EU privacy law will benefit Korea: Regulator

Vera Jourova, the European Union’s commissioner for justice, consumers and gender equality, speaks during an interview with the Korea JoongAng Daily and the JoongAng Ilbo in Seoul on Friday. [KIM SANG-SEON]

The world’s strictest law yet on data privacy went into effect across Europe on May 25, sending tech companies, hotels, airlines and any entity dealing in any way with people’s data scurrying to notify customers of the updated privacy policies.

The essence of the new law, called the General Data Protection Regulation (GDPR), is granting people the right to request the contents of their digital trail and demand they be deleted. The European Commission believes the robust measures could help eradicate mishandling of data as seen in the most recent case involving Facebook and a London-based political consultancy that impacted nearly 90 million people.

So why does a European law matter to Koreans? Since the new rules also regulate data flowing out of the European Union, countries must prove that they have an adequate level of data protection or introduce new safeguard measures before they can handle European information.

Korea has been pursuing adequacy talks with the European Union, and if the country can offer an equivalent level of data protection as in Europe, the free flow of data will be possible without further restrictions.

To accelerate the talks, Vera Jourova, the European commissioner for justice, consumers and gender equality who drafted the law, visited Korea and met with the prime minister, Lee Nak-yon, as well as representatives of the country’s data protection authorities, including the Korea Communications Commission.

“My role is something like a bodyguard who goes one day before to see the place, if it is safe,” Jourova told the Korea JoongAng Daily and the JoongAng Ilbo in an exclusive interview on Friday in Seoul after meeting with Korean representatives. “I am still of the opinion that we can finalize the discussions on the adequacy discussion this year.”

Many Korean companies remain skittish about compliance since those that fail to do so are subject to a heavy penalty - a maximum of 20 million euros ($23 million) or 4 percent of the worldwide annual revenue of the last financial year, whichever is higher. In response, Jourova said they should not be discouraged by the regulation because it will be imposed in a proportionate way and give companies a fair amount of benefits in doing business as well.

Below are edited excerpts from the interview with Jourova.

Q. Many Korean companies still fear the GDPR. Do you think the law is too strict in some parts?

A. Europe is not digital protectionist. I have also already received a lot of questions about whether Europe wants to destroy the digital business based on advertisement, and of course, I will always answer, “No.” Let them do the business which advertisers pay for. The business model is okay, but it must be fair, and you should be able to say at any minute, “I don’t want to continue.”

There are many people who are still unaware of the new risks. Then the Facebook scandal came and Mark Zuckerberg said, “We will apply GDPR globally.” So when we can imagine now after the Facebook scandal that by one mistake you can do harm to 90 million people, I can also imagine a sanction which will be that high as we foresee in the GDPR.

How did the adequacy talks go?

I had the pleasure and honor to meet with Prime Minister Lee this morning who ensured to me that Korea understands the protection of private data in a very similar way as we in Europe [do] - that it is a fundamental right which has to be guaranteed to every single citizen, and that it is more and more important with the expansion of digital technologies and the influence on our lives.

But a lot still has to be done. We are analyzing the Korean legal system, and once we find that it guarantees the same level of protection or equivalent level of protection, we can make the decision that data may flow.

How will the adequacy decision benefit Korean companies?

Once the adequacy decision is made, it will be of great help for companies doing business in European territory, because before last week, 28 different regimes had purview over protection of data. Now we have one unified regime which the company should communicate with in case of some data breach or some incident, and this increases legal clarity and, at the same time, decreases costs.

On the first day the GDPR went into effect, a privacy advocacy group, Noyb.eu, lodged complaints against tech giants like Google and Facebook, and there could be many more, especially against large tech firms. How will you deal with all the complaints?

In each member state in the EU, we have a data protection authority that checks companies’ compliance with laws based on their own risk assessment or complaints from users. [For Google and Facebook, it was the latter.] But my estimation is that, even without the complaints, they would check first the compliance of those who can do the biggest harm. And here I speak about the giant companies which monetize data in big volumes.

The basic grounds of the complaint were that tech firms made it inevitable for consumers to give consent on using data for their services. What is a better way of obtaining consent from consumers?

They have to ask you in a very clear and simple way - nothing like in three pages of difficult text - so that it is easy to check what other people have been asked and whether they gave their informed and affirmative consent. But this consent is the method of how to get in. The way out without leaving traces is the important thing, and that’s what I want the people to understand. This is your right to ask. Forget that I exist. Now give me everything back.

What if companies from a non-European country avoid paying fines? How much legal binding power does the law have in non-European countries?

We would like to see more arrangement from companies that have headquarters in European territory when they handle data. Even though the company is outside the EU, the rights are born in the EU when the company is operating in the European market using EU people’s data. In cases when a fine imposed is not paid, there will have to be legal instruments used, like some arbitration agencies. It’s not a question for data protection authorities on how to get the fine.

BY KIM JEE-HEE [kim.jeehee@joongang.co.kr]