The EU-Japan Economic Partnership Agreement between Japan and the European Union (“EU”) recently came into force, creating the world’s biggest open trading zone that covers 635 million people and almost one-third of the world’s total GDP. In the shadow of that agreement, however, another development—the mutual acknowledgment of data protection standards—took place, which should not be overlooked because it sets another world record. On January 23, 2019, the European Commission adopted its adequacy decision on Japan, acknowledging that Japan provides for an adequate level of data protection. Similarly, effective January 23, 2019, the Japanese independent data protection authority, the Personal Information Protection Commission (“PPC”), has also designated countries within the European Economic Area as having an equivalent level of data protection. This mutual acknowledgement created what is being referred to as the “largest area of safe data transfer” in the world.
These developments have important benefits for companies transferring data from the EU to Japan and vice versa, reducing burdens and giving companies greater access to customers. Below, we discuss the developments and describe what companies should consider in the future.
Process of Mutual Acknowledgement
Prior to this mutual acknowledgement, in 2015 Japan amended its privacy protection law, the Act on Protection of Personal Information (“APPI”). Those amendments came into force on May 30, 2017. After the European General Data Protection Regulation (“GDPR”) was unveiled in May 2016, the EU Commission proclaimed in January 2017 that it would start a dialogue with the PPC regarding a mutual acknowledgement of data protection standards. The parties successfully reached a final agreement in July 2018, just two months after the GDPR became directly applicable. Following the discussions between the delegates, the PPC has established so-called “Supplementary Rules” under the APPI in order to pave the way to an adequacy decision by the European Commission according to Art. 45 GDPR. In early September 2018, the process by the European Commission to adopt an adequacy decision regarding Japan was initiated, and it ended in the adoption of the adequacy decision on January 23, 2019. On the same day, the equivalency decision was proclaimed by the PPC.
How Is Personal Data From Europe Protected in Japan?
The Supplementary Rules established by the PPC apply to personal data transferred from the EU to Japan on the basis of the European Commission’s adequacy decision to ensure that personal data is protected in a way that is similar to the protection of personal data under the GDPR. The Supplementary Rules in particular:
(i) extend the scope of sensitive data that is subject to special requirements under the APPI to align with the scope of the special categories of data under the GDPR;
(ii) contain additional conditions for onward data transfers to recipients located outside the European Economic Area and Japan (consent or sufficient safeguards being required);
(iii) broaden the scope of data on which data-subject rights regarding access and rectification can be exercised to correspond to the affected individual’s rights under the GDPR;
(iv) limit the data processing by the data transferee to the purpose for which it was collected by the original data controller; and
(v) require deletion of information on the anonymization method in order for data to be qualified as anonymized data.
According to the PPC, the Supplementary Rules must be observed by Japanese businesses being supervised by the PPC and are enforceable—just like the rights granted to individuals on the basis of the APPI—by the courts and the PPC. The PPC also established a mechanism for handling, investigating and resolving complaints from Europeans about access to their data by Japanese administrative/law enforcement authorities, which will be administered and supervised by the PPC.
Advantages for European Companies
From a European perspective, the adequacy decision means that European companies can now transfer personal data to Japan without entering into so-called standard contractual clauses issued by the European Commission (notified under document C (2010) 593, C (2001) 1539 and C (2004) 5271) or ensuring that sufficient safeguards are in place by other means—safeguards that had been required even when personal data was to be transferred only within a company group.
For a controller-to-controller relationship, this means that in the future personal data can be transferred from a controller in the EU to another controller in Japan without having to enter into obligatory data transfer agreements. An exception applies where both controllers are regarded as joint controllers. In that case, they are obliged to determine their respective responsibilities in a contract pursuant to Art. 26 GDPR.
In the case of a data transfer from an EU controller to a Japanese processor, only a data processing agreement according to Art. 28 GDPR is necessary.
These changes reduce the burden on data transfers, which is particularly helpful in cases of complex data-flow structures. This decision also facilitates chain-data processing where processors in the EU engage further subprocessors in Japan, as the standard contractual clauses were not meant to be used in a processor-to-subprocessor relationship where the processor is established within the EU.
EU companies now effectively have greater access to Japanese customers and a lower risk of noncompliance fines, which under the GDPR can be significant.
Advantages for Japanese Companies
From a Japanese perspective, the acknowledgement of an equivalent level of data protection in the EU means that in the future transfers of personal data to recipients in the EU are no longer subject to additional safeguards for cross-border transfer under Art. 24 APPI. Thus, it will no longer be necessary to obtain prior consent from the affected individuals for the cross-border transfer or to ensure an equivalent standard of protection by contractual/intragroup arrangements.
The EU adequacy decision facilitates, for example, the export of customer data from European business partners to Japanese companies and access to European customers by Japanese companies.
What Companies Should Do in the Future and What They Should Consider
- The Supplementary Rules clearly state that additional protection for data from the EU under the Supplementary Rules will only apply to data transferred on the basis of the adequacy decision. Therefore, companies located in the EU should assess whether it is more suitable for them to (continue to) rely on the standard contractual clauses issued by the European Commission or exploit the mechanisms under the adequacy decision.
- If the companies come to the conclusion that keeping the standard contractual clauses issued by the European Commission updated is too much administrative work (e.g., in the case of complex data structures with frequent changes in the data flows and/or purpose of use), data transfer on the basis of the adequacy decision may be preferable. In that event, companies in Japan that plan to import data from the EU based on the adequacy decision should review their internal policies to check whether they can comply with the further requirements under the Supplementary Rules before agreeing to data transfer on the basis of the adequacy decision.
- Companies in the EU should review their Privacy Policies to ensure accuracy of their Policies when setting out the way the company safeguards the data transfer to Japan (i.e., whether they rely on SCCs or on the adequacy decision) to comply with the information obligation under Art. 13/14 GDPR.
- If companies decide to rely on the adequacy/equivalency decision, they should review whether existing contracts need to be amended to reflect the changed basis for the data transfer.
- The validity of three decisions of the EU Commission concerning the standard contractual clauses is currently under review by the European Court of Justice, which may possibly lead to the invalidity of such clauses that are currently in use. Furthermore, the EU Commission will review its adequacy decision concerning Japan on a regular basis, and therefore the adequacy decision could potentially be withdrawn. Thus, companies should monitor developments surrounding data transfer mechanisms to confirm they are still in effect.
- In contrast to data transfers from the EU to Japan based on the adequacy decision of the European Commission, where the requirements under the Supplementary Rules must be observed, data transfers based on the equivalence decision by the PPC do not require any further safeguards. Therefore, companies exporting personal data from Japan to the EU should rely on the equivalence decision.
An Important Word of Caution
This mutual acknowledgement has been praised as “creating the largest area of safe data flow.” However, this should not be misunderstood as “creating the largest area of free data flow.” Under the GDPR, the processing of personal data is (and will still generally be) prohibited unless there is a legal basis for such processing. This first step of finding a legal basis for processing remains unaltered. Only at a second step do changes occur due to the adequacy decision. This second step concerns international data transfer. The GDPR requires that the level of protection of natural persons (and thereby their personal data) guaranteed by the GDPR is not undermined due to international data transfer. The GDPR recognizes several options for ensuring adequate protection. One of these is a transfer on the basis of an adequacy decision. If countries are not recognized by the European Commission to provide for an adequate level of data protection, they have to rely on other safeguards (such as the conclusion of SCCs). Thus, the “only” change brought about by the adequacy decision is that this second step of ensuring sufficient protection can be overcome more easily.
All other requirements under the GDPR still have to be observed. This, in particular, also means that if Japanese companies offer goods or services to, or monitor the behavior of, data subjects in the EU, these companies must comply with all requirements under the GDPR. The same applies to the processing of personal data according to the APPI.
It should be noted that while Japanese companies exporting personal data to the EU are exempted from cross-border data transfer requirements under Art. 24 APPI, they still need to comply with the requirements under Art. 23 APPI (which are applicable to both domestic and cross-border data transfer), which specifies the circumstances under which data may be transferred in general.
Moreover, if European companies collect personal data of individuals in Japan in relation to offering goods or services to them, these companies will still have to comply with further requirements under the APPI.
Along with the EU-Japan Economic Partnership Agreement, this development has the potential to enhance new working and business opportunities. It is also a great step forward for international businesses. This mutual acknowledgement shows that implementing a high level of data protection is an opportunity, and not just the establishment of “further obstacles.” It creates new possibilities of international cooperation and can facilitate global growth. Given these developments, other non-privacy approved countries may reconsider their privacy approach and acknowledge the importance of data protection to ensure a level playing field for their own companies.
In two years’ time, a first review of the adequacy decision on Japan will be conducted, and subsequent reviews will take place at least every four years. There remains hope that not only will this adequacy decision last but also that the EU will find a similar solution regarding the data transfer to South Korea. Dialogues between the EU and South Korea about acknowledging each other’s data protection standards are ongoing.