three years after the enactment of the GDPR - the level of compliance that the Authority will consider “acceptable” and what is the real level of compliance reached by the companies operating in our country who process special categories of personal data and use video surveillance systems.

Of course, the privacy obligations relating to the processing of biometric data or through video surveillance systems are on top of those generally required for the processing of personal data; consequently, in order to achieve full compliance with the privacy regulations in force, it is necessary not only to regulate particular areas of business activity (such as, for example, video surveillance or biometrics) but also to adopt (or rather, already have adopted) a solid internal privacy structure which - in case of inspections - can prove to the authorities that the processing of personal data carried out fully complies with the relevant legal provisions.

With particular reference to video surveillance, we would like to remind you that our Firm has developed and published on its website the quick and useful Guidelines for the installation of video surveillance systems, updated with the latest Italian and European regulations. You can consult the Guidelines here.

Contact tracing and COVID-19: the GDPR as a balance between the protection of health and the privacy right

The use of contact tracing technology is necessary and essential in order to deal with the Covid-19 emergency and protect the public health of our country. However, mapping the movement of individuals can have serious consequences for the protection of our privacy. So how can the right balance be found between the two fundamental rights of health and privacy of each individual?

“Contact tracing” is the expression of the moment. It is a digital system used for tracing physical contact between individuals and in that sense it represents an important technological measure aimed at containing and preventing the spread of the Covid-19 virus in our country (and elsewhere).

This tracking system should be implemented via the application called “Immuni”, designed and developed by the Milan-based software house Bending Spoons, which will (probably) be launched in Italy by the end of May 2020.

However, the tracking of contacts between individuals and the consequent use of their common and sensitive personal data (including health data) for purposes related to the protection of public health also has an impact on their privacy.

While, on the one hand, the protection of health is a right guaranteed by the Italian Constitution – wherein “health” is understood both as a fundamental right of the individuals and an interest of the community, pursuant to article 32 of the Italian Constitution - on the other hand, the protection of personal data (or the privacy right) is a fundamental right expressly provided for by the Charter of Nice and recognized by the Italian Constitution.

Furthermore, we should ask ourselves what could be the practical consequences of using contact tracing technology in our daily lives; how the relationship between the right to health and the right to protection of personal data has been dealt with at a regulatory level; and whether it is possible to rely on the use of this new technology without fear of violation of our right to privacy.

1. What is "Immuni" and how does it work?

Immuni is an application that can be downloaded on each mobile device and that generates - for each device - a temporary, anonymous and variable identification code (ID) which interacts, via “Bluetooth Low Energy” technology, with other nearby mobile devices, thereby collecting and storing the ID code and related metadata of those devices (for example, how long the connection with the other device lasted, the distance in meters, etc.). The data controller of the personal data collected by Immuni is the Italian Ministry of Health.

Immuni checks whether the nearby ID codes include so-called “positive IDs”, i.e. ID codes associated with mobile devices owned by people who are already infected (or rather, whose infection has already been ascertained by a healthcare facility); to perform this operation, Immuni downloads positive IDs from a publicly managed server at regular intervals and cross-checks them with the ID of the device on which the application is installed. Subsequently, Immuni processes the metadata collected through a special algorithm and determines whether a “potential risk of Covid-19 contagion” (which may be more or less high) may be established.

If the outcome of the above checks is positive and Immuni believes that there is a reasonable risk of contagion, the user receives a notice on his / her device indicating that he / she was in contact with an infected person and therefore invites him / her to follow certain instructions (including, for example, staying at home and/or carrying out diagnostic tests).

A practical example on how this works: Carlo and Giulia meet for a few minutes at a short distance from each other; they both downloaded Immuni and their mobile devices have captured each other’s ID codes. After a few days, Carlo discovers that he has Coronavirus and decides spontaneously (remember that there is no obligation in this regard) to upload this sensitive data to Immuni. Meanwhile, the app installed on Giulia’s smartphone examines the IDs she has collected and stored in its memory and cross-checks them with those downloaded from the public server, detecting the presence of Carlo’s ID. Subsequently, Giulia is informed through a notice sent by her Immuni app that she was in contact with a person that tested positive to the Coronavirus (without, however, indicating who that person is) and she is thereby invited to take certain cautionary measures.

2. The opinions of the European Data Protection Board and the Italian Data Protection Authority

The European Data Protection Board (see the “Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak”) and the Italian Data Protection Authority (see “Parere sulla proposta normativa per la previsione di una applicazione volta al tracciamento dei contagi da COVID-19”) have already issued their opinions on the use of geo-localisation of individuals and contact tracing tools during the Covid-19 emergency and have identified which measures should be taken in order to ensure that the data subjects’ personal data is processed without causing prejudice to their fundamental rights and freedoms.

In this regard, according to the Italian Data Protection Authority the contact tracing carried out through the Immuni app is in line with the criteria identified by the European Data Protection Board and is compliant with the data protection principles inasmuch as such contact tracing:

a) is regulated by a law that provides a sufficiently detailed description of the processing of personal data, the type of data collected, the guarantees given to the data subjects, the provisional duration of the measure (reference should be made to art. 6 of Italian Legislative Decree of 30 April 2020, no. 28);

b) is based on the voluntary participation of the data subject, excluding any form of conditioning of individual choice and, therefore, any possibile unequal treatment for those who decide not to consent to the tracking;

c) is designed to pursue a public interest purpose indicated with sufficient precision and excludes that the personal data collected is being processed for other different purposes, it being understood that there is the possibility (within the general terms provided for by the GDPR) of using the personal data, either anonymously or in aggregate form, for statistical or scientific research purposes;

d) appears to comply with the principles of minimisation as well as with the criteria of privacy by design and by default (set out in art. 25 of the GDPR), insofar as it provides for the collection of just the data that concerns the proximity or closeness of the devices and for their treatment in pseudonymous form, provided such collection may not occur in a completely anonymous form. Such collection must occur in such a way as to exclude the use of geo-localisation data and limit the storage of data to the time strictly necessary to reach the indicated purpose, with the automatic deletion at the expiry date.

In this regard, it should be noted that, pursuant to art. 6 of Italian Legislative Decree no. 28/2020, the use of Immuni and any related processing of personal data will have to cease at the end of the state of emergency and in any case within 31 December 2020, and all personal data processed must be permanently deleted or anonymized;

e) complies with the principle of transparency with respect to the data subjects, thus guaranteeing that before activating the app the users receive an information notice in accordance with the GDPR.

Consequently, the Italian Data Protection Authority supports the use of Immuni, however, it always maintains special attention towards the data subjects: indeed, in its opinion, the Authority clarifies that, on the one hand, the characteristics of the processing of personal data carried out by Immuni can be better identified and, on the other hand, adequate measures to protect the rights, freedoms and legitimate interests of the data subcjects can be adopted (in accordance with art. 2-quinquiesdecies of the Privacy Code and art. 36, para 5, of the GDPR).

3. GDPR as a balance between the protection of health and personal data

There is unfortunately a widely held opinion, especially among non-professionals, that privacy regulations are often a mere “bureaucratic complication” that act as an obstacle to the achievement of all those goals which involve a processing of personal data.

This is an erroneous and misleading opinion, often generated by a lack of knowledge about the law, which may also be dangerous in light of the consequences which it could lead to - let us just think, for example, about the remote possibility of completely forfeiting the use of a valid and efficient contact tracing system to deal with the health Covid-19 emergency inasmuch as such system allegedly may be “incompatible” with the protection of personal data.

This writer believes that the current scenario represents the perfect context to demonstrate that, on the contrary, privacy regulations may (and must) represent the “balance” which allows for the achievement of some of the most ambitious purposes – which certainly include the protection of public health - without giving up privacy.

First of all, it should be recalled that the European Data Protection Board had the opportunity to clarify that “the data and technologies used to contribute to the fight against COVID-19 must serve to give people more tools, rather than to control, stigmatise or repress their behavior”.

A careful analysis of Regulation no. 679/2016 (so-called “GDPR”) also shows that, with reference to health emergency situations, the European legislator does not place any obstacle in the way of pursuing important interests in the public health sector by means of the processing of personal data (see recitals 52 and 54 and art. 9, paragraph 1, letter g and i), where such interests also include “monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health”.

On the same basis, the Italian Privacy Code - updated lastly by Italian Legislative Decree no. 101/2018 - also refers to the provisions of the GDPR and indeed expressly considers “relevant” the interest of those who process personal data for the performance of public interest tasks (or tasks related to the exercise of public authority) in the health sector and for the health and safety of the population.

Consequently, it may be said that data protection rules support the adoption of measures and solutions aimed at curbing the spread of the Covid-19 without, however, forfeiting protection of individual privacy.

However, these solutions - and this is where the “balance” can be found - must always be based on laws that regulate them and that expressly establish appropriate and specific measures to protect the fundamental rights and freedoms of the data subjects, including the types of data that can be processed, the processing operations that can be carried out and the reason of the relevant public interest (see art. 9, paragraph 1, letter i of the GDPR and art. 2-sexies of the Privacy Code).

4. Conclusions and considerations

So can we “trust” Immuni? The answer must be affirmative.

As already said, the use of this app is left to the conscientiousness of each of us, since the key principle that inspires this app is the principle of willingness: each user, in other words, will be free to download it, to enter their personal data in the app, even related to their state of health (i.e Covid-19 positivity) and to comply or not with the instructions received from the app following a potential contact with an infected person.

However, experts tell us that at least 70% of the population should download it so that the app can contribute to a significant containment of the pandemic. This is certainly an ambitious objective, which, in order to be achieved, requires first of all a public awareness campaign aimed at making the app easy to understand, especially for those who are not experts in the field, and clarifying what are the guarantees identified by the Italian Government to protect our privacy.

Briefly, the guarantees that Immuni offers for the protection of our personal data, and that everyone has the duty to be aware of, are: transparency towards the data subjects (we will know before registering with the app, for example, for which purposes our personal data will be processed, for how long and to whom it will be communicated), the exclusivity of the purpose of the processing (our data will be used only for the containment of infections, excluding different purposes) and the minimisation of processing (only the data necessary to trace our contacts will be collected and reliable anonymisation and pseudonymisation techniques will be adopted).

But that’s not all. Indeed, spreading accurate knowledge of data protection rules, their real meaning, their function and their value is even more important, if not indispensable and essential, towards contributing to a widespread “legal culture” and pursuing an ambitious goal that we are all called upon to realize in this delicate historical moment.

The President of the European Data Protection Board, Andrea Jelinek, has expressly reiterated this concept to the European Commission by stating: “the voluntary adoption of a contact tracing system is associated with individual trust, thus further illustrating the importance of data protection principles”.

Awareness and trust. And vice versa.