1.

Progress

In December 2021, the EU issued an adequacy decision to Korea, finding Korea’s personal information protection regime equivalent to that of the EU. As a result, personal data of EU citizens can be transferred to Korea without further requirements.

However, the EU’s decision was unilateral, enabling transfers only from the EU to Korea. To facilitate transfers in the opposite direction (i.e., Korea to the EU), the PIPC pursued mutual recognition of equivalence.

The March 2023 PIPA amendment established a legal basis for equivalence recognition (Article 28-8, Paragraph (1), Item 5). Subsequent steps included the development of a promotion plan for equivalence with the EU (February 2024) and policy discussions with the European Commission at the Global Privacy Assembly (November 2024).

On November 19, 2024, the expert committee on overseas transfers concluded that the EU’s data protection standards matched those of Korea. After inter-ministerial consultations and a thorough review, the PIPC formally resolved to recognize EU equivalence in its plenary meeting on September 3, 2025.
 

2.

Implications and Expected Effects

With this decision, Korea now mirrors the EU’s adequacy decision by permitting personal data transfers from Korea to the EU without requiring prior consent from the data subjects. This is expected to greatly facilitate data flows between Korea and the EU.

However, organizations must still comply with the relevant PIPA provisions, including requirements for providing personal information to third parties and the protection of data subjects’ rights. Adequate safeguards must be implemented to ensure the security of data transferred overseas and to manage grievances and resolve any disputes arising from personal information infringements.

This is the first instance in which Korea has determined that another jurisdiction’s data protection is substantially equivalent to its own. The decision may set a precedent for future recognition of equivalence with countries outside the EU.