On July 17, 2018, the European Commission issued a press release announcing that Japan and the European Union have concluded talks on reciprocal adequacy of their respective data protection systems, alongside a corresponding Q&A on reciprocal adequacy. After successful negotiations, both jurisdictions have reached a mutual adequacy arrangement, recognising the adequacy of each jurisdiction’s data protection framework and representing the first time that the EU and a third country have agreed on a reciprocal recognition of the level of “adequate” data protection.
As part of the agreement, the Commission has established that Japan provides a comparable level of protection of personal data to that of the European Union, enabling the personal data of individuals in the EU to be lawfully transferred from the European Economic Area (EEA) to Japan, without further safeguards or authorisations. The deal will apply to all transfers of personal data to business operators in Japan, in connection with protections provided under the Japanese Act on the Protection of Personal Information (APPI).
In connection with the agreement, Japan has committed itself to implementing additional safeguards to protect the personal data of individuals in the EU, prior to the Commission formally adopting its adequacy decision. These safeguards consist of a set of rules that will bridge the gap between the two data protection systems and that Japan will adopt and apply where personal data of EU individuals is transferred to Japan. Such rules will include:
- strengthening protections for sensitive personal data (personal data revealing racial or ethnic origin, political, religious or philosophical beliefs, trade union membership or data on an individual’s sexual orientation);
- clarifying the conditions for onward transfer of personal data where the personal data is further transferred from Japan to a third country (non-EEA Member State);
- facilitating the exercise of EU individuals’ rights to access and rectify their personal data;
- limiting use of personal data provided by a third party to the original purpose of use by the third party; and
- requiring that details of anonymization methods be deleted to prevent re-identification.
These rules will be implemented as special guidelines for EU-Japan personal data transfer, will have binding effect on Japanese companies importing personal data from the EU, and will be enforceable by the Japanese independent data protection authority, the Personal Information Protection Commission (PPC), and Japanese courts. In connection with the agreement, Japan has also committed to creating a complaint-handling mechanism to investigate and resolve complaints from EU individuals whose personal data is being processed in Japan. The new mechanism will be administered and supervised by the PPC, and is intended to ensure that, in particular, complaints by EU individuals relating to processing by Japanese law enforcement and security authorities are effectively investigated and resolved.
Under the mutual adequacy finding, the PPC designates the EEA as a foreign jurisdiction with equivalent standards of protection for its citizens’ personal data to those provided under Article 24 of the APPI, which was put into effect on May 30, 2017. Similarly, the European Commission accepts that Japan has achieved a level of data protection adequate or equivalent to the EU’s General Data Protection Regulation (GDPR), which came into force on 25 May 2018.
Once the deal has been adopted, it will cover all personal data exchanged between the two jurisdictions for commercial purposes and personal data exchanged for law enforcement purposes between EU and Japanese authorities, ensuring that a high level of data protection is applied in all such exchanges.
The Commission is planning to adopt the adequacy decision in autumn 2018, following:
- an opinion obtained from the European Data Protection Board, an EU-wide supervisory data authority comprised of the 28 EU Member State supervisory data authorities;
- approval and adoption of the draft adequacy decision by a committee composed of representatives of the 28 EU Member States; and
- an update to the European Parliament Committee on Civil Liberties, Justice and Home Affairs.
While such formal adequacy steps are ongoing, Japan will finalise its own adequacy finding in order to recognise the adequate level of data protection given by the EU. This will include the implementation of guidelines for heightened privacy rights within six months or more.
The mutual adequacy arrangement was reached in conjunction with a trade agreement between Japan and the EU, the EU-Japan Economic Partnership Agreement. The mutual adequacy arrangement is intended to complement the provisions of the EU-Japan Economic Partnership Agreement, which applies without prejudice to each jurisdiction’s legislation in the field of data protection.
Japan’s expected formal adequacy finding will see it join Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay in achieving an adequate status of data protection comparable to that of the EU. As noted in the Commission press release, the agreement also creates the world’s largest area covered by mutual agreement on data protection standards and the safe transfer of personal data.