On 23 January 2019, the European Commission adopted an adequacy decision in relation to Japan, creating, in the words of Justice Commissioner Věra Jourová, “the world's largest area of safe data flows”.
The Commission’s adequacy decision, which is the first under the EU General Data Protection Regulation (GDPR), was forged on the basis of a number of additional safeguards that Japan agreed to put in place to ensure that personal data transferred from the EU to Japan enjoys protection guarantees in line with EU standards.
These include “supplementary rules” providing additional safeguards to strengthen, for example, the protection of sensitive data, the exercise of individual rights and the conditions under which EU data can be further transferred from Japan to another third country; assurances as regards access of Japanese public authorities for criminal law enforcement and national security purposes; and a mechanism for handling complaints from Europeans regarding access to their data by Japanese public authorities.
The GDPR provides for different tools to transfer personal data to third countries, including adequacy decisions. The European Commission has the power to determine whether a third (i.e., non-EU) country offers an adequate level of data protection by providing a comparable level of protection of personal data to that in the EU, through its domestic law or its international commitments.
Where a third country is given adequacy status, personal data can flow safely from the EU to that country, without being subject to any further safeguards or authorisations. Adequacy does not require the third country's data protection system to be identical to the EU’s. Rather, it is based on the standard of "essential equivalence" and involves a comprehensive assessment of the third country's data protection framework — both of the protection guarantees applicable to personal data and of the relevant oversight and redress mechanisms available. The European Parliament and European Council can request the Commission to maintain, amend or withdraw adequacy decisions.
The Commission has so far adopted adequacy decisions for the following countries and territories: Andorra, Argentina, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US. The decisions on Canada and the US are "partial" adequacy decisions. The decision on Canada applies only to private entities falling under the scope of the Canadian Personal Information Protection and Electronic Documents Act. The EU-US Privacy Shield framework is a "partial" adequacy decision, as, in the absence of a general data protection law in the US, only the companies committing to abide by the Privacy Shield principles benefit from free data transfers. The Commission is also in the process of negotiating an adequacy decision with South Korea.
The Commission’s adequacy decision on Japan
The Commission’s adequacy decision concerns the protections provided under the Japanese Act on the Protection of Personal Information (APPI). It therefore applies to all transfers of personal data to business operators in Japan.
The decision was based on a series of additional safeguards that, it has been agreed, will apply to the data of Europeans when transferred to Japan. For instance, the Japanese definition of “sensitive data” will be expanded, the exercise of individual rights will be facilitated, and the further transfer of Europeans' data from Japan to another third country will be subject to a higher level of protection. These “supplementary rules” will be binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority, namely, the Personal Information Protection Commission (PPC), and courts.
Japan has also agreed to establish a system for handling and resolving complaints, under the supervision of the PPC, to ensure that potential complaints from Europeans as regards access to their data by Japanese law enforcement and national security authorities will be effectively investigated and resolved.
The Japanese government also gave assurances to the Commission regarding safeguards concerning the access of Japanese public authorities for criminal law enforcement and national security purposes, ensuring that any such use of personal data would be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms.
The adequacy decision and the equivalent Japanese decision are effective immediately. After two years, a first joint review will be carried out to assess the functioning of the framework, covering all aspects of the adequacy finding, including the application of the supplementary rules and the assurances for government access to data. The European Data Protection Board — the body composed of EU data protection authorities — will participate in the review regarding access to data for law enforcement and national security purposes. Subsequently, a review will take place at least every four years.
The EU and Japanese reciprocal adequacy decisions complement the EU-Japan Economic Partnership Agreement, which came into force on 1 February 2019. In a statement, the European Commission said that European companies will “benefit from free data flows with a key commercial partner, as well as from privileged access to the 127 million Japanese consumers. The EU and Japan affirm that, in the digital era, promoting high privacy and personal data protection standards and facilitating international trade must and can go hand in hand.”
By contrast, the EU is refusing to engage with the UK on the matter of the UK’s adequacy until after Brexit and, if no EU withdrawal agreement is reached before 29 March 2019, the economic impact of the UK’s pending inadequacy should not be underestimated. Although there are alternative measures that UK businesses can take to ensure that they can receive personal data from the EEA, the clear commercial benefits of automatic cross-border data flows will be lost. To quote from the Institute for Government’s October 2018 paper on Data adequacy: “Any restriction placed on data flows would act as a barrier to trade, putting UK businesses at a competitive disadvantage.”
Additionally, if the UK leaves the EU without a deal, there is no guarantee that an adequacy decision will be forthcoming, at least in the short term. The political impetus toward adequacy will be lost. The Institute for Government notes that the fastest adequacy assessment so far, for Argentina, took 18 months — and delay might arise if the EU takes issue with the UK’s handling of data under the Investigatory Powers Act 2016, aspects of the Data Protection Act 2018 concerning immigration control, and the UK’s data sharing arrangements with other third countries.