On 17 July 2018, the European Union and Japan reached an agreement to recognize each other’s data protections systems as “equivalent”. Once adopted, this “adequacy decision” will allow businesses to transfer personal data from the European Economic Area to Japan and vice versa without being required to provide further additional safeguards for each transfer.
Data transfers from the Europe to Japan
The General Data Protection Regulation (GDPR) replaced the so called Data Protection Directive last year, with the declared aim of harmonizing data privacy laws across Europe, protecting and empowering all EU residents’ data privacy and reshaping the way organizations across the world approach data privacy with an extensive geographical scope.
An adequacy decision is the most straightforward tool provided under the GDPR to allow the free flow of personal data between EEA members and a third country. Its adoption involves a comprehensive assessment by the Commission of the target country’s data protection framework, the relevant redress mechanisms available for individuals and the international commitments or other obligations, in particular in relation to data protection, which must be adhered to by the target country.
This adequacy decision is grounded on the level of protection granted by the Japanese Personal Information Protection Act (the “PIPA”). To comply with the EU strict standards, in September 2018, Japan’s Personal Information Protection Commission provided additional safeguards to protect EU citizen’s data, and issued the final supplemental rule that applies to personal data transferred from EU to Japan within the adequacy framework.
This PPC EU Supplement Rule: (i) expands the scope of “sensitive personal information” to include information regarding sexual orientation or labor union membership, thereby subjecting such information to stricter restriction under the PIPA; (ii) eliminate an exemption for personal data that is deleted within 6 months; and (iii) narrow the scope of “de-identifiable personal information.”
It should be noted that in the PPC EU Supplement Rule, it notes that the PPC has an authority to take appropriate administrative actions for failure of compliance with the safeguards provided therein, citing its general authority provided for cases of immediate infringement of rights and benefits of individuals, even though such safeguards are arguably stricter standards than what the PIPA provides. The PPC EU Supplement Rule becomes effective when the EU’s adequacy decision becomes effective.
From Japan to Europe
Under the PIPA, a business is likely to be required to obtain prior affirmative consent from relevant individuals (as opposed to an opt-out option) to provide personal data to a party outside of Japan. One of the statutory exceptions is that the recipient is located in a country or region designated by the PPC as having personal data protection system equivalent to the standards of the PIPA.
In this regard, the PPC has agreed to recognize EU as a region providing equivalent protection as the PIPA and issue a final designating order when the EU completes its adequacy determination. For businesses, this means that, going forward, transfer of personal data from Japan to the EU may be arranged with appropriate disclosure of a privacy policy and without obtaining express affirmative consent from relevant individuals.
The world’s largest area of free flow of data
We can only welcome this joint effort to facilitate data transfers between our two economies and create the world’s largest area of free flow of data while at the same time ensuring adequate protection over personal data of the respective residents. As soon as this legal scheme is effective and in force, businesses will enjoy the benefits of the new data transfer framework, something that must be read in the context of the new EU-Japan Economic Partnership Agreement, which should become effective as soon as February 1, 2019.
The PPC has already completed its adopting efforts, and on the European side, the European Data Protection Board gave its greenlight on December 5; after that, the European Commission’s final adopting decision is expected to happen soon.
As a final comment, it should be noted that the Data Agreement concerns personal data transfer in between EU and Japan only; any transfer of private data of EU individuals from Japan to other countries, such as the US, will require careful consideration of all applicable laws and regulations.