On 23 January 2019, the European Commission (the Commission) adopted its adequacy decision on Japan, allowing for the free flow of personal data between the European Union (EU) and Japan. It is the last step in a procedure following a number of discussions and the recognition of each other's data protection systems.

As a result of this decision, the EU and Japan will now enjoy equivalent protection of their personal data when transferred, allowing individuals and companies to benefit from safe data flows. According to EU sources, the adequacy decision has created the world's largest area of safe data flows.

Background to the Decision

The commitment to safe data flows between the two economies came in July 2017, when, in a joint statement, the President of the Commission, Jean-Claude Juncker, and the Prime Minister of Japan, Shinzo Abe, recognised "the importance of ensuring a high level of privacy and security of personal data as a fundamental right and as a central factor of consumer trust in the digital economy."

The development also takes its place as part of the wider EU strategy to promote international data protection standards following the reform of EU data protection legislation that came into effect in May 2018 in the form of the General Data Protection Regulation (GDPR).

Rights of Individuals

The GDPR provides a range of rights for individuals:

  • The right to be informed about the collection and use of their personal data, as well as the purpose of its collection, the retention periods and how it will be shared.
  • The right of access to their personal data, on request made verbally or in writing.
  • The right to rectification of any incorrect or incomplete data by request.
  • The right to erasure which allows individuals to request erasure of their personal data, also known as the right to be forgotten.
  • The right to restrict processing of personal data so that, while allowing the storage of the data, it prevents the use of it.
  • The right to data portability, allowing individuals to move, copy or transfer their personal data across services without any effect on its function.
  • The right to object to the processing of personal data allowing individuals to stop the processing of their personal data.
  • Rights in relation to automated decision making and profiling that apply to any automated individual decision-making (without human involvement) or profiling (automated processing and evaluation of an individual's data).

International Transfers under the GDPR

The GDPR places restrictions on transfers of personal data outside of the European Economic Area (EEA) unless the rights in respect of personal data are protected in another way.

Where the transfer is to a country outside the EEA but an adequacy decision is in place, then personal data is free to be transferred between the two countries.

If the transfer is not covered by an adequacy decision then it will need to be covered by appropriate safeguards as outlined at Article 46 of the GDPR.

Key Aspects of the Adequacy Decision

The EU-Japan adequacy decision essentially bridges differences between the two data protection systems:

  • The treatment of data – Whenever the data travels from the EU to Japan, the same guarantees as those under EU law will apply. This includes the guarantee that:
    • The processing of data is limited to the purpose for which it was legally transferred, unless EU citizens give their consent for another purpose, and the processing must be completed under appropriate security and protection measures;
    • Data is kept accurate and up to date with additional safeguards for particularly sensitive data and is kept no longer than is necessary for the purpose for which it was transferred; and
    • Data is never further transferred to individuals or entities which do not guarantee an adequate level of protection, unless the consent of EU citizens is obtained.
  • The provision of 'Supplementary Rules' – The rules will be additional safeguards to bridge several differences between the two data protection systems. They will serve to strengthen the protection of sensitive data; facilitate the exercise of individual rights relating to protection of personal data; and govern the conditions under which EU data can be further transferred from Japan to another third country.
  • Enforcement and national security – The Japanese Government has given assurances to the Commission ensuring that the use of data for criminal law enforcement and national security purposes would be limited to what is necessary and proportionate subject to independent oversight and effective redress mechanisms.

Enforcement and redress

Just as data is protected by various enforcement mechanisms and complaints procedures in the EU, the adequacy decision provides for the safeguarding of personal data and the enforcement of rights relating to it.

In Japan, the body responsible for the protection of data is an independent data protection authority, the Personal Information Protection Commission (PPC). The PPC was established to ensure the smooth transfer of data between the EU and Japan.

As part of the Decision, the PPC will administer and supervise a complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities.

The PPC also has the ability to investigate the processing of data by Japanese businesses and can issue binding decisions on the handling of data wherever it finds irregularities.

Effect of the Decision on Businesses

One of the most significant outcomes of the EU-Japan adequacy decision is the facilitation of the transfer of personal data between the two economies with high privacy standards.

This arrangement to establish a mutual data privacy framework complements the EU-Japan Economic Partnership Agreement, which entered into force on 1 February 2019, allowing European companies to benefit from data flows with a "key commercial partner" as well as access to 127 million Japanese consumers.

This development highlights the importance for businesses and countries of establishing robust data privacy and security systems, not only to maintain consumer trust but also to be able to establish strategic commercial partnerships in an increasingly data-driven economy.
