On the 23rd of January the European Commission announced the formal approval of the EU-Japan Adequacy decision and its entry into force on the same day. Private and public organizations can therefore transfer personal data between the EEA and Japan without the need for additional safeguards or derogations specific to international transfers.
This decision was adopted in a relatively short time span, despite several concerns and clarification requests from the European Data Protection Board (EDPB) and the European Parliament. The cause for this speedy adoption were the trade talks between EU and Japan that materialized with the entering into force of the Economic Partnership Agreement on the 1st of February 2019. The free flow of personal data was a constitutive part of the negotiations and particularly important in the service sector.
To reach this agreement, Japan had to provide several safeguards and guarantees in order to ensure that its data protection framework lives up to EU standards. These safeguards were confirmed by the Japanese government in the two annexes to the decision; namely the Supplementary Rules and the Assurances.
The Supplementary Rules are meant to fill the regulatory gaps between the GDPR and Japan´s Act of Protection of Personal Information (APPI). These rules have full legal power and are meant to complement the APPI. Moreover, these are applicable exclusively to personal data transferred from the EU to Japan and for the private sector. These rules consist of five additional requirements for Japanese businesses, namely:
Complaints concerning these measures can be addressed directly to the Japanese controllers and, in case of dissatisfaction, the EU resident can file a complaint to one of the local or national consumer centers established in Japan.
In order to comply with these additional measures, Japanese businesses will most probably need to implement organization and technical measures to identify and track personal data transferred from the EU.
Complementary to the above-mentioned rules, specific Assurances have been given by the Japanese government concerning personal data processing practices. A thorough description of practices, safeguards and oversight measures is provided in Annex 2 of the decision, in order to guarantee that an adequate level of data protection of EU transferred personal data is ensured by the Japanese public authorities.
Furthermore, in order to guarantee enforcement of these assurances, EU residents can file complaints through a dedicated EU complaints mediation webpage of the Personal Information Protection Commission (Japan’s Data protection authority), that will undertake the necessary resolution steps with the national public authorities. The Personal Information Protection Commission will inform the concerned public authority about the complaint and investigate the potential infringement. Moreover, it will oversee that corrective measures are effectively applied and will inform the concerned data subject of the outcome of the investigation.
Besides the free flow of personal data, the first adequacy decision of the GDPR-era will also impose several new requirements for businesses located in Japan. Furthermore, the timing of the decision demonstrates again the strong connection between international data flows and trade, especially in ensuring effective implementation of free trade agreements. Finally, and more interestingly, the speedy adoption could represent a shift towards a more pro-active European Commission in negotiating adequacy decisions, notably with the current expansion of the national privacy laws around the globe.