On November 2018, the South Korean National Assembly considered a bill to amend the Personal Information Protection Act (“PIPA”) to give the Personal Information Protection Commission (“PIPC”) enforcement powers of its own.

PIPA, which was enacted on September 30, 2011, provides the main framework for South Korea’s strict data privacy regime and governs the collection, usage, disclosure and other processing of personal information. PIPA applies to all private and governmental organizations, unless there is sector-specific legislation (such as the Act on Promotion of Information and Communication Network Utilisation and Information Protection (the “Network Act”), the Act on Use and Protection of Credit Information, the Framework Act on Electronic Commerce, the Medical Service Act, or the Act on Real Name Financial Transactions and Guarantee of Secrecy) which provides for different rules in specific industries. Notably, PIPA established the PIPC as the independent supervisory body, and set down strong penalties for breaches which include heavy fines and even imprisonment for data handlers.

South Korea has been seeking an adequacy decision from the European Union (the “EU”) since 2015. An adequacy decision is a finding made by the EU Commission which ratifies that the data protection legislation and systems in place in a non-EU country (“third country”) provide a comparable level of protection to that in the EU, such that personal data can be transferred safely from countries in European Economic Area (the 28 EU Member States, Norway, Liechtenstein and Iceland) to that third country and without the imposition of further authorisations. Although the third country's data protection regime does not need to be identical to that of the EU, there must be "essential equivalence." Under Article 45.2(b) of the General Data Protection Regulation, when assessing equivalence, the EU Commission must take into account “the existence and effective functioning of one or more independent supervisory authorities in the third country…with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers.” Under PIPA in its current form, the PIPC does not have any enforcement powers. Instead such powers are assigned to the Ministry of the Interior and Safety (the “MIS”), which is a government body and therefore not independent.

Accordingly, South Korea is now looking to amend PIPA to hand the enforcement functions of the MIS and the Korea Communications Commission (which is the sanctioning authority under the Network Act) over to the PIPC. Commentators say that once such changes have been made, South Korea will be in a good position to obtain an EU adequacy decision.