Japan / EU Data Flows – draft adequacy decision published

The European Union has moved one step closer to adopting a formal adequacy decision in respect of Japan. The Commission published its draft decision on 5 September 2018 after the EU and Japan agreed to recognise the equivalence of each other’s data protection regimes in July of this year. This is the first time the EU has moved forward with the reciprocal recognition of data protection standards with another jurisdiction. Once the decision is finalised it will enable free flow of personal data between the two jurisdictions without the need for separate authorisation from any regulator. See our previous blog post on the agreement HERE.

The draft decision explains that in order to secure the favourable decision by the Commission, Japan adopted a set of Supplementary Rules[1] in June 2018 applicable to personal data transferred from the EU to Japan. These Supplementary Rules are binding on Japanese businesses and enforceable by the Japanese Personal Information Protection Commission (PPC) and the courts. These Rules will apply in addition to the general protections under the Act on the Protection of Personal Information (2003) (APPI), which was most recently amended in 2017.

The Supplementary Rules

The Supplementary Rules provide the following enhanced protections for European data subjects:

1. True anonymisation (not pseudonymisation) of EU personal data: The Supplementary Rules provide that EU personal data will only be considered to have been anonymised if all information that could identify an individual has been irreversibly removed. This is a higher standard than the standard permitted under Japanese law, which allows for pseudonymisation.
2. All EU personal data to be subject to the same individual rights: Under the APPI, certain rights including rights of access, rectification and objection to processing do not apply to data that is “set to be deleted” within the next 6 months. Under the Supplementary Rules, all EU personal data will now be subject to the full suite of rights under the APPI regardless of how long the data will be retained for.
3. Consent required for a transferee to change the purpose for which EU personal data is processed: When personal data is transferred outside the organisation that collected it there is uncertainty under the APPI as to whether the recipient is bound by the original purpose limitations or if it is free to process the data for other purposes without the data subject’s consent. The Supplementary Rules ensure that any entity receiving EU personal data in Japan may only process that data for the original purpose specified. Any change in purpose will require the data subject’s consent.
4. Enhanced protection for all sensitive personal data: The Supplementary Rules expand the category of personal data that benefits from enhanced protection under the APPI that are intended to prevent discrimination and prejudice to the data subject. This enhanced protection will now be available to all ‘sensitive personal data’ under the GDPR, including information concerning an individual’s personal life, sexual orientation or trade-union membership.
5. Onward Transfers of EU personal data only permitted where binding protections in place: The Supplementary Rules limit onward transfers of EU personal data from Japan to a third country. Such transfers may only be made (without consent) where (i) the PPC has recognised the third country as providing an equivalent level of protection to that guaranteed under the APPI in Japan, and (ii) where the transferor and the third party recipient have entered into an enforceable contract (or have binding corporate rules in place) that provide for an equivalent level of protection for the transferred data to the protection under both the APPI and the Supplementary Rules together. (For clarity, it is not necessary that the law of the third country directly provides the enhanced protections of the Supplementary Rules.)
6. Direct Marketing only permitted if also permitted in the EU: The APPI does not explicitly deal with direct marketing. To address this discrepancy with the GDPR, the Supplementary Rules provide that if the original purpose for which the data was collected did not encompass direct marketing, direct marketing will not be permitted in or from Japan either. Under the GDPR, direct marketing must be explicitly and separately brought to the attention of the data subject before the data is collected, along with the right to opt-out. More generally, the Supplementary Rules provide that all purpose limitations will continue to attach to personal data exported from the EU to Japan.
7. Increased enforcement powers: The Supplementary Rules strengthen the PPC’s enforcement powers. Any company issued with a recommendation to rectify a violation of the APPI in relation to the processing of EU personal data must take action to remedy the violation. If no action is taken, this will be considered a serious infringement subject to a binding order. The leeway the PPC has under Japanese law to allow organisations to derogate from the APPI on “legitimate grounds” will not apply to the transferred data of EU data subjects.

Public Authorities

In addition to the Supplementary Rules, Japan has agreed to implement safeguards in relation to processing of personal data by Japanese public authorities, including police and security agencies. The Japanese government also gave assurances to the Commission that it will implement safeguards against the access of Japanese public authorities for criminal law enforcement and national security purposes, ensuring that any such use of personal data would be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms. In addition, a separate complaints handling process will be available (administered and supervised by the PPC) for any complaints raised by EU data subjects in relation to processing of their data by Japanese public authorities.

Adoption Steps

The draft adequacy decision will now be subject to the following process of adoption:

• Opinion issued by the European Data Protection Board;
• Completion of the comitology procedure – approval by a committee of representatives of the EU Member States;
• Update made to the European Parliament Committee on Civil Liberties, Justice and Home Affairs; and
• Adoption by the College of Commissioners.

This process is expected to be completed before the end of 2019. Japan’s equivalent internal procedure to recognise the EU’s data protection framework is also underway.

After Brexit, the GDPR will cease to be directly applicable in the UK and the UK will not benefit from this adequacy decision. The UK is in the process of seeking its own adequacy decision from the Commission to facilitate data transfers once it has left the European Union. However, this will not apply to transfers between the UK and Japan.

Adequacy Decision: Korea

The Commission is also in the process of agreeing an adequacy decision in respect of Korea. In a joint press release in June, the EU Commissioner for Justice, Consumers and Gender Equality and the Chairman of the Korea Communications Commission confirmed a meeting is intended to take place later in 2018 to finalise the adequacy talks.

Commission’s Draft Adequacy Decision in relation to Japan, available HERE.

Commission press release in relation to Draft Adequacy Decision, available HERE.

[1]Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data transferred from the EU based on an Adequacy Decision” – These Rules will appear in Annex 1 of the adequacy decision but currently remain subject to linguistic revision and will be available shortly.

“