On July 17, 2018, less than two months after the General Data Protection Regulation (GDPR) went into effect, Japan and the European Union agreed to recognize each other's data protection regimes as providing adequate protections for personal data. The European Commission said in a press release that the move will create "the world's largest area of safe data flows." Once finalized, these "reciprocal adequacy" decisions will allow personal data to flow between companies in Japan and the EU without being subjected to additional safety checks. From a European perspective, Japan will be recognized as having "adequate safeguards" in place for data protection, meaning that specific transfer agreements with Japanese entities may no longer be required.
Even though the EU already has unilateral adequacy decisions with several other countries, this is the first time the EU and a third country have agreed on a reciprocal recognition of the adequate level of data protection. Other countries may follow suit and similarly obtain reciprocity.
This is the first time the EU and a third country have agreed on a reciprocal recognition of the adequate level of data protection.
The mutual adequacy finding will complement the existing trade benefits of the Japan-EU Economic Partnership Agreement and contribute to the Japan-EU strategic partnership by facilitating the data flow between them. Companies are expected to benefit from unhindered, safe and free data transfers between the two economies that would remain restricted in the absence of the reciprocity recognition.
Processing Personal Data Transfers From EU to Japan
The European Commission is expected to formally adopt its adequacy decision on Japan this fall. After Japan is whitelisted, personal data transferred from companies in the EU will be deemed to be protected by the same standards as in the EU if processed in accordance with Japanese law. To achieve this, Japan agreed to implement additional safeguards to align with the EU's standards. Specifically, Japan agreed to put in place stricter guidelines for the re-transfer of personal data that originally was transferred from within the EU to a company in a third country and additional limitations on the use of sensitive data. Japan also agreed to implement a new mechanism to allow EU residents to file complaints with Japan's data protection authority if public authorities in Japan unlawfully access their data.
On September 7, 2018, Japan's Personal Information Protection Commission (PPC) announced supplementary rules regarding how personal data transferred from the EU should be processed following the adequacy recognition. The rules will come into effect when the European Commission formally adopts that Japan has secured adequate level of protection for personal data pursuant to Article 45 of the GDPR. According to the rules, five major substantive changes will be implemented with respect to the current Japanese regulations, as summarized in the chart below. These changes are intended to tighten data privacy regulations in Japan to align with the GDPR. The rules will apply only to personal data transferred from the EU under the adequacy recognition.
Other Differences Between Japan's Data Privacy Law and GDPR
Entities operating in Japan must comply with its Act on Protection of Personal Information (APPI), whether or not cross-border data transfers occur. APPI is different from the GDPR in several respects; the material differences are highlighted in the chart below. Generally, the GDPR provides greater protection for data subjects and stricter regulations on the companies that process personal data than the APPI.
The PPC supplementary rules will not address these differences, as that would be beyond the intended scope. These gaps may only be filled through an amendment to the APPI. That being said, given that the APPI underwent major and thorough revisions that took effect in 2017, it is uncertain whether another fundamental revision to the APPI would be implemented anytime soon. Therefore, for entities operating in Japan, it is important to grasp the differences between the APPI and the GDPR, which has become the global standard.
Practical Implications and Considerations
Today, some companies that transfer personal data from the EU to Japan do so pursuant to standard contractual clauses (SCCs) published by the European Commission. Japanese companies using SCCs might assume that they can readily terminate these agreements once the adequacy decision is formally adopted. However, companies should keep in mind that the adequacy decision only applies to EU-Japan transfers, and SCCs between the EU and other jurisdictions will need to remain in place. Companies should also keep in mind that the EU is likely to issue an updated version of the SCCs that complies with GDPR requirements and replaces current SCCs.
Discussions Between Japan and Other Nations
In order to ensure the mutual and smooth transfer of personal data between companies in Japan and the U.S., PPC is in discussions with the U.S. Department of Commerce to promote cooperative relationships for the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system, a multilateral arrangement to certify compliance with the APEC Privacy Framework. PPC is seeking to promote the participation of other Asian countries as well as domestic enterprises, with an aim to interoperate with the EU's personal data transfer regime.
The Japanese government also is in discussions with certain U.K. authorities, including the Department of Digital, Culture, Media and Sport, and the Information Commissioner's Office, for a personal data transfer agreement that would ensure smooth transfer of data between companies in those two countries as well.
The author wishes to acknowledge the contributions of Stuart D. Levi, Mitsuhiro Kamiya, Helena J. Derbyshire and Ken D. Kumayama.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.