On July 17, 2018, the European Union and Japan successfully concluded negotiations on a reciprocal finding of an adequate level of data protection, thereby agreeing to recognize each other’s data protection systems as “equivalent.” This will allow personal data to flow safely between the EU and Japan, without being subject to any further safeguards or authorizations.

This is the first time that the EU and a third country have agreed on a reciprocal recognition of the adequate level of data protection. So far, the EU has adopted only unilateral adequacy decisions with 12 other countries—namely, Andorra, Argentina, and Canadian organizations subject to PIPEDA, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States (EU-U.S. Privacy Shield)—which allow personal data to flow safely from the EU to these countries.

Background

On January 10, 2017, the European Commission (“the Commission”) published a communication addressed to the European Parliament and European Council on Exchanging and Protecting Personal Data in a Globalized World. As announced in this communication, the Commission launched discussions on possible adequacy decisions with “key trading partners,” starting with Japan and South Korea in 2017.

The discussions with Japan were facilitated by the amendments made to the Japanese Act on the Protection of Personal Information (Act No. 57 of 2003) that came into force on May 30, 2017. These amendments have modernized Japan’s data protection legislation and increased convergence with the European data protection system.

Key parts of the adequacy finding

Once adopted, the adequacy finding will cover personal data exchanged for commercial purposes between EU and Japanese businesses, as well as personal data exchanged for law enforcement purposes between EU and Japanese authorities, ensuring that in all such exchanges a high level of data protection is applied.

This adequacy finding was decided based on a series of additional safeguards that Japan will apply to EU citizens’ personal data when transferred to their country, including the following measures:

  • expanding the definition of sensitive data;
  • facilitating the exercise of individuals’ rights of access to and rectification of their personal data;
  • increasing the level of protection for onward data transfers of EU data from Japan to a third country; and
  • establishing a complaint-handling mechanism, under the supervision of the Japanese data protection authority (the Personal Information Protection Commission), to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities.

Next steps

The EU and Japan will launch their respective internal procedures for the adoption of the adequacy finding. The Commission is planning on adopting its adequacy decision in fall 2018, following the usual procedure for adopting EU adequacy decisions. This involves (1) the approval of the draft adequacy decision by the College of EU Commissioners; (2) obtaining an opinion from EU Data Protection Authorities within the European Data Protection Board, (3) completing by a comitology procedure, requiring the European Commission to obtain the green light from a committee composed of representatives of EU Member States; and (4) updating the European Parliament Committee on Civil Liberties, Justice and Home Affairs. Once adopted, this will be the first adequacy decision under the EU General Data Protection Regulation.