On 23 January 2019, the European Commission (the “EU Commission”) authorized the free flow of personal data to Japan. This “adequacy decision,” issued jointly with a mirroring decision by the Japanese government, allows personal data to transfer between the European Union (the “EU”) and Japan freely and under strong guarantees of protection. The outcome of lengthy negotiations resulting in Japan strengthening its privacy rules to follow EU standards, the adequacy decision arrives a few days before the EU-Japan free trade agreement enters into force in February 2019.
How Did We Get Here?
Even though the EU already has unilateral adequacy decisions with several other countries (such as Argentina, Canada, Switzerland and, through the Privacy Shield, the United States), this is the first time the EU and a third country agreed on a mutual recognition of the adequate level of data protection.
The General Data Protection Regulation (“GDPR”), the EU privacy law that entered into force in May 2018, empowers the EU Commission to issue adequacy decisions when a foreign country or international organization provides a level of protection that is deemed adequately comparable to the EU privacy framework. An adequacy decision allows the free flow of data without the additional safeguards that would otherwise be necessary for outbound transfers— standard contract clauses, binding corporate rules, etc.
In making adequacy decisions, the EU Commission performs a comprehensive assessment of the guarantees offered under the domestic laws of its counterparty. Such an assessment uses criteria including, inter alia, the existence and effective functioning of data protection authorities and the ability of authorities to access the transferred data.
In the case of Japan, the negotiations concluded with changes to Japanese legislation, most notably, the introduction of wider individual privacy rights and the establishment of the Personal Information Protection Commission (the “PPC”), an independent supervisory authority. In addition, Japan adopted, under “supplementary rules,” provisions imposing a higher standard for protecting personal data originating from the EU. These supplementary rules are legally binding and enforceable by the PPC.
With the adequacy decision entering into force immediately, companies can, as of today, rely on the EU adequacy decision as authorization to transfer personal data from the EU to Japan and vice versa. However, while the adequacy decision may be applicable indefinitely, it will be “continuously monitored” by the EU Commission. In fact, the decision itself states that it will be subject formally to periodic review (as required by Art. 45 GDPR), the first being in two years’ time. If the level of privacy protection offered under Japanese law ever changes, the EU Commission may decide to amend or revoke its decision.