On 17 July 2018, the EU Commission (“Commission”) and Japan concluded the negotiations on a reciprocal finding of an adequate level of data protection by both sides.
Under the General Data Protection Regulation (“GDPR”) which became effective across Europe on 25 May 2018, an adequacy decision adopted by the Commission is one of the ways which allows personal data to be transferred outside the European Economic Area (“EEA”). An adequacy decision is adopted if the Commission, after its assessment of the level of protection in the recipient jurisdiction, decides that the recipient jurisdiction ensures an adequate level of protection to the personal data of EU data subjects.
This is the first time the Commission and a third country have agreed on reciprocal recognition in respect of data protection adequacy. The other countries or territories which have been assessed by the Commission as having an adequate level of protection of personal data are all based on the Commission’s unilateral decisions (e.g. New Zealand, Canada and Switzerland). Reciprocal recognition means that not only can personal data be transferred from the EEA to Japan in compliance with the GDPR, it can also be transferred from Japan to the EU in compliance with the Japanese law.
NEXT STEPS TO FINALISE THE ADEQUACY DECISION
The reciprocal recognition is not an official adequacy decision adopted by the Commission under the GDPR yet. The Commission will now launch a process, which will eventually lead to the adoption of an adequacy decision under the GDPR. The process includes obtaining an opinion from the European Data Protection Board and the green light from a committee consisting of representatives of the EU Member States.
In the meantime, Japan has committed to implement additional safeguards to protect personal data of EU data subjects (i.e. individuals who are within the EEA regardless of his/her nationality), before the Commission formally adopts the adequacy decision. The additional safeguards include (i) a set of rules, which bridges several differences between the Japan data protection regime and the GDPR, and (ii) a complaint-handling mechanism for handling complaints from EU data subjects regarding access to their personal data by Japanese public authorities.
IMPLICATIONS OF AN ADEQUACY DECISION UNDER THE GDPR
Once the Commission adopts the adequacy decision under Article 45 of the GDPR, personal data can be transferred from the EEA to Japan without any further safeguard being necessary.
Without an adequacy decision, transfers of personal data from the EEA to other non-EEA countries or territories are prohibited unless one of the safeguards set out in Article 46 of the GDPR is available or one of the derogations set out in Article 49 applies. Those safeguards which are most commonly adopted by businesses include binding corporate rules and a data transfer agreement between a data transferor and a data transferee adopting the standard data protection clauses approved by the Commission (i.e. EU Model Clauses).
Japan is the second jurisdiction in APAC (after New Zealand) which has been whitelisted by the Commission. Please note that the Commission reviews its adequacy decisions regularly and has the ability not to renew the decision in the future.
Other APAC jurisdictions may want to follow Japan’s example to meet the Commission’s requirement on providing adequate level of protection to personal data under local data protection laws, as this can facilitate businesses in transferring personal data to and from the EEA. For example, the Commission is also in ongoing talks with South Korea in relation to adequacy of the Korean data protection regime. In the meantime, Japan may benefit from this adequacy decision as companies in Asia may want to move their activities involving processing of personal data of EU data subjects to Japan.