On 23 January 2019, the European Commission adopted its decision finding that the level of data protection in the EU and Japan are equivalent. In parallel, Japan adopted its equivalent decision. It is the first time ever that such reciprocal adequacy decisions are adopted. These adequacy decisions create the world’s largest data area of safe data flows and will boost commercial opportunities for European and Japanese companies by facilitating the transfer of their data. Both decisions are applicable as of 23 January 2019.
Before the Commission adopted its adequacy decision, Japan put in place additional safeguards to guarantee that data transferred from the EU enjoy protection guarantees in line with European standards. These safeguards include:
- On 15 June 2018, Japan adopted a set of rules (Supplementary Rules) that enhance the protection of personal information transferred from the EU to Japan. The Supplementary Rules bridge several differences between the two data protection systems and provide with additional safeguards. In particular, Japan agreed to extend the Japanese definition of sensitive data; to facilitate the exercise of individual rights; further transfers of Europeans’ data from Japan to another third country (onward transfers) are subject to a higher level of protection. These Supplementary Rules are binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority (PPC) and courts.
- The Japanese government also gave assurances to the Commission regarding safeguards concerning the access of Japanese public authorities for criminal law enforcement and national security purposes, ensuring that any such use of personal data would be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms.
- Japan also agreed to establish a system of handling and resolution of complaints, under the supervision of the Japanese data protection authority (the Personal Information Protection Commission), to ensure that potential complaints from Europeans as regards access to their data by Japanese law enforcement and national security authorities will be effectively investigated and resolved.
In practice, with the adoption of the adequacy decisions, EU and Japanese businesses are now able to transfer data between them without being required to provide further safeguards or being subject to additional conditions. That means that the requirements of Article 46 of GDPR imposing additional measures to be taken providing appropriate safeguards for international data transfer ceases to apply to data transfer between the EU and Japanese companies. Transfer of data between EU and Japan are assimilated to intra-EEA transfer of data. The reciprocal adequacy decisions therefore allow companies to freely exchange personal data of their employees and customers without having to engage in burdensome paper work.
Please note though:
- The adequacy decisions only apply to the transfer of data between EU and Japan, which means that global companies might still need to implement an Intra-Group Data Transfer Agreement (IGDTA) in order to cover the transfer of data to countries other than EEA countries and Japan. Moreover, the obligation for a company to conclude a data processing agreement with its processor(s) as prescribed by Article 28 of GDPR is not removed.
- The scope of the EU adequacy decision is limited to business operators in Japan subject to the Act on the Protection of Personal Information as completed by the Supplementary Rules. This means that transfers of personal data between public authorities and bodies are excluded from the scope of the adequacy decision.
The EU adequacy decision constitutes the first adequacy decision since the entering into force of the GDPR. It will therefore constitute a precedent for future adequacy applications and for the review of the adequacy decisions rendered under Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
For further information, please contact Patrick van Eecke (Partner, Belgium) or Anne-Gabrielle Haie (Lawyer, Belgium).