On 5 September 2018, the EU Commission commenced proceedings to adopt an Adequacy Decision in relation to Japan's protection of personal data by issuing a draft 'Commission Implementing Decision'. This is an important step towards the culmination of discussions between the EU and Japan that were initiated in January 2017, with the aim of permitting the free flow of personal data between the parties. These discussions were part of the broader free trade negotiations between Japan and the EU, which concluded with a successful agreement on 17 July 2018.
Japan and the EU alike will now need to fulfil all required next steps (see below) in order for the adequacy decision to be adopted. Subject to these procedures being fulfilled, this will:
- result in the largest area of legitimised cross-border transfers of personal data worldwide; and
- provide a template for other EU adequacy decisions following the coming into force of the EU General Data Protection Regulation ("GDPR").
Prelude to the Adequacy Decision
After more than a year of negotiations, on 17 July 2018 a 'Joint Statement' was issued by Haruhi Kumazawa, (Commissioner of the Personal Information Protection Commission of Japan (Japan's independent data protection authority)) and Věra Jourová (EU Commissioner for Justice, Consumers and Gender Equality), declaring the reciprocal recognition of both data protection systems as 'equivalent'. Although an agreement as to equivalence was made, internal procedures at national level were required to be completed by both parties in order to facilitate seamless data transfers between the EU and Japan.
The Joint Statement indicates that 'the mutual adequacy finding will create the world's largest area of safe data transfers' and reaffirmed the commitment of both parties 'to shared values concerning the protection of personal data, and to strengthen their cooperation and demonstrate their leadership, in shaping global standards based on a high level of protection of personal data.' The launch of the draft 'Commission Implementing Decision' represents a solid step in the direction of realising the aspirations of the Joint Statement.
The Joint Statement was released on the same day that the EU and Japan signed the Economic Partnership Agreement, an EU-Japan free trade agreement. The Joint Statement observed that the mutual adequacy finding will 'complement and enhance the benefits of the Economic Partnership Agreement and contribute to the strategic partnership between Japan and the EU'. This was a positive statement in a period of increasing uncertainty surrounding international transfer mechanisms, given the challenge against the adequacy decision approving the EU-US Privacy Shield framework that is pending before the European Court of Justice.
What is an Adequacy Decision under the GDPR?
Under the GDPR, as under the prior EU data protection framework, a transfer of personal data to a third country or to an international organisation may only take place if one of several conditions are met, including the applicability of an adequacy decision. A European Commission adequacy decision in favour of a third country means that personal data can flow freely from the EU to that third country without the need for additional safeguards, as if it were being transferred within the EU.
Whilst an adequacy decision does not require the two data protection frameworks to be identical, a thorough analysis and assessment of the framework to determine whether it is 'essentially equivalent' is required. When assessing the adequacy of the foreign jurisdiction's data protection regime, Article 45(2) of the GDPR states that the European Commission shall take into account, amongst other things, the following factors: the rule of law; respect for human rights and fundamental freedoms; relevant legislation; the existence and effective functioning of one or more independent supervisory authorities; and, the international commitments the third country or international organisation has entered into.
Without an adequacy decision, alternative appropriate safeguards must be relied on to transfer personal data to a third country such as the European Commission approved standard contractual clauses or binding corporate rules, each of which is subject to additional requirements, conditions and restrictions. An adequacy decision is therefore seen as the most straightforward way to transfer data outside of the EEA.
What Rules Apply in Respect of Transfers of Personal Data from Japan to the EU?
The mutual adequacy finding outlined in the Joint Statement, signifies that Japan considers the EU to be a foreign country with equivalent standards of protection for personal data. Like the EU, under Articles 24 and 75 of Japan's Act on the Protection of Personal Information ('APPI'), the transfer of Japanese personal information is restricted from export outside of Japan unless strict requirements are met. A mechanism to enable transfer is that the foreign country has a personal information protection system recognised to have equivalent standards to that of Japan. This standard is set by the rules of the Personal Information Protection Commission (PPC).
Adopting an adequacy finding is not a decision the EU Commission will take lightly. This is all the more the case given the successful challenge against the EU-US Safe Harbor Framework before the European Court of Justice, and the pending challenge against the successor arrangement, the EU-US Privacy Shield. The Commission will also be mindful of the non-binding resolution which the European Parliament adopted in July, calling for the suspension of the EU-US Privacy Shield. Both Japan and the EU will now initiate the proceedings necessary to fulfil their respective commitments under the Joint Statement and complete the internal procedures required under their respective laws.
For the EU, this will require an implementing act of the European Commission in accordance with the examination procedure referred to in Article 93(2) GDPR. The European Commission press release of 5th September 2018, confirms that the draft adequacy decision will now go through the following procedure:
- Opinion from the European Data Protection Board
- Consultation of a committee composed of representatives of the Member States (comitology procedure)
- Update of the European Parliament Committee on Civil Liberties, Justice and Home Affairs;
- Adoption of the adequacy decision by the College of Commissioners.
Furthermore, the implementing act must contain a mechanism for periodic review.As part of the Joint Statement issued in July, Japan committed to implement a set of rules providing EU individuals whose personal data is transferred to Japan with additional safeguards that are intended to bridge any differences between the two data protection systems. Amongst other things, this set of rules were to provide stronger protection in the following areas:
- The Japanese law's definition of 'sensitive personal information', as it relates to EU data subjects, will be expanded to include sex life, sexual orientation and labour union membership status;
- Additional restrictions will be placed on the onward transfer of EU personal data by the recipient in Japan to other countries;
- EU data subjects will have rights to access and rectification of their data;
- Japan's independent data protection authority, the PPC, will have the authority to enforce the rules on behalf of EU data subjects; and
- The Japanese Government will give assurances that access to EU data subject information will be limited to what is necessary and proportionate and subject to independent oversight. There will be a mechanism for the purposes of investigating and resolving complaints relating to the accessing of EU personal data by Japanese public authorities. The mechanism is to be administered and supervised by the PPC.
Recently, Japan issued Supplementary Rules and provided a representation from the Japanese government to the European Commission in order to address the above concerns in regard to Japan's equivalency. The Supplementary Rules are to go into effect once each side has finalized their adequacy decision. The rest of the steps needed to finalize the adequacy decision on Japan's side are expected to be completed this Fall.
Scope of the Adequacy Decision
Once adopted, the adequacy decision on Japan will cover most transfers of personal data between the EU and Japan for commercial purposes, between organisations. The current draft of the 'Commission Implementing Decision', however, 'does not cover personal data transferred to recipients falling within one of the following categories, and all or part of the purposes of processing of the personal data corresponds to one of the listed purposes, respectively:
(a) broadcasting institutions, newspaper publishers, communication agencies or other press organisations (including any individuals carrying out press activities as their business) to the extent they process personal data for press purposes;
(b) persons engaged in professional writing, to the extent this involves personal information;
(c) universities and any other organisations or groups aimed at academic studies, or any person belonging to such an organisation or group, to the extent they process personal information for the purpose of academic studies;
(d) religious bodies to the extent they process personal information for purposes of religious activity (including all related activities); and
(e) political bodies to the extent they process personal information for the purposes of their political activity (including all related activities).'
A commitment has been made by both parties to ensure the relevant internal procedures required to adopt an adequacy decision will be completed by the end of autumn 2018.
After the date on which the adequacy decision is adopted, Article 45 (3) of the GDPR provides that a periodic review of the decision must take place at least every four years. All existing adequacy decisions are currently under review by the European Commission.
The Effects of an Adequacy Decision
Once all of these steps have been completed, data subjects whose personal data is transferred between the EU and Japan will benefit from enhanced levels of protection. Companies operating in Japan and Europe will need to ensure they have in place the proper processing and handling policies required locally in each jurisdiction in order to comply with the applicable laws governing the processing of personal data at the national level, and they will also need to comply with the additional rules imposed as a condition of the adequacy finding.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.