Law amendments with reference to the EU General Data Protection Regulation (GDPR, henceforth) are flooding in Korea. It signals that GDPR is one way or another treated as a landmark for regulatory policy on data space. However, a point to see before such benchmarking is whether GDPR itself is compatible with the WTO Agreement. If not, Korea is likely to suffer from the same trade conflicts as the EU would face. Motivated by the concern, this study seeks to figure out key trade issues of Korea’s recent law amendments inspired by GDPR.
The GDPR applies to all companies processing the personal data of data subjects residing in the EU, aiming to protect its citizens from privacy and data breaches as well as to facilitate free flow of data in the region. One of the major features of GDPR is the extended jurisdiction, so that it applies to the processing of personal data of the EU data subjects by a company not established in the EU. Non-EU businesses processing the data of EU citizens must appoint a representative in the EU to meet the obligations imposed by GDPR. Such requirement to appoint a local representative may be understood as a compliance measure in the GATS context.
There is another kind of compliance measure, so-called ‘adequacy test.’ A country outside the EU should be recognised by the European Commission as having adequate protections in place in order to freely transfer personal data to somewhere outside the EU. It is the Commission that makes the final decision on adequacy status. Alternative route for a company without regional establishment to secure adequacy status for offshore processing personal data of EU citizens is to get an approval from supervisory authorities of EU Member States. In such instances, it is necessary for the company to adduce adequate safeguards for the protection of privacy and personal data.
Is extraterritorial jurisdiction or adequacy test of GDPR trade-friendly then? Despite the lack of any available legal basis in trade agreements, the GATT dispute settlement panel once rejected extraterritorial jurisdiction because it would undermine the legal security of the multilateral trade framework. Adequacy test has potentially severe problems in terms of the GATS consistency. It is basically a discriminatory measure by reasons of origin, so that services and service suppliers are presumed to be of like. Unless such differential treatment is effectively justified by some other characteristics inextricably linked to such origin, it could constitute discrimination under MFN or national treatment obligations on a case-by-case basis. It deserves special attention for the EU to have a safeguard against such potential violations, none other than the GATS Article XIV (General Exceptions). In fact, this option is feasible for the EU because adequacy test is a compliance measure. Recourse to GATS Article XIV is available on the condition that challenged measure is a compliance measure, as far as it may be concerned with protection of privacy and personal data.
Korea has been maintaining strong opt-in regulation on cross-border data transfer including personal data and space information. Contrary to regulation on space information equipped with solid national security ground, regulation on personal data transfer overseas is relatively vulnerable to trade friction. Views are spreading that Korea should change its policy stance to cope with the 4th industrial revolution, a common saying since 2016. Public sentiment still seems to put more weight on data sovereignty than usage in light of the recent law amendments. Patterns are unusual in law-making. Legislation is lingering in the Personal Information Protection Act that is the general law on the protection of personal data. In contrast, legislative efforts are very active in sectoral laws such as the ‘Telecommunications Business Act (TBA, henceforth)’ and ‘Internet Multimedia Broadcast Services Act (IMBSA, henceforth).’ Seemingly having little connection to the protection of personal data, they frequently adopt extraterritorial jurisdiction, local representative appointment requirement and adequacy test of GDPR.
There are more to mention. Benchmarking GDPR, amendment bills of TBA and IMBSA claim to stand for relieving reverse discrimination in regulation. In a word, bill drafters presumably intend to solve regulatory issues induced by cross-border supply of value-added telecommunications services through capitalizing extraterritorial jurisdiction and local representative appointment requirement of GDPR. However, it is not unlike we try to open the lock with a wrong key. Figuratively speaking, it is a crossbite between means and end. Regulatory approach of this kind often leads to trade conflicts.
Much more serious attention is due to two elements of the amendment bill of ‘Act on Promotion of Information and Communications Network Utilization and Information Protection, etc.’ One is the reciprocity provision and the other is the local server requirement. Aiming to authorize overseas transfer of personal data on a reciprocal basis, the former is scheduled to go into effect very soon. This clause is obviously a measure by origin discriminating between foreign online service suppliers. Without MFN exemptions registered in any trade agreements, Korea has no authority to implement such a measure. Although the latter is pending at the National Assembly, it is highly likely to run counter to Korea’s market access and national treatment obligations in the context of GATS and KORUS FTA as well. Therefore, repealing the amendments is greatly advisable to stop Korea from being embroiled in unnecessary trade disputes.