International Data Transfers: EU and Japan Sign Reciprocal Agreement for Free Flow of Personal Data

The advent of the European Union’s General Data Protection Regulation (GDPR) has prompted other countries and regions to work to enhance their privacy regulations to meet the GDPR standards. On July 17, Japan became the latest major economy to align with the EU, when both parties signed the EU-Japan Economic Partnership Agreement (EPA). The EPA will remove many of the trade barriers between the EU and Japan and open up new markets for each side’s businesses, beginning early 2019.

On the same day, the EU and Japan concluded negotiations for a reciprocal adequacy agreement, pursuant to which they agreed to recognize each other's data protection systems as “equivalent.” This will complement the EPA by facilitating data flows between businesses and simplifying intra-group data transfers.

The reciprocal adequacy agreement follows both territories’ reform of data protection legislation. The Japanese Act on the Protection of Personal Information (APPI) came into force on May 30, 2017, and the EU General Data Protection Regulation (GDPR) came into force on May 25, 2018. The reforms increased the convergence between the two systems; for example, both territories independently identified data protection as a fundamental right, developed a common set of safeguards and individual rights, and appointed an independent data protection authority to supervise and enforce the protection of those safeguards and rights.

International Data Transfer Mechanisms

The GDPR prohibits the export of personal data outside of the European Economic Area (EEA) (the 28 EU Member States as well as Norway, Liechtenstein and Iceland), unless appropriate safeguards are implemented. A relatively small number of companies globally have implemented Binding Corporate Rules (agreements governing transfers made between members of a corporate group and approved by national regulators). Other organizations will generally need to rely on data transfer agreements which incorporate standard contractual clauses mandated by the European Commission, which are often cumbersome to implement and administer.

Adequacy Decisions

However, if the EU has issued an adequacy decision regarding a country to which personal data is exported, then that country is deemed to provide a level of protection for personal data that is essentially equivalent to EU standards. Therefore, no further safeguards are necessary when personal data is transferred to that country. This is only of limited practical use, given the small number of countries which the European Commission has so far recognized: Andorra, Argentina, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. Canada is also recognized (although this is limited to commercial organisations only) together with participants in the EU-U.S. Privacy Shield framework (currently around 3,500 organizations). Additionally, the European Commission is in adequacy discussions with South Korea. Relatively few of the countries which have, to date, been deemed to be adequate are leading economies with large populations. Leaving aside the U.S., Japan’s population and GDP are both greater than those of the other countries combined.

Reciprocal Recognition

The EU’s adequacy decision in respect of Japan is not only the first adequacy decision under the GDPR, but is significant in many respects. It is the first time that the EU has agreed to a reciprocal adequacy arrangement, meaning that Japanese and EU businesses can freely and mutually exchange personal data. As the European Commission notes, this will create the world's largest area for data transfers covering over 600 million people. This also reflects the priorities announced by the European Commission in 2017 recognizing Japan and South-Korea to be the key trading partners of the EU.

Japanese Act on the Protection of Personal Information (APPI)

In a similar way to the GDPR, the APPI only permits export of personal data outside of Japan if (i) the individual has specifically consented, (ii) the Japanese data protection authority (the Personal Information Protection Commission, PPC) has deemed that the data protection system of the recipient country as ‘equivalent’, or (iii) the third party recipient undertakes adequate precautionary measures for the protection of personal data as designated by the PPC. No country has, until now, been deemed by Japan to have an equivalent legal system. Whilst the adequacy decision has been agreed in principle, some differences between the GDPR and the APPI remain. The European Commission’s decision is still conditional on Japan implementing additional safeguards bridge the remaining differences. These include:

• Expanding the definition of sensitive data: to recognize the EU’s treatment of sex life, sexual orientation and trade union membership as sensitive data.
• Facilitating the exercise of individuals’ rights of access to, and rectification of, their personal data: under the current APPI, the right of access only applies to personal data with a retention period that exceeds 6 months. This will need to be expanded to permit access to personal data which is subject to any retention period.
• Increasing the level of protection for onward transfers of EU data from Japan to a third country: if personal data originating from the EU is being further transferred out of Japan to a third (non EU) country (i) on the basis of the data subject’s consent, the data subject must be given sufficient details of the ultimate recipient and third country so that the data subject can make an informed decision as to whether or not to consent, or (ii) businesses must ensure that adequate precautionary measures are in place, for example, by entering into agreements that comply with the APPI and relevant guidelines (equivalent to the standard contract clauses).
• Establishing a complaint-handling mechanism to investigate and effectively resolve complaints from EU citizens and residents regarding access to their data by Japanese public authorities, under the supervision of the PPC.

These rules will be implemented as special guidelines (“Guidelines”), which will have binding effect on Japanese businesses importing personal data from the EU and will be enforceable by the PPC and Japanese courts.

Next Steps

The EU and Japan will now launch their respective internal procedures for the adoption of the adequacy decision, which they have committed to completing by the autumn of 2018.

The European Commission will go through its usual procedure for adoption of EU adequacy decisions, which includes further approval by the College of EU Commissioner, an opinion from the European Data Protection Board (EDPB, composed of the heads of each national data protection authority as well as the European Data Protection Supervisor), and various consultative processes.

At the same time, Japan will finalize its own adequacy findings in order to recognize that an adequate level of data protection is given by the EU (for the transfer of personal data from Japan to the EU) and implement the Guidelines. It is unclear, as yet, whether Japan will be producing standard contract clauses equivalent to those that already exist in the EU for the onward transfers of EU data from Japan to a third country.

Implications for Businesses

After adoption, EU and Japanese businesses will be able to transfer personal data between the EEA and Japan, without implementing further safeguards (such as entering into data transfer agreements incorporating standard contractual clauses). This will simplify some commercial agreements and intra-group transfers, although many companies have, in practice, chosen to implement global data transfer agreements which implement EU standards in respect of their global operations. However, businesses should be aware that the adequacy decision does not remove their existing obligations. Under the GDPR, in particular, EU data controllers will still have to enter into data processing agreements with all their data processors (including those based in Japan). Japanese businesses with establishments in the EU will still have to comply with the GDPR. Similarly, Japanese businesses based outside of the EU, but which fall within the extra-territorial scope of the GDPR (by offering goods or services to, or monitoring the behaviour of, individuals inside the EU), will need to comply with the GDPR, as well as those obligations applicable to any processing of personal data inside Japan as provided for under the APPI and the Guidelines.

The convergence in substantive legal obligations will ultimately make compliance simpler in the longer term. This reflects the emerging global trend, witnessed in the U.S. with the California Consumer Protection Act, in increasing privacy protection to GDPR standards.