En En Mission Report

European Parliament 2014-2019

Committee on Civil Liberties, Justice and Home Affairs

20.2.2019

MISSION REPORT

following the following the ad-hoc delegation to Seoul (South Korea) 29 October – 2 November 2018

Committee on Civil Liberties, Justice and Home Affairs

Members of the mission: Claude Moraes (S&D) (Leader of the mission) Josef Weidenholzer (S&D) Michał Boni (PPE) Nathalie Griesbeck (ALDE) József Nagy (PPE)

CR\1177539EN.docx PE636.094v01-00

EN United in diversity EN Summary account of meetings

Monday, 29th October 2018 - Travel day and EU Delegation to South Korea

I. Meeting with the EU Ambassador to South Korea

Participants: Michaël Reiterer, Ambassador to the EU, Joelle Hivonnet, Minister Counsellor and John Sagar, First Secretary

The delegation kicked off with a welcome meeting by Mr Michael REITERER, Ambassador of the European Union/Head of the Delegation in South Korea and senior officials on the general situation in Korea and the issues related to data protection

The Ambassador explained that, in the context of the data protection negotiations, Commissioner Jourova came in June 2018 and that she had fruitful exchanges with the South Korean authorities and stakeholders.

Furthermore, data protection was mentioned in the EU-Korea summit at the end of October 2018 in Brussels (ASEM summit). Although no joint statement was published, the data protection reference indicated that the goal of the negotiations was to reach an adequacy understanding by the end of the current year 2018. Indeed, the interest in Korea is very high on this issue from the public authorities’ side and many meetings were organised last June for the Commissioner in the regard. Furthermore, he mentioned that the civil society is also very engaged and consultations with various stakeholders took place.

Among possible issues at stake are the status of national security agencies, automated machine and profiling and more generally, the issue of surveillance.

The Ambassador also stressed that President Moon is very interested in the relations with the EU. He visited different capitals before Brussels for the EU-Korea Summit mid- October.

On other topics of information, such as denuclearisation of North Korea, he reiterated that the Position of the EU is that sanctions can be lifted only if there are progress in the denuclearisation. There have been developments in the good direction compared to

PE636.094v01-00 2/32 CR\1177539EN.docx EN September 2017 but the situation must be monitored. He also noted that discussions between North Korea and South are going faster than between North Korea and USA. So far, there are not enough developments in this one and both sides try to improve that.

Also, on the EU-Korea relationship, there are good relations in science and research. There is a lot of interest by Korean companies to participate in the horizon 2020 Program. Besides, the topic of the 4th industrial revolution is an important one. Finally, the exchanges programmes such as Erasmus plus/Jean Monnet chair continue to develop.

From an economical point of view, unemployment in Korea is higher than usual and also touches the students of the big three universities of the country (usually less affected).

According to statistics, 32% of the big companies produce 70% of GDP. Samsung alone is around 12%. Therefore, there is an important impact of the big players on the economy and the current government would like to help the small-medium sized to develop as well. One issue in this context is the social dialogue, which the current President promised to increase in the Korean society. In terms of economy, the best relations are with China, then the USA and in third, the EU.

Tuesday, 30th October 2018 - Meetings at institutional level and stakeholders

II. Roundtable with representatives of civil society

Participants: Eun woo LEE, Institute for Digital Rights; Byoung-il OH & Miru LEE, Korean Progressive Network Jinbonet; HyeJin BYEON, Center for health and Social change; Cheolhan YUN, Citizen's Coalition for Economic Justice; Seohyung LEE, Minbyun-Lawyers for a Democratic Society; Myung YUN & You Kyung HUH, Consumers Korea

The delegation started the day with a roundtable with civil society representatives.

The first presentation was made by a representative of the Korean Progressive Network Jinbonet, presenting the views of the different civil society represented at the meeting. The NGOs explained that they are working to defend data protection of the data subjects. In terms of action, they stressed that up until now, the NGOs launched awareness

CR\1177539EN.docx 3/32 PE636.094v01-00 EN campaigns towards citizens.

The presentation focused on the issues identified by the civil society organisations regarding the personal information protection regime in the Republic of Korea, namely, according to them:

- Absence of independent data protection authority: Some problems that they identified in relation to this are that there is a landscape of different legislations, which may lead to contradictions and that there are various authorities responsible, which leads to a fragmentation of the Supervisory authorities into different divisions. In short, the legislation is diverse and the authorities also. They stressed that some authorities’ main tasks (e.g. KCC and FSC) are to promote their sectors and fields, and that this may be sometimes in contradiction with the defence of data protection. - Concept of personal information: they stressed that the definition refers to the concept of “easily combined with other information” and it may have the consequence that the scope of personal data may be too narrow (compared to that of the EU) - Concept of pseudonymised data: For them, the concept is not only used for scientific research but englobes all types of research, including industrial R&D or trade secret (confidential data), which would make the definition too vague and no give a possibility for exercising data subject’s rights. They stated that they consider that there is a gap compared to GDPR, because it is only scientific research in the GDPR. - Violation of the purpose limitation principles: They mentioned different cases where they see such violation under PIPA, for instance on statistical processing by public administration (Art 58(1)) or under the Resident Registration Number (RRN) where they consider that data are excessively collected and processed. - The situation of special categories of data and profiling: they stated that NGOs have been raising concerns about biometric data, which are not regarded as sensitive information in South Korea. Another concern that they mentioned is that there is no provision on profiling or automated decision making. - Law enforcement (LE) and national security access to personal data: they presented some points, which they consider issues on LE access as well as access and supervision of personal data at the National Intelligence Service (NIS). Regarding the NIS, it is a comprehensive cybersecurity authority not only to execute relevant policies but also to tackle threat 24/7 all year long. It oversees national cyber security policy, prevents cyber crises and detects attacks, investigates cyber intrusions and analysis of information and conducts security verification schemes. They questioned as well the possible wide surveillance of citizens by the NIS. Regarding the development of a cryptographic model, which is sensitive, the authority can not only access original source but it also carries out certification scheme. - Robotics, AI, Machine to Machine: they are questioning whether legislation are

PE636.094v01-00 4/32 CR\1177539EN.docx EN protecting enough the data subjects: On this aspect, the NGOs commented on the GDPR accomplishment and their position that South Korea should adapt its system to more robust data protection standards. - KCC, PPC adequately staffed? Example of complaints? They consider that the authorities are not adequately staffed. They also regret that there is no class action mechanisms in South Korea, so private enforcement scheme does not exist on top of public prosecution. Finally they consider that the administrative fines are of very small amount and seldom imposed.

They summarised the following issues at stake: surveillance by the National Intelligence Service; the use of pseudonymised data in R&D, public statistics and commercial statistics with little safeguard; and the use of “my data” (no safeguard, situation of sensitive data, illusion of self-control).

In the discussion that followed this general presentation, one issue stressed with the Members touched upon algorithm impact assessment. The NGOs consider that supplementary systems should be adapted to address these issues. The NGOs are interested in enhancing transparency and be able to provide correct explanation of the algorithms. Lastly, regarding algorithm, they stated that discrimination issues are important regarding AI, so they work against discrimination and in view that human rights are protected not only by law but also in practice.

They explained that certain large business platforms have a monopoly regarding personal data and they consider that it should be addressed. Personal information should be protected and the issue of protection should be in line with protection of the basic human rights of the people.

One participant (Consumers Korea) explained that it is interested in and working on issues surrounding smart devices. They have not carried a full investigation yet, but their first conclusions are that consumers are not adequately informed about the collection of their data. Furthermore, they said that the consumers need to read the fine prints, which are not always very clear. For instance, there is not pop-up banner about collection of their data, or how to turn off the data collection options. In Korea, the consumers need to search through the app or even contact companies how to deactivate certain functions.

Members also discussed about cases brought in front of KCC that are relevant to explain the powers of the authority. On enforcement of data protection law, NGOs referred to a case dealt with by the KCC, which was in charge of overseeing a case where 3,2 million consumers data were sent to an insurance company. The level of fine was of 0,5 million

CR\1177539EN.docx 5/32 PE636.094v01-00 EN dollars as an administrative fine but it was a large scale violations of consumers rights.

Another participant (Jinbonet) presented some of their issues, linked to a narrow scope of data protection solution:

- They stressed that they would like to have a clear description on how the use of pseudonymisation for research or for use in a broader scope should be allowed. They stated that a draft bill is under consideration in South Korea. The draft introduces new concept such as pseudonymised and anonymised data in the South Korean framework. It foresees that pseudonymisation can be used for statistics, research and archives for public purposes. They said that it seems similar to GDPR but they also said that it uses research to allow companies to use pseudonymisation for commercial purposes, while GDPR only allows it for scientific research, hence the scope would be different. - Access for Law Enforcement without decision of a Court. They stated that it takes time to go to Court on such cases and that often the law also misses the rights of the data subject to oppose or to be informed. - Definition of sensitive information: They consider it a crucial concept and they wanted to have clarifications on the concept in the legal framework.

A third representative of civil society (Citizen Coalition for Economic Justice) explained that currently, economic activities are based on real name system to identify the persons concerned for using the data. They said that the problem is that when collecting information, the government monitors people and for the business, they are using the data for commercial purposes. From the consumer side, consumers are not properly informed on how, when and to whom data is provided. Due to such problems in handling personal information, it has led to several issues that are found in leakage of personal and misuse of personal data

They described 3 main issues: - When consumers launch lawsuits, a first problem is that there are few consumers, which go to court - The Courts themselves do not substantially recognise such damages - From the business side, court is often exempting the responsibility of the business if they came with their own management policy. So there are few cases of punishment.

Furthermore, the Consumers Korea representative explained that up until the seventies, eighties, there were not many problems, but in the nineties, there were several leakages of personal data. At that time, the issue was that consumers were rarely informed or made aware of such cases. So the consumers groups were created to make the efforts to

PE636.094v01-00 6/32 CR\1177539EN.docx EN have the rights of data subjects protected. Another problem that they see is that the government authorities are fragmented. So there needs to be a unified channel to consumer’s protection.

At the question of Members on how do the consumers can know which authority is to be contacted in case of complaint, they replied that regarding for instance leakage of personal data, consumers are not even aware that there was a leakage. They are informed though the media after the incident broke out. Currently, the process is as follows: There is consumer Korea and a government led complaint centre. Consumers can go to consumer Korea to get their rights recognised in Court. The NGOs consider that other systems are needed to be implemented to give rights to consumers to directly act in court in a more efficient way.

One question of a Member related to the right to be forgotten in Korea. They explained that it is not a big issue in Korea because consumers can easily ask the institutions or business concern to delete their personal data. It is not stipulated in the law but it is a term usually used in the community.

In terms of international cooperation of consumer organisations, Consumers Korea clarified that it is a member of Consumers International. They cooperate with other international advocacy groups in the world. Jinbonet is in relation with EFF, IAPP and other associations. They explained that there are a lot of similarities with the Japanese legislation which had an impact in South Korea.

The representative of Minbyun-Lawyers for a Democratic Society explained that the lawyers’ organisation works to install democracy within the Korean Society. On the data protection legislation, they consider that there is still a lot to do, as the legislation is still a vertical based legislation, not enough democratic and too much government-led structure.

This meeting was concluded by the NGOs stating that the awareness of the citizens is often low, even in the EU regarding GDPR, so the work of civil society is an important element that needs to be promoted. Many NGOs work on the protection of consumers and human rights. Thanks to GDPR, Korea and the EU should reach adequacy level in view of reinforcing the traditional view of the Country.

CR\1177539EN.docx 7/32 PE636.094v01-00 EN III. Meeting with the Korea Communications Commission and the Korea Internet & Security Agency

Participants: Presentation by KCC / KISA at staff working level official and meeting with Mr. Hyo-seong LEE, Chairman of the KCC and Mr Seok-hwan KIM, President of KISA

Data Protection Legal Framework

KISA made a presentation on the data protection framework in Korea. The speaker started by explaining that the right to privacy was defined as a fundamental Right by the Constitutional Court in a case in 2003 and the right to control one’s own personal data was recognised as a fundamental right since a Constitutional Court decision of 2005.

He presented the general law and the special laws The General law is the Personal information protection Act. As regards the specific sector Acts, they have the following ones: - For personal data covering online commerce: the Act on promotion of information and communication network utilization and information protection, etc and the Act on the protection, use, etc. of location information; - For credit and financial information: the use and protection of credit information act and the Act on real names financial transactions and confidentiality; - For Health information: the medical service Act, the framework Act on health examination and the Act on welfare of persons with disabilities; - For Student information: the framework Act on education, the elementary and secondary education Act and the early childhood education Act; - For other areas, such as passport, taxation, police, customs, etc: many special laws specific to these areas.

This combination of a general law with special/sectoral laws, which reflect the characteristics of specific sectors leads to collaboration among professional DPAs in different sectors. He also stated that it creates synergistic effects through inter- complementary activities by sharing roles of professional DPAs in different sectors.

Network Act and PIPA

A presentation of the main aspects of the Network Act and PIPA was made:

- Regarding the Network Act, various aspects were described. It was said that it is based on the OECD Principles, that it was widely used for regulating the personal data

PE636.094v01-00 8/32 CR\1177539EN.docx EN protection until PIPA was launched (since 1999 till 2011), that it is the most experienced act among the data protection acts in Korea and that it is administered by an Independent Authority (KCC). Other aspects underlined were that it contains notification/reports of breach of Personal data, that the KCC can order correctional measures to the business operators who violates the relevant laws, that there are administrative sanctions, civil liability and imprisonment. Finally the KCC has the power to request the submission of materials concerning violations and their examination and for the assurance of an order for remedial action;

- Regarding the PIPA, it is the General act for personal data protection in Korea since 2011, it has many similarity and share the core principles with the Network Act, such as strict regulation for each stage of the life cycle of controlling personal data, prior opt-in consent, privacy officer and privacy policy, data breach notification and report, administrative sanctions, civil liability and imprisonment, etc. Furthermore, there is stronger protection for important personal data, there is a personal information Dispute Mediation Committee, which is put in place and there is also self-regulation.

A big difference mentioned between GDPR and PIPA is that there are different articles to cover the collection, use and transfer of data. In GDPR, there is one concept, the one of “processing”, while the Korean law has different concepts.

Cases

When discussing about existing cases, the Members were not given specific statistics but some specific relevant cases were mentioned to illustrate the work of the Korean Court in the field of data Protection.

A case at the District Court level in 2015 referred to the forced disclosure of status quo of Google’s provision of personal information and service details of domestic users to a third party. Two cases at the Supreme Court level were also mentioned, the first one in 1998 on the clandestine collection of personal information for the purpose of surveillance by a government agency (Defense Security Command) and the second one in 2015 on the disclosure of the members of Teacher’s Organisations and Unions at the National Assembly Member’s home page without obtaining the consent of data subjects.

On enforcement by the KCC, the presentation listed different cases showing the strong enforcement of the Network Act on both overseas and domestic companies: Apple in 2011 ($US2.660), Google in 2014 ($US188.292), both on collection of data without consent and more recently after the amendment of the Network Act in May 2014 to increase the administrative fine maximum to an amount up to 3% of the ISP’s annual

CR\1177539EN.docx 9/32 PE636.094v01-00 EN turnover, the case of PPOMPU Communication leakage in 2015 ($US94.200) and the INTERPARK leakage in 2016 ($US 4.4 millions).

Discussion with the Chairmen of KCC and KISA

The Chairman of KCC started by explaining that at the Korea-EU summit in October 2018, president Moon asked for a swift conclusion of the adequacy negotiations. He explained that in the discussions with the Commission, they reached an agreement according to which the 16 adequacy standards requirements are met by the KCC / Network Act and that the protection for onward transfers has been clarified in a specific legislation.

Regarding a question by a Member on the measures to involve the small and medium companies, it was said that if a company under the Network Act has more than 1000 employees, this company has to appoint a DPO. He explained that for the small companies, there are educational activities about the role of DPO and about the rules that have to be respected. Since 2016, KCC and KISA held more than 20 seminars for companies, preparing them also for GDPR compliance.

Therefore, the small businesses have an understanding of the basic legislation. To support the SMEs, different types of activities are foreseen by KCC. They have a dedicated toolkit for SMEs to self-assess their readiness to the GDPR.

On data flow, they explained that the Korean embassies in the Union receive many questions from Korean companies, specifically regarding compliance and they provide support for this. Also, at the governmental level, KISA held seminars for companies. Moreover, in November 2017, there was a seminar with the European Commission on how to respond to GDPR. For conglomerates, they have separate teams and collaborators to deal with GDPR implementation. KISA has a window as communication channels through their website or through telephone communication to reply to questions from companies to increase compliance of GDPR.

Regarding cyber-attacks, a Member asked which measures were in place. They said that Cybersecurity issues also affect personal data (75% of cyber-attacks result from Hacking). KISA is responsible for the private sector and they will create a cyber-centre. Through this new cyber-centre, they will be able to analyse and respond to such attacks through AI and be able to react faster to such attacks. They also want to respond to other security incidents (spams, etc) that affect personal data. They also need to look at traditional sectors such as the construction or transport ones to respond to such issues.

PE636.094v01-00 10/32 CR\1177539EN.docx EN Regarding resilience, there are many targets that could suffer from cyber-attacks, so they consider that prevention is important but they also need to detect as fast as possible threats and recover quickly. In this regard, KISA has also established a hotline for security issues for companies to contact them. They created a consultation body of security experts to meet and exchange on the latest aspects and developments. They have detected many recent attacks that attack the supply chain and can affect many companies.

The overarching authority on cyber security is under the President (office of security) and the relevant laws are the Network Act and the Antiterrorism Act, while public security is under the National Security (NIS) and the Ministry of Interior (MOIS).

KISA developed 3 principles regarding attacks to the private sector: - the first one is to be basic when responding to attacks; - the second one is to ensure resilience to answer as it is difficult to avoid attacks, so being ready and answering to them is important; - finally, the third principle is the collaboration at international level.

Establishing a big data centre within KISA is to ensure the correct implementation of these three principles.

Regarding certifications, they mentioned their high interest into Internet of Things (IOT) certifications. In South Korea, certification for personal data management system does exist. Big organisations (such as hospitals, etc) need to have such information management system in place, which is also foreseen under the network Act. Moreover, internet companies with 1 million users connections per day must have certification of their information management system.

IV. Meeting with the Ministry of Interior and Safety

Participants: Yoonkee CHUNG, Director General of E-Government Bureau; Eunha SHIN, Director and Changyong SHIN, Deputy Director

As this Ministry (MOIS)is in charge of enforcement of the PIPA, it was important to meet with representatives, which could explain how the system works. The Members received explanations of the way that the Korean administrative system works. It is a mix of European parliamentary system and American presidential system.

CR\1177539EN.docx 11/32 PE636.094v01-00 EN Regarding the PIPA, the MOIS has the first responsibility of protection of personal data in Korea. The Director explained that there are other Korean agencies (KCC/FSC) responsible in this field but if they want to amend the law, there needs to be prior consultation of the MOIS. Unlike the US presidential system, the MOIS may submit a bill to the National Assembly. No other government agency can amend law on data protection without MOIS. For instance, the PIPC was launched also in this respect.

PIPA and PIPC were established in 2011. Until 2011, only the act on protection in public institutions existed. It meant that information in private sector was not covered by any law. There was a conflict on the supervision’s part. The conflict was to know whether the MOIS should be the main body in charge of the public sector or if they should have a new authority. In 2011, the then President was from the private sector and he did not want a new government agency. However, it was understood that with the MOIS only it would not guarantee the independence. As a compromise, it was decided that on the top level the PIPC would be in charge of the overarching system and MOIS should be in charge with the routine of the implementation.

MOIS is also competent on e-government to implement cyber security measures in the government.

Regarding question on the independence of PIPC, it was admitted that, at this stage, it cannot fully exercise its functions in terms of independence, as it can neither implement investigations (enforcement) nor implement its own budget.

However, the Members were informed that last September 2018, all authorities agreed to upgrade PIPC into a full independent authority and a bill in this direction would be submitted to the national assembly in November 2018.

On a question regarding the change of scope for the adequacy the Members received the explanation that in 2015, the first attempt for a full adequacy was rejected regarding the problem of the supervisory agencies. During the last 3 years, the Government promoted a partial adequacy with KCC.

The current official Korean position is to continue the negotiations on a partial adequacy, while at the same time moving on the amendments to the PIPA in order to reinforce the powers of the PIPC and make it a fully independent body, which would ultimately allow for a full adequacy assessment.

Regarding the independence, they consider that the independence of investigation and investigation teams is ensured even if there is no mention of independence in the legal

PE636.094v01-00 12/32 CR\1177539EN.docx EN text. The current President requested on 30 August 2018 that all government bodies should discuss the launch of an independent data protection supervisory authority. This was discussed among the representatives of the task force (ICT, MOIS, etc) in late September and there was unanimous consensus that PIPC should become fully independent.

It was explained to the Members that the word “independence” can have different interpretations. The government interprets it as the MOIS should be a DP supervisor and the PIPC would be separated from the cabinet but would be under direct control of the Prime minister. The Chair of the PIPC would be par with a minister level and the vice chair would be a vice minister and the Director would be of the level of a secretary general.

The Korean Constitutional system provides that if there are issues between competences, the prime minister is the top authority. Moreover, if there are difficult issues, the President may coordinate the efforts. The Korea Constitutional Court has the power to mitigate any conflicts between authorities. According to the Director, the new PIPC would have a full independence in the investigation of infringement and put penalties on actors which do not respect the law. There are many legislative cases to make an agency completely independent; for instance if the board of audit shall execute all activities as independent body. A clear provision must be added to ensure its independence, even though it would be under the President’s office. The staff members of this authority would be governed under the Act on public servants.

In terms of cybersecurity, the Director explained that MOIS is responsible for public authorities only. The ministry of ICT and the one of Trade/energy are responsible for the private one. He also referred to the “Integrated data centre”, previously mentioned in the meeting with KCC/KISA, which was created for that purpose. They implemented a 5-layer analysis, 8-layer defence system to cut most of the irregular attempts and attacks.

CR\1177539EN.docx 13/32 PE636.094v01-00 EN V. Meeting with the Personal Information Protection Commission (PIPC)

Participants: Sang-hee PARK Director General; Seung-hee LEE, Director, Planning & Management Division; Hyun-ik KIM Deputy Director, Planning & Management Division; Hee- hyun KIM, Interpreter, Planning & Management Division; Sang-ho BAE, Director, Review Division; Hyun-sook KIM, Director, Bills Assessment Division; Yoo-min KANG, Director, Investigation Division; Geun-young AN, Director, Dispute Mediation Division

During this meeting with the representatives of the Personal Information Protection Commission (PIPC), Members were briefed about the powers of the Commission. They were first informed that the PIPC is a deliberation and decision making body.

Regarding the origin of the PIPC’s competence, PIPA was developed on the basis of directive 95/46. PIPC has oversight of key authorities, including the national assembly. They explained that the enforcement and oversight is carried by MOIS, which can inflict sanctions and corrective orders. Moreover, at this moment, PIPC is not entitled to conduct investigations in private sectors, but they can ask agencies to investigate. PIPC can give recommendations to public agencies but they do not have the power to investigate. They explained however that when they order something to agencies, these agencies usually comply with the order.

As already explained in previous meetings, regarding the private sector, PIPC has a very limited enforcement power. Moreover, regarding budget and high level officials, they confirmed that the competence is in the hands of the MOIS. They currently have 48 officers with 20% dispatched from the MOIS.

PIPC has competence on public sector. This covers constitutional agency / national assembly/ local authorities and central administration. The MOIS has competence on private sector and enforcement on this sector.

One special function of PIPC is interpreting the law + resolution on the application of the law. They explained that it goes as far as without PIPC review, no law can be amended or proposed.

They clarified that MOIS is not above the PIPC. PIPC is an independent deliberation public authority under the President. There are only two direct authorities under the President, the KCC and the PIPC.

On a prospective note, they explained that if modifications of the PIPA are passed in the

PE636.094v01-00 14/32 CR\1177539EN.docx EN national assembly, PIPC would become more independent. PIPC recommended last November 2017 that KCC and MOI pursue with full adequacy negotiations.

They consider that they comply with Article 52 GDPR (on independence of DPAs). Furthermore, the appointment and budget would also be solved by the passing of the amendment to the PIPA.

On their other functions, they explained that there is a separate commission dealing with dispute and mediation (as foreseen in the PIPA). PIPC employs workers as liaison with this commission. As foreseen by the PIPA, the mediation commission functions in an independent manner.

On a question regarding the guidelines on de-identification and why the PIPC did not sign them as other authorities, the PIPC did not endorse them because they said that they were not consulted. In such case, as explained above, it cannot become a law. In January 2017 PIPC deliberated that the relevant law has distinguished between pseudonymised and anonymised data as the GDPR does.

CR\1177539EN.docx 15/32 PE636.094v01-00 EN Wednesday, 31st October 2018 - Meetings with Academics, National Assembly and stakeholders

VI. Meeting with Academic specialists and law professors

Participants: Kyung-jin CHOI (Gachon University College of Law); Beom-Soo KIM (Yonsei University Graduate School of Information); Kwang-bae PARK (Lawyer, partner in Lee & Ko lawyers)

The Members met with two Law professors and a practitioner, specialised in data protection. The first speaker was Mr Beomsoo. He explained that he considers adequacy as a good decision for Korea, but he said that he finds the timing awkward at the moment, as there are some reshuffling in the government.

He said that KCC has done a wonderful job in terms of enforcement. Maybe even too much sometimes. In case of data breach, there is a mandatory notification of the breach to KCC and to the data subject, and this can also happen even for one single case.

PIPC has a different power, in case of bigger breach. He said that sometimes the law is considered too strong compared to GDPR as, in some respect, it does not allow any processing. For instance, for sharing with third party, a lot of information is needed, such as name, telephone of third party. He considers that the law is more specific and detailed than US/EU ones. Under the current structure, he said that he is not sure that data from Korea can be transferred outside to the EU, as it is based on individual consent.

The Network Act has been the law that governed personal data protection in the private sector (hotel industry, etc). The PIPA now covers all these sectors.

Mr Park explained the origins of the different laws. He explained that one element that pushed for changes was a case of breach where 20 million information of data subjects were hacked on a Korean website similar to Ebay. They then strengthen the law to cover the data processes and strengthened the rights of the data subjects.

He also expressed that the Korean law is comparable to GDPR. He stressed that it is consent-based with criminal liability. Korean companies comply with this obligation. For instance, he said that since 2013, if there is a transfer of data under the Network Act, one would need to have additional security measures.

PE636.094v01-00 16/32 CR\1177539EN.docx EN For Professor Choi, Korea has sufficient standards of data protection. When the PIPA was designed, it was referred to OECD principles and the Directive 95/46. They decided that they would require standards that are higher than those principles and Directive. Since the enactment of the Network Act in 2001, he said that there was a decision not to have a law lower than other countries, also in terms of sanctions. Also with PIPA in 2011, they referred to the Court of Justice jurisprudence.

He expressed than an EU adequacy decision will contribute to ensure the protection of the personal data of the EU citizens while maintaining the promotion of online international trade between the EU and Korea. Even if a partial adequacy decision would be made, it is anticipated that the remaining areas where the adequacy has not been determined will have the same level of protection.

On the independence of the KCC and PIPC, Professor Choi expressed that it should be judged based on the specific political situation and governance structure of Korea. KCC is an independent committee and has the executive power of the online field. PIPC is also an independent committee under the President. PIPC also has a unified interpretative power over the entire personal data protection sector, and is particularly influencing government agencies based on recent assessment of data breach incident factors. He cited as an example the fact that the National Intelligence Service has received the PIPC’s assessment during the preparation of the National Cyber Security Bill and after that, it included data protection provisions.

On the powers, for the KCC, he referred to the power of investigations, corrective order, penalties including administrative fines, etc. For the PIPC, it has the power to interpret the relevant provision related to personal data protection laws, assess data breach incident factors, and coordinate among governmental agencies, etc.

On the areas covered or not, it is true that within the legal framework, there is no clear cut of separation. For instance, for Samsung, when they produce and sell phone offline, it will not be covered by the Network Act. However, consumers also get online and create accounts to manage their phones or to purchase phones online. At that moment, the Network Act will start to apply.

CR\1177539EN.docx 17/32 PE636.094v01-00 EN VII. Meeting with the Ministry of Science, Technology and Innovation

Participant: Mr Wonki MIN, Vice-Minister for Science, Technology and Innovation

The Vice Minister underlined the importance of the EU-Korea relations. He also stressed his interest in the latest developments at EU level regarding robots and also in the adoption of the GDPR. He also referred to the Horizon 2020 Program as an important element of cooperation.

He explained that local AI principles cannot work, so they need to refer to the OECD and G20 to develop global guidelines that could be accepted by most of the countries. They nonetheless also understand the importance of still having one’s own rules. At this moment, he said that without data, you cannot develop good system of AI, machine to machine.

He expressed that a data economy is very important and should be based on pseudonymised data. He considers that if they are not identifiable, data could be used for research and business purposes. Regarding the respective competence, he clarified that his Ministry is working in promoting AI and robotics, while KCC is more responsible for implementation. He also said that his ministry is also competent about cybersecurity.

One point that he considered important is to understand how to ensure accountability in AI law. In this respect, one LIBE Member explained the situation regarding the EP report on robotics adopted at the beginning of the year.

In South Korea, there are two thoughts in the authorities on these AI/robotics developments:

- The ICT ministry is in favour of supporting emerging technology through the law and regulation, as you cannot stop the development of the technology. One element is that as there is fierce global competition, the regulatory framework should be flexible;

- There is another approach through the KCC and MOIS, as they care more about implementation of personal privacy

So, there is a need to strike a balance from a general perspective.

On Cybersecurity, he confirmed that it is very difficult to prevent attacks, which is why they work on improving the resilience of the system.

PE636.094v01-00 18/32 CR\1177539EN.docx EN On the influence of GDPR, he stated that the GDPR means a lot for Korea as well and it is a great achievement in Europe. At the same time, regarding the South Korea situation, he stressed that the independence and enforcement are two keys elements that will hopefully be provided to the PIPC, which would gather the competences of FSC and KCC to become independent.

He also explained that there is a policy to promote Big Data but that there are no specific rules on it, because there is currently no legal definition of Big Data. He finally stressed that in their national information law, they are proposing a revision of the law and there is an article mentioning the promotion of Big Data.

VIII. Meeting at the National Assembly: Public Administration and Security Committee

Participants: Ms Jae-Keun IN, Chair of the Public Administration and Security Committee and Members of the Committee

This Committee is in charge of the general supervision of authorities, including PIPC.

In this exchange with the Members of the national Assembly, the LIBE Members were informed on the current legislative developments of the South Korean Government. They explained that the government is working on the implementation of laws and that the GDPR is a guidance for Korea. On the adequacy, they recognised that the Korean system is still lacking but they are working on complementary rules to pass and improve the situation. The stressed that the KCC was the sole institution in charge of data protection in the past. With PIPC, there are shortcomings to make it independent. They recognised that they need to complement the current system of PIPA to strengthen the powers of this authority. One of the South Korean Member also admitted that one authority is reluctant to give up part of its powers to another institution. There are also discussions within the Assembly, between the competent committeess.

On the partial adequacy decision, they expressed their scepticism and stated that they would rather have a full adequacy assessment, which they consider would be more helpful to Korea and the EU.

Another South Korean participant expressed that individuals have the right to access their data, to correct it or to refuse to transfer it. This is not fully reflected into the PIPA text and they want to change it. About ethical points of AI, they said that it is not totally legalised in Korea but that they want to develop such rules.

CR\1177539EN.docx 19/32 PE636.094v01-00 EN IX. Meeting at the National Assembly: Science, ICT and Broadcasting Committee

Participants: Mr Woongrae NOH, Chair of the Science, ICT and Broadcasting Committee and Members of the Committee

The Chair of the ICT Committee explained that data protection is divided between different institutions. He confirmed that the Korean government is trying to concentrate all powers on data protection within the PIPC but that the National Assembly is not yet ready.

He stated that for him, there is information that can be integrated into one agency and some others aspect that should not be integrated into one sole agency. He said that there is a common objective regarding GDPR/PIPA, but in his opinion, regarding communications and financial services, there is more work to be done. So, to him KCC should continue to be competent for networks and Finances should be led by the FSC.

He also discussed with the Members about a proposal on AI, which contains 4 points: 1) Government should establish good foundations for child data protection. 2) It should ensure informed Consent 3) Legal deputy have to agree on child protection 4) Use appropriate language to explain AI to Children.

On informed consent, he stressed that the scope should be well defined to avoid companies using the data of children.

One lawmaker of the ruling party explained that while he was in the opposition, he was more interested in data protection. With the big data booming, Korean industry are growing. As member of the ruling party, he is also listening to the companies. There are different opinions even in the ruling party. He stated that taking into account all the meetings the members of the ICT committee had, they realised that the institutional aspects are stricter than any other country of the world. What is also needed is further international collaboration with the world to protect personal data.

Finally, the Members discussed other topics, such as the 5G technology to be soon deployed in South Korea.

PE636.094v01-00 20/32 CR\1177539EN.docx EN X. Meeting at the National Assembly: Meeting with the Chairperson of the Korea-EU Inter-Parliamentary Council

This meeting was a general discussion on the relations EU-South Korea with the Chair of the Korea-EU Inter-parliamentary Council, Mr Dong-young CHUNG.

CR\1177539EN.docx 21/32 PE636.094v01-00 EN Thursday, 1st November 2018 - Meetings with private sector and business organisations

X. Meeting with Samsung

Participants: Young Soo KIM, Vice President Head of Compliance Team; Choong-Hoon LEE, Security Lab, Samsung Research; Dahee KIM, Legal Counsel; Mahnjin HAN, Principal Professional, Global Public Affairs; Taeyoung PARK, Global Public Affairs

After a presentation given on the latest products, the delegation met with the Vice President in charge of compliance with data protection legislation. On GDPR and adequacy, Members were informed that Samsung prepared a lot to comply with the requirements of the GDPR on 25 May. Adequacy is important for Samsung because they need it for onward transfer from Europe. The business wants efficient and effective means of transfers of data.

They explained that they are using standard contractual clauses at the moment, but they see adequacy as a more comfortable system of data protection.

Samsung, as other industry actors, give their opinions to the political environment by their channels. Also scholars give their input. As far as GDPR is concerned, there are many other regulations in the world. But they see Europe as more serious and stricter than other places. Samsung has done a lot to reply to customers complaints or data subjects rights.

When asked about their implementation of privacy by design and default in their products, they explained that from the very start of the design, they obtained advice from their team of Privacy legal management system and lawyers and Data Protection Officers to integrate Privacy in their products. Also, they added that in terms of security aspects of the products, they do their best to prevent the information leakage from the design of the products.

They were asked about their position regarding requests from law enforcement or from Court orders to access data of customers. They replied that they have many premises in the world and have unified guidelines on how to comply with law enforcement access. Only when they have the legal responsibility to respond to law enforcement bodies, they reply. They maintain statistics from access requests that they receive. Based on the statistics, they publish transparency reports.

PE636.094v01-00 22/32 CR\1177539EN.docx EN They recognised that technology is developing at a fast level and that the law should follow. They try to best protect personal data especially sensitive ones like health. They make sure that they protect private information. They are trying to comply with the obligations of the GDPR. They use the data when they are allowed to and do not use data when it is not allowed under the GDPR.

They explained that they have their own guidelines that they follow based on the OECD guidelines. They make sure that they use personal data in the limit of their purposes. Beyond their purpose, they do not use the data, and they develop the retention policies only for the time allowed. They have other principles in place such as encryption and pseudonymisation.

X. Meeting with Naver

Participant: Ms Sungsook HAN, CEO of Naver

Naver is the largest search engine in South Korea with over 70 % of market share (74,7%). With the Russian Yandex and Chinese Baidu, it is the only other case where a national search engine supplements Google nationally. They also started a European branch in Paris. They are highly interested in GDPR and invested in it.

Naver owns many products, among which they have Line, Line plus corp, Naver Webtoon, Snow, LABS, NBP and Works mobile. Line is a global mobile platform. It was launched in 2011 and they reached 200 million users by 2013 already. It is the most popular messaging application in Japan.

Naver search engine has 30 million daily mobile visitors and 42 million registered users.

Regarding the developments in Europe, they explained that Naver is investing in Europe for the talents they can find there and its market in which they can bring their experience and their technology. Their European development is based on four pillars: investment, start-up support, research and services. As an example, they invested 200 million euros for European start-ups. They also developed Europe’s premier start-up campus and they have more than 80 AI expert researchers based in France. They focus their research mainly on AI, autonomous vehicles and robotics.

Regarding the data protection measures for search taken by Naver, they take a multi- layered approach to protect users’ data with year-long endeavours.

CR\1177539EN.docx 23/32 PE636.094v01-00 EN They mentioned that they have the following certifications:

ISO, PCI-DSS, PIMS-ISMS and SOC 2, 3 certification. This includes that they have monthly technical and organisational reviews, monthly e-finance service reviews and audits, quarterly location data reviews and yearly service reviews and audits.

These certifications are both international and national: - International ones: ISO and SOC 2/3 in 2013. Naver was the first company in Korea to acquire the SOC 2 and 3 at the same time; - National ones: provided by the Korean Government: PIMS (Personal information management system) and ISMS (Information security management system) to have local certification.

The explained that they conducted their own privacy impact assessment in 2010 for the first time. They built their own data management system and they have their direct management review and API review. For instance, they require strong passwords for creating accounts, but they also have strict rules in terms of technology,

They have technical security measures and organisational security measures in place. For instance, on technical measures, all search traffic is securely protected via HTTP Secure and the IP addresses are appropriately anonymised after a pre-defined time slot. For organisational measures, all employees’ access to search data are logged and reviewed for potential abuse and all employees’ access privileges are reviewed and authorised based upon their specific needs to use the search data. Moreover, Search functions are periodically reviewed and audited and users can request the deletion of specific search results based on their nature.

Regarding concerns on overseas transfers of data, they explained that a lot of systems and administrator’s tools are located in Korea. Hence it would require a lot of systems and administrator’s tools to provide an online service such as Customer inquiry management, bug tracking, crash report or performance metrics management system. Moreover, it would cost a considerable amount of money to place those systems in the EU and it would also slow down the deployment and expansion of service in the EU.

They also stressed that without adequacy, it would be a document nightmare (i.e. to use standard contractual clauses). Therefore, they consider an adequacy as a very important step.

PE636.094v01-00 24/32 CR\1177539EN.docx EN From Naver’s point of view, they wanted to highlight the following points: - Korea is one of the rare countries that has developed a very rigorous data protection legal framework: Not only are Korea’s personal data protection laws much in sync with the GDPR but Korea is in the process of revising its laws to be essentially equivalent; - Naver is one of the most respected online service providers in terms of security and privacy protection of users; - Adequacy decision would greatly enhance the user trust in Naver’s soon-to-be deployed web/app services.

On questions regarding fake news, they said that their system is not based on the same algorithm as Google. They have shown and categorised their sources by listing them as newspapers, official sources, etc. Hence they are quite free from the fake news situation that other search engines face.

About keywords using targeting ads, they said that do not use personal data for that. They also clarified that they will not incorporate this in their business model in the near future either, because they have been developing very well without it.

X. Meeting with KITA

Participants: Mr Young-joo KIM, Chairman of Korea International Trade Association (KITA) followed by a Roundtable Meeting with Korean companies' and economic group’s representatives: Hyun Lock Choo, NURI TELECOM; Taehyun Oh, Korea Institute for International Economic Policy; Ki Jun Kwon, Lawfirm Suojae; Jeong Kim, Celltrion Healthcare Co., Ltd; Song Yi Kim & Jeong Je Park, i-SENS; Ji Soo Park, K- GAMES; Min Chul Jung and Yong Hyuk Choi, Korea Financial Investment Association; Jaeho Song, Hyundai Steel; Tae Hoon Lee, Hoon Wearable X Inc; Austin Chang, Binna Cho and Byeong il Ryoo, KITA

The Chairman of KITA welcomed the delegation and described the activities of KITA.

KITA is a gathering of Korean businesses which wanted to boost their economic capabilities. The association was established 70 years ago, before the government was even established. KITA represents the majority of the share of trade in the country and the share export is higher than the one of Germany. The exchanges with the EU market have been growing since the EU-Korea partnership in 2011.

He stressed that it is key to respect the rules and regulations to survive in this sector.

CR\1177539EN.docx 25/32 PE636.094v01-00 EN The current level of protection of personal data is high, so it is not possible to use fully personal data. They would need flexibility for developing automotive and telemedicine, however, with the strict rules, it is difficult to use all the potential.

Due to these strict rules, a lot of big businesses have had problems to cooperate with businesses overseas. They stressed that more progress is needed in this area. One important element, which was stressed is that they want to attain adequacy decision to make business more fluid for the companies.

The GDPR has been disseminated around the World, so the EU is setting the global standard. Economic development and trade are important, but other aspects such as environment are also important.

In the discussion that followed with the companies, they touched upon the questions of Big Data and GDPR, they were interested in discussing the definition of profiling. Furthermore, they were also interested in the criteria used to define the scope of big data with profiling. In other questions, they asked about the relations between data controller and data processor. One of the companies involved in the Gaming sector explained that there are 4 major industries doing business in the EU and stressed that they are well prepared under GDPR. However, one problem mentioned is that the companies that have business in the EU have to appoint DPO.

------

PE636.094v01-00 26/32 CR\1177539EN.docx EN Committee on Civil Liberties, Justice and Home Affairs

Ad-hoc Delegation to Seoul, South Korea 29 October - 2 November 2018

DRAFT LIST OF PARTICIPANTS

MEMBERS OF THE EUROPEAN PARLIAMENT (protocol order)

Full Nr Name Group1 Member/ Country Substitute Claude MORAES 1 Chair of the LIBE Committee S&D F UK Head of the ad-hoc delegation

2 Josef WEIDENHOLZER S&D F AT

3 Michal BONI EPP F PL

4 Nathalie GRIESBECK ALDE F FR

5 József NAGY EPP F SK

1 EPP Group of the European People's Party (Christian Democrats) S & D Group of the Progressive Alliance of Socialists and Democrats in the European Parliament ALDE Alliance of Liberals and Democrats for Europe

CR\1177539EN.docx 27/32 PE636.094v01-00 EN COMMITTEE ON CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS

Ad-hoc delegation to SEOUL, SOUTH KOREA 29 October - 2 November 2018 Draft programme (version of 26/10/18 at 17:00 - Subject to changes)

Main thematic focus: Transfer of personal data under adequacy decision - Data flow - AI & Robotics - Cybersecurity - Internet of Things/Big Data - Machine to Machine

ALL PARTICIPANTS ARE REQUESTED TO CARRY THEIR PASSPORT AT ALL TIMES (ID card or EP badge is not sufficient)

INDIVIDUAL TRANSFER from the Seoul Airport to the Four Seasons Hotel Seoul (Address: 97 Saemunan-ro, Jongno-gu, Seoul, 03183)1.

Monday, 29th October 2018 - Travel day and EU Delegation to South Korea

18.00: Meeting in the lobby of the hotel and bus transfer from the hotel to the EU Residence of the Ambassador to South Korea Venue: 37-10 Itaewonro 55 gil, Seoul, Korea 2

18.30 - 19.30: Welcome by Mr Michael REITERER, Ambassador of the European Union. Briefing and Q&A with the EU Head of Delegation and senior officials on general situation in Korea and the issues related to data protection

19.30 - 21.00: Buffet dinner hosted by the EU Head of Delegation

21.00 - 21.30: Bus transfer from the EU residence to the Four Seasons hotel

- End of programme for 29 October 2018 -

1 Address in South Korean: 03283-서울시 종로구 새문안로 97 2 Address in South Korean: 서울특별시 이태원로 55길 37-10

PE636.094v01-00 28/32 CR\1177539EN.docx EN Tuesday, 30th October 2018 - Meetings at institutional level and stakeholders

08.25: Meeting in the lobby of the hotel and bus transfer from the Four Seasons hotel to the EU delegation Venue: 11th Floor, Seoul Square, 416 Hangang-daero, Jung-gu, Seoul, 04637, Korea1

09.00 - 10.30: Roundtable with representatives of civil society: - Eun woo LEE: Institute for Digital Rights - Byoung-il OH & Miru LEE: Korean Progressive Network Jinbonet - HyeJin BYEON: Center for health and Social change - Cheolhan YUN: Citizen's Coalition for Economic Justice - Seohyung LEE: Minbyun-Lawyers for a Democratic Society - Myung YUN & You Kyung HUH: Consumers Korea

10.30 - 10.50: Bus transfer from the EU delegation to the Four Seasons hotel

11.00 - 14.00: Korea Communications Commission / Korea Internet & Security Agency

11.00-11.15: Presentation by KCC / KISA by working level official 11.15-12.00: Questions and answers to working level officials 12.00-12.15: Photo session outside with the Presidents of KCC and KISA followed by 12.15-14.00: Working luncheon and continue questions and answers with Mr. Hyo- seong LEE, Chairman of the Korean Communications Commission (KCC) and Mr Seok-hwan KIM, President of the Korean Internet and Security Agency (KISA)

14.15 - 14.30: Bus transfer from Four Seasons hotel to Westin Chosun hotel Venue: 106 Sogong-ro, Sogong-dong, Jung-gu, Seoul, South Korea2

14.30 - 15.45: Meeting with the Ministry of Interior and Safety - Yoonkee CHUNG, Director of E-Government Bureau - Yunsook LEE, Director of Personal Information Protection Cooperation Division - Samgwang KIM, Director of Personal Information Protection Policy Division - Seyoung LEE, Director of E-Government Policy Division

15.45 - 16.00: Bus transfer from Westin Chosun hotel to 4F, Government Central Complex Venue: 209 Sejong-daero, Sejongno, Jongno-gu, Seoul

1 Address in South Korean: 서울특별시 중구 한강대로 416 (서울스퀘어빌딩 11 층), 04637 2 Address in South Korean: 중구, 소공로 106 서울, 대한민국 04533

CR\1177539EN.docx 29/32 PE636.094v01-00 EN 16.00 - 17.30: Meeting with the Personal Information Protection Commission (PIPC), - Sang-hee PARK Director General - Seung-hee LEE, Director, Planning & Management Division - Hyun-ik KIM Deputy Director, Planning & Management Division - Hee-hyun KIM, Interpreter, Planning & Management Division - Sang-ho BAE, Director, Review Division - Hyun-sook KIM, Director, Bills Assessment Division - Yoo-min KANG, Director, Investigation Division - Geun-young AN, Director, Dispute Mediation Division

17.30 - 17.40 Bus transfer to the Four Seasons hotel

18.30 Invitation to Members by the Slovak and Czech Ambassadors to a reception and dinner at the Four Seasons Hotel (to mark the 100th anniversary of the establishment of Czechoslovakia) (the rest of participants - free arrangements for the dinner)

- End of programme for 30 October 2018 -

Wednesday, 31st October 2018 - Meetings with Academics, National Assembly and stakeholders

07.55: Meeting in the lobby of the hotel

08.00: Bus transfer from the Four Seasons hotel to the EU delegation

08.30 - 10.30: Meeting with Academic specialists and law professors Chang-beom YIM (Dongguk University); Kyung-jin CHOI (Gachon University College of Law); Beom-Soo KIM (Yonsei University Graduate School of Information); Tae-Myeong CHUNG (Sungkyunkwan University College of information and Communication Engineering); Kwang-bae PARK (Lawyer, partner in Lee & Ko lawyers)

10.30 - 10.50: Break

10.50 - 12.00: Meeting with Wonki MIN, Vice-Minister for Science, Technology and Innovation of the Ministry of Science and ICT

12.00 - 13.20: Luncheon close to the EU delegation (Free arrangements)

13.20 - 13.55: Bus transfer from the civil society building to the National Assembly (via FR residence)

PE636.094v01-00 30/32 CR\1177539EN.docx EN Venue: 1 Uisadang-daero Yeongdeungpo-gu Seoul, 072333

14.00 - 14.30: Guided tour of the National Assembly

14.30 - 15.30: Meeting with Sangkyoo YEO, Chair of the Legislative and Judicial Affairs Committee and Members of the Committee

15.30 - 16.30: Meeting with Woongrae NOH, Chair of the Science, ICT and Broadcasting Committee and Members of the Committee

16.30 - 17.00: Meeting with the Chairperson of the Korea-EU Inter-Parliamentary Council

17.00 - 17.30: Transfer from the National Assembly to the Hotel Dinner: free arrangements

- End of programme for 31 October 2018 -

Thursday, 1st November 2018 - Meetings with private sector and business organisations

09.10: Meeting in the lobby of the hotel

09.15 - 09.55: Bus transfer from the hotel to Samsung DE-Light centre in Gangnam Venue: Samsung Electronics BD, 11, Seocho-Daero 74-Gil, Seocho-Gu, Seoul4

10.00 - 11.20: Visit and Meeting with Samsung Electronics (i) Tour and explanation of latest digital products (ii) Meeting on data protection - Young Soo KIM, Vice President Head of Compliance Team - Choong-Hoon LEE, Security Lab, Samsung Research - Dahee KIM, Legal Counsel - Mahnjin HAN, Principal Professional, Global Public Affairs - Taeyoung PARK, Global Public Affairs

11.20 - 11.50: Transfer to luncheon location (free arrangements)

12.00 - 13.00: Luncheon and bus transfer to Naver Venue: 16th Fl., Naver Green Factory, 178-1 Jeongja-dong, Bundang-gu, Seongnam-si, Gyeonggi-do, Korea5

3 Address in South Korean: 서울시 영등포구 의사당대로 1 (여의도동) 07233 4 Address in South Korean: 서울특별시 서초구 서초대로74길 11 삼성전자 빌딩 5 Address in South Korean:경기도 성남시 분당구 정자동 178-1 NAVER 그린팩토리 16층

CR\1177539EN.docx 31/32 PE636.094v01-00 EN 13.00 - 14.15: Meeting with Ms Sungsook HAN, CEO of Naver Topics: Discussion on Privacy and search engine

14.15 - 14.55: Bus transfer from Naver to Korea International Trade Association Venue: Trade Tower 51 floor, Reception Room (Address: 511, Yeongdongdae- ro, Gangnam-gu, Seoul, Korea)6

15.00 - 15.30: Meeting with Mr Young-joo KIM, Chairman of Korea International Trade Association (KITA)

15.30 - 16.30: Roundtable Meeting with Korean companies' and economic group’s representatives Venue: Trade Tower 50 floor, Meeting Room (Medium) - Jisun KIM & Seungyeon KO, Hyundai Autoever - Jeong KIM: Celltrion Healthcare Co., Ltd - Minchul JUNG & Yong-Hyuk CHOI Korean Financial Investment Association - Hyejin KWON, Law firm Suojae - Park Hyun JOENG, Korean Air

16.30 - 17.30: Bus transfer from KITA to the Four Seasons hotel

- End of programme for 1st November 2018 -

Friday, 2nd November 2018 - Travel day

PLEASE CALCULATE SUFFICIENT TIME FOR THE CHECK-OUT OF THE HOTEL

Individual Transfer to the Airport

Individual flight back to Brussels

6 Address in South Korean: 서울시 강남구 영동대로 511(삼성동)

PE636.094v01-00 32/32 CR\1177539EN.docx EN