Significant progress has been made over the past 11 months to bridge the differences between Japan's privacy protection requirements under the Act on the Protection of Personal Information (APPI) and those of the EU under the GDPR.
In December 2017, Japan's data privacy authority, the Personal Information Protection Commission (PPC), published a joint statement with the European Commission (EC) regarding mutual adequacy findings between Japan and the EU on transfers of data.
The importance of this objective was reaffirmed in the meeting, especially in light of the recent finalization of the negotiations of the Economic Partnership Agreement (EPA) between Japan and the EU. Mutual adequacy findings enhancing free data flows will complement and enhance benefits of the Japan-EU EPA, while strengthening protection of the fundamental right to privacy.
The next agreed stage is to work on the details of solutions and accelerate the pace of the talks. Further discussions will also be held between the PPC Secretariat and the EC Directorate-General for Justice and Consumers to finalize forthcoming amendments to the PPC Rules and prospective additional Guidelines for the mutual adequacy findings as outlined below. The ambitious plan is to finalize the discussion of the necessary changes to achieve mutual adequacy on data transfers in Q1 2018 with a high-level meeting with the EU to occur early in the year.
Forthcoming Amendments to the PPC Rules for Transfer of Personal Data from Japan to the EU
To establish a fundamental framework for mutual and smooth transfers of personal data between Japan and the EU, in June 2017, the PPC proposed the following criteria to be set forth as amendments to the PPC Rules for designating a foreign country (which is an alternative measure to obtaining the data subject's consent for a cross-border transfer of personal data from Japan to a foreign country under Article 24 of the APPI):
- there are statutory provisions or codes equivalent to those relating to the obligations of personal information handling business operators defined under the APPI, and the policies, procedures and systems to enforce compliance with these rules can be recognized;
- there is an independent personal data protection authority, and the authority has ensured the necessary enforcement policies, procedures and systems;
- the necessity for a foreign country designation can be recognized as being in Japan’s national interests;
- mutual understanding, collaboration and cooperation are possible; and
- establishing a framework to pursue mutual smooth transfer of personal information is possible while seeking the protection thereof.
On 7 December 2017, the PPC published draft amendments to the PPC Rules reflecting the above criteria (see here - Japanese language only) and invited public consultation on the draft amendments until January 5, 2018. The result of this consultation will be made public in due course.
Possible PPC Guidelines for Processing of Personal Data to be Transferred from EU to Japan
In February 2018, the PPC further reported on a plan to establish additional Guidelines applicable to the processing in Japan of personal data transferred from the EU under the mutual adequacy findings. The PPC recognizes the following major differences between the APPI and the GDPR, and plans to reflect them in the additional Guidelines (see here - Japanese language only):
(a) Sensitive data – personal data regarding sex life, sexual orientation, and labor union membership transferred from the EU shall be treated as equivalent to “special care-required personal information (yōhairyo kojinjyōhō)” under the APPI;
(b) Scope of the data subject’s rights on the retained personal data – the data subject’s rights to request disclosure, correction, suspension of usage, etc. shall apply to any personal data transferred from the EU regardless of the duration of the data retention period;
(c) Clarification of the scope of data usage purposes – data usage purposes for personal data transferred from the EU shall be limited to the scope of the purposes specified upon collection, to be confirmed through the confirmation and record retention obligations upon transfer/receipt of personal data to/from a third party under Articles 25 and 26 of the APPI;
(d) Re-transfer from Japan to another country outside of the EU – for a re-transfer of personal data by way of the data subject’s consent, the data subject must be sufficiently informed of the circumstances of the country to which the data is re-transferred, and such country must have data protection laws equivalent to the protection under the APPI, to be ensured by contracts or the like; and
(e) Anonymized data – "anonymization" of personal data transferred from the EU shall mean that, by discarding decryption keys, no one can re-identify a specific individual data subject (as distinct from "pseudonymization"). Such data is treated as "anonymously processed information (tokumei-kakō jyōhō)" under the APPI.
The Guidelines are intended to cover non-EU members of the EEA (Iceland, Liechtenstein and Norway) pursuant to the EEA Agreement. Please also note that the Guidelines may be mandatory in Japan, but will likely not be mandatory in other jurisdictions such as the EU and the US.
Getting ready for the future
Although the mutual adequacy findings, when agreed, will align the regulations on the cross-border transfer of personal data between Japan and the EU, there are further differences between the APPI and GDPR, including: data protection officer (DPO) requirements, security breach notification, profiling, data portability, etc., in addition to the five major items outlined in the section above. As a result, companies handling personal data from/in the EU will have to carefully monitor further developments under the GDPR as well as relevant amendments to the PPC regulations.