EU-Japan: The First Adequacy Decision under the GDPR & increased Freedom for Personal Data Transfers!
On 23 January 2019, the European Commission adopted an “adequacy decision” between the EU & Japan, resulting in easier personal data transfers between the two territories!
The adoption of the adequacy decision by the European Commission on 23 January 2019 was reciprocated on the same day by the Japanese authorities, and the decision immediately entered into force. In doing so, Japan and the European Union have recognised that their respective personal data protection systems provide “adequate” protection of privacy rights.
This adequacy decision not only marks a historical event between the EU and Japan in terms of strengthening collaboration between these two territories, but is also the first adequacy decision to have been adopted since the General Data Protection Regulation ("GDPR") came into force on 25 May 2018.
Background
The adequacy decision was not taken lightly, as the EU is a territory which takes personal data matters seriously. Discussions between the European Union and Japan formed part of an EU strategy in the field of the protection of personal data and international data flows, which was mentioned in the Communication of January 2017 entitled “Exchanging and Protecting Personal Data in a Globalised World”.
Discussions between the EU and Japan on the possibility of an adequacy decision were ultimately concluded on 17 July 2018, two months after the entry into force of the GDPR on which the adequacy principle is now based. The formal procedure was first launched in September 2018, and then the EDPB (European Data Protection Committee, formerly known as the “Article 29 Working Party”, or “G29”) adopted its opinion on the adequacy decision. The decision was then adopted by the European Parliament on 13 December 2018, and finally by the European Commission on 23 January 2019.
Following this adequacy decision, Věra Jourová, Commissioner for Justice, Consumers and Equality of People, stated that:
“This adequacy decision creates the world's largest area of safe data flows. Europeans' data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers' market. Investing in privacy pays off; this arrangement will serve as an example for future partnerships in this key area and help setting global standards”
Therefore, the clear intention is the establishment of robust data protection regimes in Japan as well as in the European Union, which allow for free data transfers between these two regions. As Japan is a global innovator in new technologies and the EU is pushing forward with its commitment to the digital agenda, this adequacy decision comes at the perfect time!
Requirements for International Data Transfers
As a reminder, the GDPR requires that any transfer of personal data outside the European Union must comply with conditions that guarantee the rights and freedoms of the data subjects and the protection of their personal data.
Under the GDPR, there are several mechanisms which are deemed to provide a sufficient level of protection during an international personal data transfer. The one of interest to us is set out at Article 45 of the GDPR. This provision states that a transfer of personal data to a third country (i.e., a non-EU territory) may take place “where the Commission has decided that the third country ensures an adequate level of protection.” The provision goes on to state that where adequate protection has been decided, “such transfers shall not require any specific authorisation.”
On a practical level, this therefore means that international transfers between the European Union and Japan are now possible without the need for a specific authorisation from the supervisory authority of the country concerned (in the UK, this would be the ICO).
However, this does not mean that companies can freely transfer personal data as they please between the EU and Japan. Indeed, the GDPR nevertheless requires the data controller to inform the relevant individuals that it “intends to transfer personal data to a third country or international organisation” and that “an adequacy decision by the European Commission” exists.
On a practical level, this means that organisations carrying out EU-Japan data transfers would need to update their privacy policy to advise that personal data is transferred to Japan pursuant to this new adequacy decision.
What are the safeguards which have been implemented by Japan?
During the discussion period, Japan implemented additional safeguards, in line with European standards, to ensure the protection of personal data when it is transferred from the European Union to Japan. The guarantees put in place by Japan are as follows:
A set of additional rules that will reduce some of the differences between the two data protection systems: in particular, there are significant differences in the protection of sensitive data (the latter are not identical in the two systems*). These rules will also strengthen “the exercise of individual rights and the conditions under which EU data may subsequently be transferred from Japan to a third country”.
The Japanese government has provided assurances to the European Commission regarding access to data by Japanese public authorities “for the purposes of criminal proceedings and national security”. It should be noted that these uses of data will be limited to what is necessary and proportionate.
Finally, a complaints mechanism has been established, in particular to allow investigations into complaints from European citizens concerning “access and processing of their by Japanese public authorities”.
It is also important to note that the adequacy decisions adopted by the European Union and Japan complement the EU-Japan Economic Partnership Agreement. The latter entered into force in February 2019.
In two years' time, a first joint review will be carried out by the European Union and Japan to verify that the adequacy decisions are respected, but above all that they ensure sufficient protection of personal data in both systems. Thereafter, this review shall be carried out at least once every four years.
If you have any queries about how the adequacy decision applies to your business’ personal data processing and deletion / retention requirements, or you need further advice on international data transfers, then get in touch for your free 30 minute consultation.
Article by Lolita Huber-Froment and Charlotte Gerrish @ Gerrish Legal, March 2019.
Notes:
*PPC, Proposal for guidelines on the processing of EU data in the context of the adequacy decision, p. 4, 25 Apr. 2018.