On 5 September, the European Commission published a draft 'adequacy decision' which, if finalised, would confirm Japan as one of a small number of countries and territories deemed by the Commission to have data protection safeguards essentially equivalent to those in place in the EU.
Japan is also in the process of formalising a reciprocal finding. Together, the measures promise to facilitate the free flow of personal data by organisations trading in both the EU and Japan and give those businesses comfort that their data transfer arrangements comply with both EU and Japanese law.
However, there remain further steps to be taken before the deal on data protection that was first agreed in July takes effect.
The purpose of an 'adequacy decision'
EU data protection law puts restrictions on the transfer of personal data outside of the European Economic Area (EEA). One way in which organisations can transfer personal data outside of the trading bloc is where they do so to a country that benefits from a so-called 'adequacy decision' of the European Commission.
Countries that benefit from an adequacy decision are considered to have laws essentially equivalent to those that safeguard personal data inside the EEA. Where an adequacy decision has been issued, data transfers between the EU and those third countries are said to be compliant with EU data protection laws. For example, Canada, Switzerland and New Zealand are among the countries that benefit from a Commission adequacy decision.
Establishing a mutual adequacy arrangement with Japan will "create the world's largest area of safe transfers of data based on a high level of protection for personal data", the Commission previously said.
The 5 September developments
Earlier this month, the Commission took the important step of commencing the procedure for the adoption of its adequacy decision for Japan.
At the time, EU justice commissioner Věra Jourová announced the publication of the Commission's draft adequacy decision in addition to related documents which highlight additional safeguards that Japan will apply to EU personal data transferred to Japan, as well as commitments regarding access to personal data by Japanese public authorities for law enforcement and national security purposes.
The measures are aimed at guaranteeing that Japan's level of data protection is equivalent to that of the EU's. Japan is also going through a similar process to recognise the EU's data protection framework.
In a statement, Jourová said: "We are creating the world's largest area of safe data flows. Personal data will be able to travel safely between the EU and Japan to the benefit of both our citizens and our economies. Our partnership will promote global standards for data protection and set an example for future partnerships in this key area."
Each side is now going through its internal procedures towards the final adoption of its reciprocal adequacy finding.
For the EU, this includes obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU member states.
Once all the procedures have been completed, the Commission will be able to formally adopt the adequacy decision on Japan.
The main elements of the adequacy decision
To guarantee a level essentially equivalent to European standards, Japan has committed to implementing the following additional safeguards to protect personal data transferred to Japan, before the Commission formally adopts its adequacy decision:
- A set of rules providing individuals in the EU whose personal data are transferred to Japan, with additional safeguards that will bridge several differences between the two data protection systems. These additional safeguards will strengthen, for example, the protection of sensitive data, the conditions under which EU data can be further transferred from Japan to another third country, the exercise of individual rights to access and rectification. These rules will be binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority (PPC) and courts.
- The Japanese government also gave assurances to the Commission regarding safeguards concerning the access of Japanese public authorities for criminal law enforcement and national security purposes, ensuring that any such use of personal data would be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms.
- A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the Japanese independent data protection authority.
- Europeans will benefit from strong protection of their personal data in line with EU privacy standards when their data is transferred to Japan. This arrangement will also complement the EU-Japan Economic Partnership Agreement as European companies will benefit from free data flows with a major commercial partner, as well as from privileged access to the 127 million Japanese consumers. The EU and Japan affirm that, in the digital era, promoting high privacy and personal data protection standards and facilitating international trade must and can go hand in hand.
Paloma Bru, Paula Fernández-Longoria and Teresa Castro Levya are Madrid-based data protection law experts at Pinsent Masons, the law firm behind Out-Law.com.