Transborder data flow

Transborder data flow (국제적인 개인정보의 이전, 개인정보의 국제유통/個人情報 國際流通), abbreviated as TBDF, means cross-border flow of personal data.

The term derives from the Organisation for Economic Cooperation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (September 23, 1980). TBDF has been one of the issues which the OECD Guidelines, Council of Europe Convention (CoE 108), and European Union (EU) Data Protection Directive (Directive 95/46/EC) take care of for data protection. In this regard, Fair Information Practices (FIPs) function as core principles. All three organizations revised and extended the original U.S. statement of FIPs, with the OECD Privacy Guidelines being the version most often cited in subsequent years.

Statutory ground
Statutory ground for TBDF is found in the following two laws:

Article 17 (Provision of Personal Information) of the Personal Information Protection Act (개인정보보호법)
 * (1) The personal information processor may provide (or share, hereinafter the same applies) the personal information of data subjects to a third party in the case applicable to any of the following Subparagraphs:
 * 1. Where the consent is obtained from data subjects; or
 * 2. Where personal information is provided within the scope of purposes for which personal information is collected under Subparagraphs 2, 3 and 5 of Article 15(1);
 * (2) The personal information processor shall inform data subjects of the followings when it obtains the consent under Subparagraph 1 of Paragraph (1). The same shall apply when any of the followings is modified:
 * 1. The recipient of personal information;
 * 2. The purpose of use of personal information of the said recipient;
 * 3. Particulars of personal information to be provided;
 * 4. The period when personal information is retained and used by the said recipient; and
 * 5. The fact which data subjects are entitled to deny consent, and disadvantage affected resultantly from the denial of consent.
 * (3) When the personal information processor provides personal information to a third party overseas, it shall inform data subjects of any of Subparagraphs of Paragraph (2), and obtain consent from data subjects. The personal information processor shall not enter into a contract for the cross-border transfer of personal information in violation of this Act.

Article 14 (International Cooperation) of ditto
 * (1) The government shall work out policy measures necessary to enhance the data protection standard in the international environment.
 * (2) The government shall work out relevant policy measures so that the rights of data subjects may not be infringed upon owing to cross border transfer of personal information.

Article 63 (Protection of Out-bound Personal Information) of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (정보통신망 이용촉진 및 정보보호 등에 관한 법률)
 * (1) The information and communications service providers, etc. shall not enter into any international contract of which contents violate the provisions of this Act with respect to the personal information of users.
 * (2) The information and communications service providers, etc. shall obtain the consent of users when they intend to transfer the personal information of such users to abroad.
 * (3) The information and communications service providers, etc. shall, when they intend to obtain the consent pursuant to Paragraph (2), notify the user in advance of the whole matters stated in the following Subparagraphs:
 * 1. The items of personal information to be transfered;
 * 2. The state to which personal information will be transferred, the date and time of transfer and the method thereof;
 * 3. The name (referring to the company name and the contact points of the officer in charge of data protection in case of a juridical person) of a person who will be provided with the personal information; and
 * 4. The purpose of utilization, and the period of retention and utilization, of personal information on the part of a person who will be provided with the personal information.
 * (4) The information and communications service providers, etc. shall take the protective measures as prescribed by the Presidential Decree when they transfer the personal information to abroad with the consent pursuant to Paragraph (2).