Japan Receives the First Adequacy Decision Under the GDPR
On 23 January 2019, Japan became the first country to earn an adequacy decision from the European Commission (EC) after the General Data Protection Regulation (GDPR) came into force on 25 May 2018. These decisions, which govern cross-border data transfers from the EU, reflect the adequacy of a third country’s level of data protection compared to the EU’s own legislation.
Coming on the heels of the EU-Japan Economic Partnership Agreement, which was approved late last year and took effect on 1 February 2019, the new adequacy decision will ensure a smooth flow of data between the EU and Japan and facilitate the increased volume of data transfers that will inevitably follow in the wake of the new partnership agreement.
The adequacy decision was mutual: Japan’s own recently amended Act on the Protection of Personal Information (APPI) required third-party countries to have a level of data protection equal to that of Japan for the free flow of data transfers.
The reciprocal adequacy decisions were welcomed by officials on both sides of the negotiations, with Justice Commissioner Věra Jourová declaring that they enabled the creation of “the world’s largest area of safe data flows”.
Supplementary APPI Rules
The European Commission’s decision came after two years of dialogue and negotiations with the Japanese Government. An understanding between the two parties was reached after Japan agreed to put additional safeguards in place to ensure that EU data transfers will enjoy protection guarantees in line with European standards.
In September 2018, the Personal Information Protection Commission of Japan (PPC) introduced a set of supplementary rules to further align the APPI to the GDPR and strengthen the protection of sensitive information, the exercise of individual rights and the conditions under which EU data can be transferred from Japan to third countries. These additional rules, which would only be implemented in case of a positive adequacy decision, apply exclusively to companies importing data from the EU and are enforceable by the PPC and Japanese courts.
Among other stipulations, the Supplementary Rules expanded the meaning of the APPI’s special care-required personal information to include an individual’s sex life, sexual orientation or trade-union membership, which are listed as special categories of personal information under the GDPR.
They also further specified that anonymously processed information must make the de-identification of the individual irreversible through the deletion of the processing method or related information. This is, no doubt, to ensure that the laxer rules governing anonymized data under the APPI do not risk the disclosure of personal information.
Companies wishing to further transfer EU data to individuals or entities abroad cannot do so if the third country does not have an adequate level of data protection in place, unless prior consent of EU data subjects is obtained for such a transfer or a contract or binding agreement similar to the GDPR’s standard contractual clauses (SCC) is put in place to ensure a level of data protection equal to that of the APPI.
One point of concern raised during the negotiations by the European Data Protection Board (EDPB) was that of access to data for law enforcement and national security purposes. The Japanese government gave assurances to the Commission that any access to data by Japanese public authorities for criminal law enforcement and national security purposes would be limited to what is necessary, proportionate and subject to independent oversight and effective redress mechanisms.
A system meant to investigate and resolve complaints from EU data subjects regarding access to their data by Japanese public authorities will also be put in place. The new complaint-handling mechanism will be administered and supervised by the independent PPC.
The Future of the Japan Adequacy Decision
The European Commission’s adequacy decision and its Japanese equivalent are effective as of 23 January 2019. Its functioning will be jointly reviewed in two years by the EC and the PPC, at which time they will assess the framework and how the APPI and its supplementary rules have been applied since the decision came into effect. The EDPB will also be part of the review to ensure that the Japanese government has kept to its assurances concerning law enforcement access to data.
If all goes well during the first review, further evaluations will subsequently take place only every four years.