Japan and the European Union recently announced an agreement to recognize each other's data protection regimes as adequate. Once implemented, the agreement will permit the free flow of personal data between the two jurisdictions.

On July 17, 2018, Japan and the EU agreed to recognize each other's data protection regimes as providing adequate protections for personal data. Once finalized, these "reciprocal adequacy" decisions will allow personal data to flow between Japan and the EU without being subject to additional safeguards. The mutual adequacy finding will enhance the benefits of the Japan-EU Economic Partnership Agreement (EPA), a free trade deal that was announced at the same time.

The European Commission is expected to formally adopt its adequacy decision on Japan in the fall of 2018. In connection with the decision, Japan agreed to implement additional safeguards to align with the EU's standards. Such additional safeguards have not yet been finalized, but will likely include stricter guidelines for the retransfer of personal data that originated from the European Economic Area (EEA) to a third country and additional limitations on the use of sensitive data. Japan also agreed to implement a new mechanism to allow EEA residents to file complaints with Japan's data protection authority if public authorities in Japan unlawfully access their data.

While the discussions between Japan and the EU were ongoing, Japan's Personal Information Protection Commission (PPC) announced draft guidelines regarding the processing of personal data transferred from the EEA following the adequacy recognition.[6] The draft guidelines were published for public comment in April 2018 and have not yet been finalized. According to the draft guidelines, five major substantive changes will be implemented with respect to the current Japanese regulations, as summarized in the chart below. The guidelines, once finalized, will apply only to personal data transferred from the EEA under the adequacy recognition.

Key Takeaways

Today, some companies that transfer personal data from the EEA to Japan do so pursuant to standard contractual clauses (SCCs) published by the European Commission. Japanese companies using SCCs might assume they can readily terminate these agreements once the adequacy decision is formally adopted. However, companies should keep in mind that the adequacy decision only applies to EEA-Japan transfers, and SCCs between the EU and other jurisdictions will need to remain in place. Companies should also keep in mind that the EU is likely to issue an updated version of the SCCs that complies with GDPR requirements and that will need to replace current SCCs.

Footnotes

6 "Guidelines on the Law Concerning the Protection of Personal Information (Handling of Personal Data Transferred by Sufficiency Certification from within the EU)" can be found here. (Japanese only)

Privacy & Cybersecurity Update - August 2018
