The European Commission announced on 23 January 2019 that it has adopted an adequacy decision on Japan (its press release can be found here).[1] This is a result of the assessment process which began on 5 September 2018, the background of which can be found in our previous blog here.

Japan’s data protection authority, the Personal Information Protection Commission (PPC), has also adopted its equivalent decision on Japanese personal data flows to the EU. This mutual recognition allows the safe free flow of personal data between the two territories, creating the world’s largest arena of secure data flows.

New rules for Japanese Business Operators

The European Commission has found that Japan’s data protection legislation and practice constitutes an “adequate framework”. This is based on analysis of the Japanese Act on the Protection of Personal Information (APPI) already in place, together with the newly agreed Supplementary Rules (see below).

The adequacy decision is limited to the protection of personal information by “Personal Information Handling Business Operators” (Business Operators) within the meaning of the APPI. Some data importers in Japan conducting certain types of data processing are excluded from this adequacy decision. These can be found in Article 76 if the APPI, for example, broadcasting institutions processing personal information for press purposes. If EU personal data are exported to those excluded data importers, a different legal ground will be required.

Japan’s improvements to the APPI, applicable to all personal data in Japan, has assisted the European Commission’s decision by evidencing commonalities between the two regimes. Japan has introduced extra crucial safeguards for EU personal data. Some of these are:

The Supplementary Rules

The Supplementary Rules under the APPI for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision (Rules), are a set of rules which tie the two economies together to ensure the same guarantees provided by EU law for EU personal data will be applicable in Japan. As on the adequacy decision date, the Rules are in force. The Rules are legally binding on Japanese Business Operators handling EU personal data and are enforceable by the PPC. Some of the key features of the Rules are as follows:

  • When a Japanese Business Operator processes EU personal data, it must provide equivalent rights of access, rectification and deletion for the EU individual as found in the EU General Data Protection Regulation (GDPR).
  • The Rules expand the category of special categories of data (referred to “sensitive” data) EU personal data for Japanese Business Operators to include sex life, sexual orientation and trade union membership status. This allows the enhanced protections for this category of data to cover all “sensitive” personal data under the GDPR.
  • A Japanese Business Operator must obtain the consent of EU individuals if it wishes to transfer EU personal data from Japan to a third country (a non EU/EEA country). As an exception to obtaining consent, appropriate instruments must be used to give an equivalent level of protection as dictated by the APPI (by means of contract or binding agreement). These correspond to the instruments used in the GDPR to ensure appropriate safeguards (in particular, contractual clauses and binding corporate rules).

Criminal law enforcement and national security assurances

Japanese public authorities will now only access EU personal data if “necessary and proportionate” as weighed by independent oversight, for the purposes of criminal law enforcement and national security.

A new complaints procedure

Japan will establish a system for managing and solving complaints from EU data subjects that will be supervised by the PPC.

Actions for Japanese Business Operators handling personal data

Data processes

Japanese Business Operators must check personal data is:

  1. processed under appropriate security measures,
  2. processed only to the extent necessary for the purpose for which the data was transferred,
  3. kept accurate and up to date,
  4. processed with additional safeguards if “sensitive”, noting the extension of this definition for EU personal data, as stated above,
  5. for EU personal data, can only be transferred to third countries if the EU individual has consented or if other instruments are used, as stated above;
  6. if transferred to processors or controllers in Japan, done under proper agreements securing the data and establishing responsibilities.

Data retention policy

Japanese Business Operators must have a data retention policy to ensure that personal data are only kept for the time necessary to fulfil the purpose for which the data was transferred.

Data subject rights

Japanese Business Operators must implement systems and controls to ensure that EU individuals are able to request access/correction/deletion of his/her personal data.

Privacy policies

Japanese Business Operators must have a privacy policies made available to EU individuals to provide information about the purposes for processing their personal data.

The European Commission has provided a brief summary of the new data protection obligations for Japanese Business Operators that can be found here.

As this is a joint adequacy decision, European companies importing Japanese Personal Data must ensure similarly that they are handling such data in accordance with Japanese data privacy rights.

Further comment

This is the first adequacy decision made under the GDPR. It remains to be seen whether the European Commission will decide to review existing adequacy decisions under the previous EU data protection framework.  It is also up for periodic review to determine whether the adequacy decision on Japan should continue.

The European Commission has demonstrated ambition by actively promoting its data protection values and furthering the convergence of legal systems globally to foster cross border data flows. Talks launched on 5 September 2018, are currently underway with South Korea in view of another adequacy decision. The Communication published by the European Commission setting forth its strategy on adequacy decisions can be found here.

[1] What is an adequacy decision?
The European Commission can decide whether a third country (a non EU/EEA country) provides equivalent standard of protection for personal data. This is decided by analysis of the third country’s data protection framework including its international commitments and its domestic law. The European Commission conducts thorough assessments of both the third country’s:
  1. security guarantees to personal data, and
  2. redress procedures available for data subjects.
If a third country is given an adequacy decision, EU personal data can flow to that country as if it were being transferred within the EU. A list of other adequate territories can be found here.