Aug 82018

Japan Granted Adequacy Deal on Data Protection by the EU

Geraldine Scali, Akira Nakazawa, Tomoki Ishiara, William RM Long and Jasmine Agyekum
, , ,

On July 17, 2018, the European Commission released a press release announcing Japan and the European Union have concluded talks on reciprocal adequacy of their respective data protection systems, alongside a corresponding Q&A on reciprocal adequacy. After successful negotiations, both jurisdictions have reached a mutual adequacy arrangement, recognising the adequacy in each jurisdiction’s data protection framework and representing the first time that the EU and a third country have agreed on a reciprocal recognition of the level of “adequate” data protection.

As part of the agreement, the Commission has established that Japan provides a comparable level of protection of personal data to that of the European Union, enabling the personal data of individuals in the EU to be lawfully transferred from the European Economic Area (EEA) to Japan, without further safeguards or authorisations. The deal will apply to all transfers of personal data to business operators in Japan, in connection with protections provided under the Japanese Act on the Protection of Personal Information (APPI).

In connection with the agreement, Japan has committed itself to implementing additional safeguards to protect the personal data of individuals in the EU, prior to the Commission formally adopting its adequacy decision. The additional safeguards include a set of rules providing individuals in the EU whose personal data is being transferred to Japan with additional safeguards that will bridge the gap between the two data protection systems and to which Japan will adopt and apply where personal data of EU individuals is transferred to Japan. Such rules will include:

  • strengthening protections for sensitive personal data (personal data revealing racial or ethnic origin, political, religious or philosophical beliefs, trade union membership or data on an individual’s sexual orientation);
  • clarifying the conditions for onward transfer of personal data where the personal data is further transferred from Japan to a third country (non-EEA Member State);
  • facilitating the exercise of EU individuals’ rights to access and rectify their personal data;
  • limiting use of personal data provided by third party to the original purpose of use by the third party; and
  • requiring that details of anonymization methods be deleted to prevent re-identification.

These rules will be implemented as special guidelines for EU-Japan personal data transfer, have binding effect on Japanese companies importing personal data from the EU and will be enforceable by the Japanese independent data protection authority, the Personal Information Protection Commission (PPC) and Japanese courts.  In connection with the agreement, Japan has also committed to creating a complaint-handling mechanism to investigate and resolve complaints from EU individuals whose personal data is being processed in Japan. The new mechanism will be administered and supervised by the PPC, and is intended to ensure that, in particular, complaints by EU individuals relating to processing by Japanese law enforcement and security authorities are effectively investigated and resolved.

Under the mutual adequacy finding, PPC designates the EEA as a foreign jurisdiction with equivalent standards of protection for its citizens personal data to those provided under Article 24 of the APPI, which was put into effect on May 30, 2017. Similarly, the European Commission accepts Japan has achieved a level of data protection adequate or equivalent to the EU’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018.

Once the deal has been adopted, it will cover all personal data exchanged between the two jurisdictions for commercial purposes and personal data exchanged for law enforcement purposes between EU and Japanese authorities, ensuring that a high level of data protection is applied in all such exchanges.

Next Steps

The Commission is planning to adopt the adequacy decision in autumn 2018, following:

  • an opinion obtained by the European Data Protection Board, an EU wide supervisory data authority comprised of the 28 EU Member State supervisory data authorities;
  • approval and adoption of the draft adequacy decision by a committee composed of representatives of the 28 EU Member States; and
  • an update to the European Parliament Committee on Civil Liberties, Justice and Home Affairs.

While such formal adequacy steps are ongoing, Japan will finalise its own adequacy finding in order to recognise the adequate level of data protection given by the EU.  This will include the implementation of guidelines for heightened privacy rights within six months or more.

The mutual adequacy arrangement was reached in conjunction with a trade agreement between Japan and the EU, the EU-Japan Economic Partnership Agreement. The mutual adequacy arrangement is intended to complement the provisions of the EU-Japan Economic Partnership Agreement, which applies without prejudice to each jurisdiction’s legislation in the field of data protection.

Japan’s expected formal adequacy finding will see it join Andorra, Argentina, Canada, Faeore Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay in achieving an adequate status of data protection comparable to that of the EU. As noted in the Commission press release, the agreement also creates the world’s largest area covered by mutual agreement on data protection standards and the safe transfer of personal data.

Geraldine Scali

gscali@sidley.com

Akira Nakazawa

anakazawa@sidley.com

Tomoki Ishiara

Tokyo

tishiara@sidley.com

William RM Long

London

wlong@sidley.com

Jasmine Agyekum

jagyekum@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.