On 5 September 2018, the EU Commission officially launched the procedure for the recognition of the adequate protection of personal data by Japan. The Commission published its proposed adequacy decision while at the same time EU Commissioner Jourová, in charge of Justice, Consumers and Gender Equality briefed the College of the EU Commission (which consists of the 28 Commissioners) on the next steps. The draft adequacy decision can be found here.
This important step follows long lasting discussions between both parties, which started in 2017 and resulted into a political agreement between the European Union and Japan that was announced this summer. This political agreement was the kick-off of the formal procedures in the EU and Japan to officially recognise each other as offering a comparable level of data protection. The recognition in the EU is done through the adoption of an “adequacy decision” taken by the EU Commission on the basis of Articles 45 and 93 of the General Data Protection Legislation (“GDPR”). It acknowledges that a third country, a territory or specified sectors within a third country ensures an adequate level of data protection. The adequacy decision has relevance for the entire European Economic Area (“EEA”), which means that the three EEA Member States (Iceland, Liechtenstein and Norway) are also bound by the adequacy decision. This follows from the Joint Committee Decision (JCD) adopted on 6 July 2018 which incorporates the GDPR into Annex XI of the European Economic Area Agreement.
Once the formal procedures are completed on both sides, personal data will be able to flow safely and freely between the EEA and Japan, without being subject to any further safeguards or derogations. Until then, any transfer of personal data between the EU and Japan will remain subject to the requirements of Articles 46 and following of the GDPR, such as through the adoption of binding corporate rules or by executing the standard contractual clauses adopted by the EU Commission.
Next steps on the EU side
The adequacy procedure requires the review by a committee composed of representatives of the EU Member States. It must issue its opinion by a qualified majority (Article 16(4) of the Treaty on the European Union), i.e. at least 55% of the committee members, comprising of at least 15 of them and representing EU Member States comprising at least 65 % of the EU population. Where the committee delivers a positive opinion, the College of the EU Commission is allowed to adopt the draft adequacy decision with the majority of its members (i.e. 15 out of 28).
Beforehand, the European Data Protection Board (“EDPB”), that is the independent EU body created by the GDPR composed of the supervisory authorities of all Member States and the European Data Protection Supervisor, must provide its opinion on the assessment done by the EU Commission of the adequacy of Japan (Recital 105 GDPR). The European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE), responsible for the vast majority of the legislation and democratic oversight of Justice and Home Affairs policies, will also provide an update on the Japanese data protection framework and its enforcement. The LIBE committee was already involved in adequacy discussions with country officials in Japan last year.
The EU Commission should finalise the adoption procedure this year.
Next steps on the Japanese side
Before the adequacy decision may be adopted by the EU Commission, Japan must implement a number of additional safeguards.
In addition to the revised Japanese Act on the Protection of Personal Information (“APPI”), the Japanese independent data protection authority (“PPC”) published on 7 September 2018 "Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision", which will become effective when the EU Commission’s adequacy decision becomes effective. These rules introduce additional safeguards when EU data is sent to Japan which should overcome the differences which still exist between both legal systems. This includes enhanced rules on the definition of ‘sensitive data’, the exercise of individual rights and onward transfers. The Supplementary Rules say that these additional safeguards are binding on Japanese companies importing data from the EEA and will be enforceable by the PPC.
A complaint-handling mechanism was initially foreseen to be included in the Supplementary Rules upon request of the EU, but this was eventually not retained by Japan. However, according to the official press release of the EU Commission, a commitment was made by Japan to implement such mechanism in the future.
Japan also made further commitments to take steps on the access to personal data by Japanese public authorities for criminal law enforcement and national security purposes.
In parallel, Japan will finalise the adequacy finding on its side. The PPC will need to adopt a decision designating the EEA as offering equivalent protection within the meaning of the APPI, thereby recognising the EU data protection framework.
Adequacy part of a larger cooperation between EU and Japan
The secure free flow of personal data between the EU and Japan is part of a bigger effort made to stimulate trade between the two regions and will strengthen the benefits of the Economic Partnership Agreement (“EPA”), a large bilateral free trade agreement between the EU and Japan which removes trade barriers between both economies (mostly in the services and food sector) and strengthens the cooperation between each other. The EPA is currently awaiting ratification by the European Parliament and the Japanese Diet. Once the Council receives the Parliament's consent, it may proceed with the conclusion of the agreement. The entry into force is expected in January 2019.