The European Commission has issued an "adequacy decision" in respect of Japan reducing the regulatory burden of transferring personal data from the EU to Japan. Japan has made an equivalent decision for transfers to the EU.
The EU General Data Protection Regulation (the “GDPR”) restricts the transfer of personal data from the EU to non-EU countries. Such transfers are only permitted in specified circumstances. One such circumstance is where the European Commission has made a decision that the destination country has an adequate regime for the protection of personal data. This is known as an "adequacy decision." An adequacy decision enables organisations to export personal data from the EU without the need to obtain consent from data subjects and without having to put in place specified safeguards (such as standard contractual clauses or binding corporate rules).
The European Commission has previously made twelve adequacy decisions that recognised the adequate level of protection provided by select non-EU jurisdictions, including Switzerland, New Zealand, and the USA (for organisations affiliated with the Privacy Shield framework).
On 23 January 2019, a new step was taken in streamlining flows of personal data between EU and non-EU countries. The European Commission adopted an adequacy decision on the transfer of personal data to Japan, whilst an equivalent decision was adopted by Japan. According to the European Commission, these mutual decisions create the world’s largest area for safe personal data flows.
This agreement, along with the EU-Japan Economic Partnership Agreement due to come into force next month (see here for further information) is intended to further strengthen the trading relationship between the EU and Japan, and builds upon a joint declaration made in July 2017 by the Japanese Prime Minister, Shinzo Abe, and Commission President, Jean-Claude Juncker, to continue to facilitate data exchanges by ensuring a common level of protection.
Meeting Adequacy Standards
Japan has taken a number of measures to ensure its protection regime meets a sufficient standard for personal data received from the EU. In particular, Japan has:
- implemented Supplementary Rules that apply only to personal data transferred from the EU to bridge differences with the EU’s systems, including in relation to the protection of sensitive data, data subjects’ rights and the rules on onward transfer of personal data originating from the EU;
- given assurances that only necessary and proportionate access to personal data from the EU would be permitted for criminal law enforcement and national security purposes; and
- introduced a complaints-handling mechanism to investigate and resolve complaints from EU data subjects regarding access to their data by Japanese public authorities.
The mutual adequacy arrangement allows personal data to be transferred lawfully between the two jurisdictions.
The EU-Japan agreement came into operation on 23 January 2019. A two year review will be undertaken in 2021 to assess and reflect on the functioning of the framework.
Currently the UK is subject to, and able to benefit from, the mutual EU-Japan adequacy decisions as an EU member state. This may change on the UK’s eventual departure from the Union. However, the UK government has proposed legislation that would mean all adequacy decisions currently in force, and all those adopted up until exit day, remain effective on the UK following departure. This would mean that data transfers to Japan from the UK following Brexit would still be based upon the new adequacy decision, although this remains subject to change prior to, or in the period following, exit day. There is no guarantee that Japan’s equivalent decision would extend to the UK upon departure.
The EU-Japan mutual adequacy arrangement will simplify the measures and documentation required for EU-Japan personal data transfers, although EU-based organisations should still ensure that appropriate data processing and sharing agreements are made with corresponding parties in Japan. Those looking to rely on the EU-Japan adequacy decision for the establishment of long-term data sharing agreements should be mindful that the GDPR requires the European Commission to monitor adequacy decisions on an ongoing basis and repeal adequacy decisions if necessary.
Japanese organisations will also have to take into account the supplementary rules that will apply to personal data received from the EU and which treat EU imported personal data differently to other personal data processed under Japan’s data protection regime.