News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Japan's long road for adequacy under the GDPR Related reading: EDPB releases opinion on EC's draft for Japan's adequacy

rss_feed

""

The declared intention of an EU-Japan mutual adequacy recognition still seems far away. Notwithstanding an agreement in principle, as demonstrated by a joint statement this July by the Personal Information Protection Commission of Japan and the European Commission, and almost two years of intensive discussions between the parties, the European Union is still deliberating whether to recognize Japan’s personal data protection systems as “essentially equivalent” with the EU General Data Protection Regulation. This would be the first adequacy finding for a non-EU country after the adoption of the GDPR.

Meanwhile, the EU’s negotiations with South Korea, which started the same time as with Japan, currently seems to face a stalemate-like situation

The road to the principal agreement with Japan in July has been long enough already. The Act on the Protection of Personal Information, at its time the big game changer as Japan’s first comprehensive data protection law, entered into force in 2005. This law covered most Japanese private businesses, requiring they adopt a privacy policy, handle personal information in a secure manner and respond to data subjects such as on requests for the disclosure, erasure or cease of use of their personal data. However, the APPI was not considered adequate protection by the EU. Not least for the purpose of addressing criticism from the EU, the APPI was then thoroughly modernized, and an amended law came into force on May 30, 2017. 

This amended APPI took into account the GDPR, which was still in draft form, and added new concepts to Japanese law such as “sensitive personal information” and “anonymized information.” It also addressed the most vigorous criticism against the 2005 APPI by creating the PPC as a central and independent supervisory authority and replaced the sectorial competence of various Japanese ministries. In a fashion similar to the GDPR, Article 24 of the amended APPI restricts trans-border data transfers to countries, unless the foreign country is whitelisted under the enforcement rules of the APPI or the third-party data recipient has established similarly adequate standards for privacy protection as specified in the enforcement rules of the APPI. As of today, no whitelisted countries have been designated; the current negotiation between the European Union and Japan aims to first put EU countries on such a whitelist.

Discussions between the European Union and Japan started in January 2017, which then reached a principal agreement in July 2017; not accidentally, the same time as top politicians reached consensus on a landmark Japan-EU Economic Partnership Agreement. On September 5, 2018, the European Commission released a draft adequacy decision which is now still under scrutiny.

The idea of the Commission’s draft adequacy decision is to address relevant differences between Japanese and EU data protection laws by the PPC’s issuance of a draft supplementary rules, which will bind Japanese companies with respect to their processing of personal data transferred from the EU.  

Delivering their opinions on the Commission’s draft adequacy decision this November and early December, the European Parliament’s LIBE Committee, the European Data Protection Board and MEPs at the European Parliament each welcomed the draft adequacy decision as it “would further facilitate commercial exchanges between Japan and the EU," however, each expressed sweeping concerns and demanded “further clarifications to ensure safe data transfers to Japan.”

Does this mean that the European Commission must renegotiate the “supplementary rules” with Japan, or even require further amendments in the APPI itself? This is yet to be seen, but certainly the Commission needs to do something to address these concerns from MEPs and the EDPB. No doubt, a finalization of the adequacy decision by the end of 2018 is rather unlikely.

Reading through the draft adequacy decision, the supplementary rules, and especially the EDPB’s demanding detailed requirements on the need of essential alignment of the Japanese data protection system with the GDPR, it seems clear that no matter whether the supplementary rules, or their potentially further complicated amended version will be adopted, the prescription is the same. Japanese companies remain best advised to continue managing personal data collected from EU residents separately, as well as maintaining records, conducting data protection impact assessments and attending to data subject requests regarding EU residents as required by the GDPR. 

And what does all this mean for Japanese companies doing their homework in complying with the GDPR? Actually, in practical terms, perhaps not that much. Even upon issuance of the adequacy decision, the only ease in data protection administrative practice will be that companies in Japan will not need to justify the transfer of personal data from the EU anymore. In practical terms, this means that entering into EU Model Clauses or BCRs will not be necessary – however, prudent Japanese companies already have these in place. 

Alternatively, Japanese companies may endeavor to adapt all their privacy management practices to the exact requirements of the GDPR, regardless of the location of the data subjects whose data they process. Practical implementation could be challenging though, taking into account the bewildering complexities and constant changes in data management legislation in other regions, such as China or the U.S.

photo credit: MaximeF Sajama via photopin (license)

Author
Headshot Gabor Gerencser Nonmember Contributor
Tags
Asia-Pacific
Europe
Privacy Law
Transborder Data Flow
2 Comments

If you want to comment on this post, you need to login.

  • comment John Kropf • Dec 21, 2018 
    Great update.  One of the questions I've struggled with is the description of this as a "mutual adequacy recognition'.  This seems as if it is the first time an adequacy review has been described as "mutual".  International concepts of adequacy and mutual recognition/reciprocity seem antithetical to each other.  Adequacy determinations function on a unilateral basis with the EU deciding yes or no and a country's data protection framework.  Mutual recognition is a two-way, interdependent process: "we'll recognize you if you recognize us."  Based on your report above, it still appears to be a unilateral process.   Any insights on how the Japanese will determine the EU's adequacy?
  • comment Gabor Gerencser • Dec 25, 2018 
    Hi John, thank you for the comment! Indeed, you are correct, strictly in terms of international law (and under both the GDPR and the APPI), the European Union and Japan each decides unilaterally, that is, on their sovereign judgment and pursuant to their own standards, whether to recognize the other as a jurisdiction with ‘adequate’ protection.  Nevertheless, "mutual adequacy recognition” is a convenient and well established journalistic description of the facts on the ground.  I believe what is meant with it is that, undeniably, this is also a political process.  In the current era when data localization laws are enacted for various reasons in one country after the other (Russia, China, Vietnam, Brazil …), there is a clear political intention, at least between the Government of Japan and the European Commission, to create an area where personal data can circulate freely based on shared legal and political values, as well as on economic interests; to this end it is not by chance that the respective ‘adequacy’ decisions are discussed and planned to be finalized in parallel. 

And, on how the Japanese decide about adequacy? Procedurally, pursuant to the APPI, the PPC may establish a white list of countries; meanwhile, as of today, and unlike in the EU, no official guideline has been published in Japan about the material criteria of such an adequacy decision yet.
Related Stories
EU and Japan agree to 'reciprocal adequacy'
In what it is describing as "the world's largest area of safe data flows," the European Commission announced it has reached a "reciprocal adequacy" agreement with Japan. Both sides have "agreed to recognise each other's data protection systems as 'equivalent,' which will allow data to flow safely be...
Read More queue Save This
Adequacy approaches for Japan, South Korea
While the EU General Data Protection Regulation has been getting all the headlines, privacy professionals working globally know that two of the world's most stringent privacy laws reside in Asia, with Japan's new Personal Information Protection Commission and South Korea's Communications Commission ...
Read More queue Save This
Israel, Japan, Canada talk keeping up with the GDPR
It's true. There are privacy laws around the world that emanate from other than the European Union. Yesterday, those Global Privacy Summit attendees who took in "The World Beyond: Global Privacy Priorities Outside the GDPR," heard from regulators from Israel, Japan and Canada as they outlined the nu...
Read More queue Save This
FISA Section 702's Reauthorization Era
For the past several months, news of the reauthorization of and potential amendments to Section 702 of the U.S. Foreign Intelligence Surveillance Act has had policy and privacy professioals on their toes. FISA Section 702, which authorizes limited warrantless surveillance of certain communications, ...
Read More queue Save This
Related Stories
Tags
Asia-Pacific
Europe
Privacy Law
Transborder Data Flow
Recent Comments