On January 23 2019, the European Commission (EC) has adopted an adequacy decision on Japan whereby allowing for a free flow of personal data between the EU Member States and Japan.
This blog will give you more insight into the background and content of the decision, and will also briefly discuss the expectations for future adequacy decisions.
In January 2017, the European Commission (EC) launched the dialogue with Japan regarding the topic of reaching an adequacy decision. This dialogue was successfully concluded in July 2018 with the agreement that both parties will recognize each other’s data protection system as adequate, whereby allowing personal data to be transferred safely between the European Union (EU) and Japan. Following this agreement, a procedure was launched in September 2018 to realize this goal which included the opinion of the European Data Protection Board (EDPB) and the agreement from a committee composed of representatives of the EU Member States. The decision was adopted by both the EC and Japan and became applicable on January 23 2019. This adequacy decision concerns the protections provided under the Japanese Act on the Protection of Personal Information (APPI) and will apply to all transfers of personal data to business operators in Japan.
What does an adequacy decision entail?
An adequacy decision is one of the mechanisms that the General Data Protection Regulation (GDPR) provides for the transfer of personal data from the European Economic Area (EEA) (the 28 EU Member States as well Norway, Liechtenstein and Iceland) to a country outside of the EEA (third countries). It is taken by the EC and establishes that a third country provides a level of data protection that is essentially equivalent to that provided for in the EU. Upon the adoption of an adequacy decision, personal data can flow safely from the EEA to the respective third country without being subject to further safeguards or authorizations.
It should be noted that the adequacy standard does not imply an exact replica of the standard in the EU, but it involves a comprehensive assessment of the third country’s relevant systems. The European Data Protection Authorities have established various elements that must be taken into account which include evaluating the country’s rules on access to personal data by public authorities for law enforcement as well as its national security and other public interest purposes. Accordingly, the EC has recognized various privacy systems as adequate, for instance that of Argentina, Israel and New Zealand. The EC has also adopted a partial adequacy finding for Canada and for the United States under the Privacy Shield (more information about the adequacy decisions can be found here).
How does Japan meet the adequacy criteria?
As described above, there are various elements that the EC considers in evaluating whether a country meets the standard of essential equivalence. For Japan to meet this standard, there were several safeguards that it had to implement in addition to modernizing its data protection legislation. The latter created an increased cohesion between the GDPR and Japan’s national legislation as the APPI now for instance recognizes data protection as a fundamental right and has also formalized the supervision and enforcement by an independent data protection authority (the Personal Information Protection Commission). Other safeguards that Japan implemented include its commitment to establish a system for addressing complaints under the supervision of the Personal Information Protection Commission in order to ensure that complaints from Europeans with regard to potential access to their personal data by Japanese law enforcement and national security authorities will be adequately examined and resolved. Moreover, Japan has ensured that the further transfer of Europeans' data from Japan to another third country will be subject to a higher level of protection.
Can we expect more adequacy decisions to be taken by the EC soon?
The EC has shared its intention to actively engage with other key trading partners as well, such as Korea, but also with India, Mercosur and other third countries that are keen on obtaining an adequacy finding. As commercial exchanges increasingly depend on personal data flows and considering that the privacy and security of such data is an absolute must under the GDPR, it is not surprising that countries are keen on obtaining such a decision. Additionally, greater compatibility between different data protection landscapes seems to be increasing. We will keep our readers updated regarding developments around other adequacy findings.