Since about a week ago, a new batch of emails have started to fill my inbox. The senders are various entities -- publishing companies, journals, academic organizations, law firms, and even airlines -- in Europe and in Korea.

These emails ask for my consent to store and process my personal information such as contact details, dues payment, membership record, and the like. The senders all refer to the new regulation of the European Union called the General Data Protection Regulation that entered into force on Friday.

This new EU regulation aims to protect personal data like never before. Remember, at every turn of our online memberships and benefits, we provide our personal information. In essence, the choice is actually not ours to make. Unless all the “yes” boxes are checked, you cannot move to the next page. Many of us just check them without even bothering to read the fine print, after which, the information is saved somewhere, transferred elsewhere and shared with other entities. It disappears into cyberspace limbo and the provider loses control.

The GDPR purports to fix this problem. It requires very specific, unambiguous and informed consent from providers. Also, consenting individuals possess continuous control over the information provided. In addition, information collecting entities are required to have data protection officers in place. Noncompliance will entail harsh penalties: fines could be 20 million euros ($23 million) or 4 percent of total worldwide revenue. Given increasing concern over the provision and utilization of personal information, the direction the EU has taken is the right one.

The need for a new legal guideline to protect personal data is becoming an increasing reality. In the digital economy, such information constitutes a critical platform for production, sales and marketing of new products and services. To stay competitive, corporations must be keen to collect and process personal information. To the contrary, individuals become more vulnerable to the information gathering drive and schemes. Therefore, the market naturally demands new legal guardrails. And Europeans have taken the initiative.

After May 25, EU corporations are all alerted, of course. Interestingly and importantly, this new regulation has also put non-EU corporations in a hurried scramble mode. In other words, those covered by the new regulation are not just the companies or entities operating in the EU that are collecting and processing personal data. Those in other countries may also be subject to the regulation if they process information collected from EU citizens or their information processing is related to EU citizens. So, foreign companies who have customers in the EU or business operations in the EU even remotely -- which should be many by the way -- are all subject to the GDPR.

By way of example, Korean companies with EU customers should also be directly implicated by this regulation. As a matter of fact, some new emails that I am receiving now are from Korean companies.

“Extraterritorial” application of domestic law has often prompted responses from other countries whose companies and nationals are affected by the law. Given the harsh penalty provisions of the GDPR, its ultimate enforcement will probably lead to tension and clashes between Brussels and other countries.

Other countries are now all eyes and ears. Once they see how the EU regulation fares, they are likely to follow suit.

The increasing sensitivity also demands introduction of a similar legal framework in Korea to better protect personal information. As we speak, the National Assembly’s special task force committee -- the special committee on the “fourth industrial revolution” -- just completed its pilot project to spearhead national debate on this very issue. The final report released Monday contains legislative recommendations on how personal data can be collected and utilized with proper protection measures in place and a stringent penalty in case of violation. The skeletal recommendations do not say much.

Korea is likely to be watching carefully the development of the EU’s latest initiative.


Lee Jae-min
Lee Jae-min is a professor of law at Seoul National University. He can be reached at jaemin@snu.ac.kr. -- Ed.