The declared intention of an EU-Japan mutual adequacy recognition still seems far away. Notwithstanding an agreement in principle, as demonstrated by a joint statement this July by the Personal Information Protection Commission of Japan and the European Commission, and almost two years of intensive discussions between the parties, the European Union is still deliberating whether to recognize Japan’s personal data protection systems as “essentially equivalent” with the EU General Data Protection Regulation. This would be the first adequacy finding for a non-EU country after the adoption of the GDPR.

Meanwhile, the EU’s negotiations with South Korea, which started at the same time as those with Japan, currently seem to face a stalemate-like situation.

The road to the agreement in principle with Japan in July has been long enough already. The Act on the Protection of Personal Information, at the time the big game changer as Japan’s first comprehensive data protection law, entered into force in 2005. This law covered most Japanese private businesses, requiring that they adopt a privacy policy, handle personal information in a secure manner and respond to data subjects’ requests, such as for the disclosure, erasure or cessation of use of their personal data. However, the APPI was not considered adequate protection by the EU. Not least for the purpose of addressing criticism from the EU, the APPI was then thoroughly modernized, and an amended law came into force on May 30, 2017.

This amended APPI took into account the GDPR, which was still in draft form, and added new concepts to Japanese law such as “sensitive personal information” and “anonymized information.” It also addressed the most vigorous criticism against the 2005 APPI by creating the PPC as a central and independent supervisory authority, replacing the sectoral competence of various Japanese ministries. In a fashion similar to the GDPR, Article 24 of the amended APPI restricts trans-border data transfers to a foreign country unless that country is whitelisted under the enforcement rules of the APPI or the third-party data recipient has established similarly adequate standards for privacy protection as specified in the enforcement rules of the APPI. As of today, no whitelisted countries have been designated; the current negotiation between the European Union and Japan aims to first put EU countries on such a whitelist.

Discussions between the European Union and Japan started in January 2017 and reached an agreement in principle in July 2017; not accidentally, at the same time as top politicians reached consensus on a landmark Japan-EU Economic Partnership Agreement. On September 5, 2018, the European Commission released a draft adequacy decision, which is still under scrutiny.

The idea of the Commission’s draft adequacy decision is to address relevant differences between Japanese and EU data protection laws through the PPC’s issuance of draft supplementary rules, which will bind Japanese companies with respect to their processing of personal data transferred from the EU.

Delivering their opinions on the Commission’s draft adequacy decision this November and early December, the European Parliament’s LIBE Committee, the European Data Protection Board and MEPs at the European Parliament each welcomed the draft adequacy decision as it “would further facilitate commercial exchanges between Japan and the EU.” However, each expressed sweeping concerns and demanded “further clarifications to ensure safe data transfers to Japan.”

Does this mean that the European Commission must renegotiate the “supplementary rules” with Japan, or even require further amendments in the APPI itself? This is yet to be seen, but certainly the Commission needs to do something to address these concerns from MEPs and the EDPB. No doubt, a finalization of the adequacy decision by the end of 2018 is rather unlikely.

Reading through the draft adequacy decision, the supplementary rules, and especially the EDPB’s demanding and detailed requirements for essential alignment of the Japanese data protection system with the GDPR, it seems clear that, whether the supplementary rules or a potentially more complicated amended version of them are adopted, the prescription is the same. Japanese companies remain best advised to continue managing personal data collected from EU residents separately, as well as maintaining records, conducting data protection impact assessments and attending to data subject requests regarding EU residents as required by the GDPR.

And what does all this mean for Japanese companies doing their homework in complying with the GDPR? Actually, in practical terms, perhaps not that much. Even upon issuance of the adequacy decision, the only ease in data protection administrative practice will be that companies in Japan will not need to justify the transfer of personal data from the EU anymore. In practical terms, this means that entering into EU Model Clauses or BCRs will not be necessary – however, prudent Japanese companies already have these in place. 

Alternatively, Japanese companies may endeavor to adapt all their privacy management practices to the exact requirements of the GDPR, regardless of the location of the data subjects whose data they process. Practical implementation could be challenging though, taking into account the bewildering complexities and constant changes in data management legislation in other regions, such as China or the U.S.
