The EU-Japan Economic Partnership Agreement between Japan and the European Union (“EU”) recently came into force, creating the world’s biggest open trading zone that covers 635 million people and almost one-third of the world’s total GDP. In the shadow of that agreement, however, another development—the mutual acknowledgment of data protection standards—took place, which should not be overlooked because it sets another world record. On January 23, 2019, the European Commission adopted its adequacy decision on Japan, acknowledging that Japan provides for an adequate level of data protection. Similarly, effective January 23, 2019, the Japanese independent data protection authority, the Personal Information Protection Commission (“PPC”), has also designated countries within the European Economic Area as having an equivalent level of data protection. This mutual acknowledgement created what is being referred to as the “largest area of safe data transfer” in the world.
These developments have important benefits for companies transferring data from the EU to Japan and vice versa, reducing burdens and giving companies greater access to customers. Below, we discuss the developments and describe what companies should consider in the future.
Process of Mutual Acknowledgement
Prior to this mutual acknowledgement, in 2015 Japan amended its privacy protection law, the Act on Protection of Personal Information (“APPI”). Those amendments came into force on May 30, 2017. After the European General Data Protection Regulation (“GDPR”) was unveiled in May 2016, the EU Commission proclaimed in January 2017 that it would start a dialogue with the PPC regarding a mutual acknowledgement of data protection standards. The parties successfully reached a final agreement in July 2018, just two months after the GDPR became directly applicable. Following the discussions between the delegates, the PPC has established so-called “Supplementary Rules” under the APPI in order to pave the way to an adequacy decision by the European Commission according to Art. 45 GDPR. In early September 2018, the process by the European Commission to adopt an adequacy decision regarding Japan was initiated, and it ended in the adoption of the adequacy decision on January 23, 2019. On the same day, the equivalency decision was proclaimed by the PPC.
How Is Personal Data From Europe Protected in Japan?
The Supplementary Rules established by the PPC apply to personal data transferred from the EU to Japan on the basis of the European Commission’s adequacy decision to ensure that personal data is protected in a way that is similar to the protection of personal data under the GDPR. The Supplementary Rules in particular:
(i) extend the scope of sensitive data that is subject to special requirements under the APPI to align with the scope of the special categories of data under the GDPR;
(ii) contain additional conditions for onward data transfers to recipients located outside the European Economic Area and Japan (consent or sufficient safeguards being required);
(iii) broaden the scope of data on which data-subject rights regarding access and rectification can be exercised to correspond to the affected individual’s rights under the GDPR;
(iv) limit the data processing by the data transferee to the purpose for which it was collected by the original data controller; and
(v) require deletion of information on the anonymization method in order for data to be qualified as anonymized data.
According to the PPC, the Supplementary Rules must be observed by Japanese businesses being supervised by the PPC and are enforceable—just like the rights granted to individuals on the basis of the APPI—by the courts and the PPC. The PPC also established a mechanism for handling, investigating and resolving complaints from Europeans about access to their data by Japanese administrative/law enforcement authorities, which will be administered and supervised by the PPC.
Advantages for European Companies
From a European perspective, the adequacy decision means that European companies can now transfer personal data to Japan without entering into so-called standard contractual clauses issued by the European Commission (notified under document C (2010) 593, C (2001) 1539 and C (2004) 5271) or ensuring that sufficient safeguards are in place by other means—safeguards that had been required even when personal data was to be transferred only within a company group.
For a controller-to-controller relationship, this means that in the future personal data can be transferred from a controller in the EU to another controller in Japan without having to enter into obligatory data transfer agreements. An exception applies in the case that both controllers are regarded to be joint controllers. In that case, they are obliged to determine their respective responsibilities in a contract pursuant to Art. 26 GDPR.
In the case of a data transfer from an EU controller to a Japanese processor, only a data processing agreement according to Art. 28 GDPR is necessary.
These changes reduce the burden on data transfers, which is particularly helpful in cases of complex data-flow structures. This decision also facilitates chain-data processing where processors in the EU engage further subprocessors in Japan, as the standard contractual clauses were not meant to be used in a processor-to-subprocessor relationship where the processor is established within the EU.
EU companies now effectively have greater access to Japanese customers and a lower risk of noncompliance fines, which under the GDPR can be significant.
Advantages for Japanese Companies
From a Japanese perspective, the acknowledgement of an equivalent level of data protection in the EU means that in the future transfers of personal data to recipients in the EU are no longer subject to additional safeguards for cross-border transfer under Art 24 APPI. Thus, it will no longer be necessary to obtain prior consent from the affected individuals for the cross-border transfer or to ensure an equivalent standard of protection by contractual/intragroup arrangements.
The EU adequacy decision facilitates, for example, the export of customer data from European business partners to Japanese companies and access to European customers by Japanese companies.
What Companies Should Do in the Future and What They Should Consider