Last month, European Justice Commissioner Vera Jourová went on an official visit to Asia, with stops in Japan and the Republic of Korea. Her aim? To make concrete progress on data flows as the European bloc looks at how to incorporate data protection into trade deals.
The EU is currently finalising a trade agreement with Japan — a process that began in March 2015. Since then, data protection concerns have gained currency in the EU and efforts are now made to ensure that future trade deals will go hand-in-hand with sufficient protection. For example: Japan’s new data protection law came into effect last June 1. Is it is fully in line with GDPR? Ideally, the European Commission wants to reach an adequacy decision with both countries as soon as possible in 2018. To date, the EU has adequacy agreements with 11 regions, including Argentina, Canada, Israel, New Zealand, Switzerland, and Uruguay.
In this case, however, Japan’s law requires Japan to also find the EU’s data protection regime “adequate.”
From an EU perspective, an adequacy decision means that the EU finds data protection laws in the third country to be essentially equivalent to those in the EU, so personal data can flow between the two without any further safeguard being necessary. Officially: “In others words, transfers to the country in question will be assimilated to intra-EU transmissions of data.” If no adequacy is found, more focused arrangements, like the EU-U.S. Privacy Shield, may still be created.
Commission officials told IAPP that “the negotiations are going at full speed” after Jourová’s visit to both countries where she spoke with Japan’s Justice Minister, Yōko Kamikawa, and Commissioner of the Personal Information Protection, Haruhi Kumazawa, along with Korean Chairman of the Communications Commission Lee Hyo-seong.
However, despite this, a Reuters poll, published on June 20 found Japan, specifically, “woefully unprepared” for GDPR. Do stories like this undermine negotiations?
In a joint statement, Jourová and Kumazawa said that in recent months significant strides had been made in reaching mutual adequacy decisions, including “an agreement on solutions to bridging relevant differences between the two systems such as the Supplementary Rules, to be adopted by the Personal Information Protection Commission (PPC) coupled with the Basic Policy on the Protection of Personal Information (Cabinet decision).”
They added that “the Personal Information Protection Commission and the European Commission will continue to consult each other with a view to finding mutually acceptable solutions whenever there is a need for cooperation with respect to personal data based on the framework for mutual and smooth transfer of personal data between Japan and the EU.”
But according to Reuters, only around a quarter of Japanese businesses have made any progress on meeting “some of the easier” GDPR requirements. A further 20 percent plan to do so.
Last November, European Parliament’s civil liberties, justice and home affairs (LIBE) committee sent a delegation to Japan led by committee chair Claude Moraes, and including Jan Albrecht, GDPR rapporteur. Shortly after that visit Moraes told IAPP that “it was very constructive and particularly good that Jan was there, because the Japanese wanted to know how EU companies are preparing for GDPR.”
Fast forward six months, and it appears lessons have not been taken to heart. The survey, conducted for Reuters by Nikkei Research in June, polled more than 500 large and medium sized firms.
Many of the respondents said they do not believe the rules will apply to them as they do not do business in Europe. Data breach notification within 72 hours seemed to be the biggest difficulty, closely followed by providing customers with access to all the data held on them.
According to another survey carried out in January by PwC, Japanese firms trailed both U.S. and U.K. businesses. Just 19 percent of Japanese firms in Europe had begun GDPR compliance, compared to 39 percent of U.S. companies and 43 percent of British businesses.
Although South Korea’s Personal Information Protection Act has many similarities with the GDPR and the trade deal is already done, Jourová nonetheless also travelled to Seoul, to meet not only Commissioner Hyo-seong, but also Lee Nak-yeon, Prime Minister of South Korea, Foreign Affairs Minister Kang Kyung-wha, Justice Minister Park Sang-ki, Science and ICT Minister Yanghee Choi, and Kim Seok-hwan, President of Korea Internet & Security Agency.
Where do things stand? “They took note of the significant progress made since Korea submitted its request for partial adequacy and agreed that the two parties share very similar values with respect to human rights, with both sides recognising personal data protection as a fundamental right.”
Further meetings are planned in Brussels later in the year to “finalize the adequacy talks.”
Photo credit: Sieboldianus Animated Map of geotagged Flickr photos (Europe), 2007-2017 via photopin (license)