In light of today’s increasing globalisation of international trade it is decisive for companies to transfer personal data globally. The EU Japan adequacy decision will set the necessary framework for such a global data transfer by allowing the free flow of data between both jurisdictions.
Draft adequacy decision
After the talks on reciprocal adequacy between the EU and Japan were successfully concluded in July 2018, the EU Commission has published the draft adequacy decision on 5th September 2018. In this decision, the EU Commission explains that Japan adopted Supplementary Rules in order to enhance its data protection standard. These Supplementary Rules apply in addition to the general data protection provisions under the recently amended Act on the Protection of Personal Information (APPI). In the same way as the provisions of the APPI, the Supplementary Rules are legally binding on Japanese businesses and enforceable by the independent supervisory authority (PPC) as well as by courts in Japan. Based on a detailed review the EU Commission concludes that the interaction between the provisions of the APPI and the Supplementary Rules ensure an adequate level of protection for personal data transferred to Japan.
The adoption of the adequacy decision by the College of Commissioners is now expected for 2019 after the conclusion of the further procedure.
Background: Adequacy Decision and SCCs
Data transfers to countries outside the EU/EEA are only admissible under the European General Data Protection Regulation (GDPR) if the processing as such is lawful and either
- the receiving country is deemed as “secure” by the Commission via an adequacy decision (Art. 44 GDPR); or
- safeguard mechanisms, such as Standard Contractual Clauses (SCCs), ensure a level of data protection comparable to that of the EU (Art. 45 GDPR).
Regarding data transfers from the EU/EEA to Japan, the conclusion of SCCs has been the most relevant safeguard mechanism so far. This will change with the adoption of the new adequacy decision as Japan will then be considered a secure country to which data transfers are expressly permitted.
Practical question: Impact on existing SCCs
Hardly examined is the impact of the adequacy decision on existing SCCs. The decision whether SCCs should continue to be in effect alongside the adequacy decision needs to be assessed on a case by case basis depending on the respective contractual structure. The following aspects should be considered in this context:
- SCCs may be used as “backup” in case the adequacy decision was repelled
- Controller to Controller: SCCs may be used for documentation purposes regarding the legal basis for the data processing, in particular in regard to legitimate interests (Art. 6 (1) lit. f GDPR)
- Controller to Processor: SCCs do not meet all requirements of data processing agreements under Art. 28 GDPR. Therefore, in case the data transfer has solely been based on SCCs, the parties need to conclude respective amendments to the existing clauses.