
The Privacy Advisor | Japan's long road for adequacy under the GDPR





The declared intention of an EU-Japan mutual adequacy recognition still seems far away. Notwithstanding an agreement in principle, as demonstrated by a joint statement this July by the Personal Information Protection Commission of Japan and the European Commission, and almost two years of intensive discussions between the parties, the European Union is still deliberating whether to recognize Japan’s personal data protection systems as “essentially equivalent” with the EU General Data Protection Regulation. This would be the first adequacy finding for a non-EU country after the adoption of the GDPR.

Meanwhile, the EU’s negotiations with South Korea, which started at the same time as those with Japan, currently seem to face a stalemate-like situation.

The road to the agreement in principle with Japan in July has been long enough already. The Act on the Protection of Personal Information, at its time the big game changer as Japan’s first comprehensive data protection law, entered into force in 2005. This law covered most Japanese private businesses, requiring that they adopt a privacy policy, handle personal information in a secure manner and respond to data subjects' requests, such as for the disclosure, erasure or cessation of use of their personal data. However, the APPI was not considered adequate protection by the EU. Not least for the purpose of addressing criticism from the EU, the APPI was then thoroughly modernized, and an amended law came into force on May 30, 2017.

This amended APPI took into account the GDPR, which was still in draft form, and added new concepts to Japanese law such as “sensitive personal information” and “anonymized information.” It also addressed the most vigorous criticism against the 2005 APPI by creating the PPC as a central and independent supervisory authority, replacing the sectorial competence of various Japanese ministries. In a fashion similar to the GDPR, Article 24 of the amended APPI restricts trans-border data transfers to foreign countries unless the foreign country is whitelisted under the enforcement rules of the APPI or the third-party data recipient has established similarly adequate standards for privacy protection as specified in the enforcement rules of the APPI. As of today, no whitelisted countries have been designated; the current negotiation between the European Union and Japan aims to first put EU countries on such a whitelist.

Discussions between the European Union and Japan started in January 2017 and reached an agreement in principle in July 2017, not accidentally at the same time as top politicians reached consensus on a landmark Japan-EU Economic Partnership Agreement. On September 5, 2018, the European Commission released a draft adequacy decision, which is still under scrutiny.

The idea of the Commission’s draft adequacy decision is to address relevant differences between Japanese and EU data protection laws through the PPC’s issuance of draft supplementary rules, which will bind Japanese companies with respect to their processing of personal data transferred from the EU.

Delivering their opinions on the Commission’s draft adequacy decision this November and early December, the European Parliament’s LIBE Committee, the European Data Protection Board and MEPs at the European Parliament each welcomed the draft adequacy decision as it “would further facilitate commercial exchanges between Japan and the EU”; however, each expressed sweeping concerns and demanded “further clarifications to ensure safe data transfers to Japan.”

Does this mean that the European Commission must renegotiate the “supplementary rules” with Japan, or even require further amendments in the APPI itself? This is yet to be seen, but certainly the Commission needs to do something to address these concerns from MEPs and the EDPB. No doubt, a finalization of the adequacy decision by the end of 2018 is rather unlikely.

Reading through the draft adequacy decision, the supplementary rules, and especially the EDPB’s detailed and demanding requirements on the need for essential alignment of the Japanese data protection system with the GDPR, it seems clear that whether the supplementary rules or a potentially more complicated amended version is adopted, the prescription is the same. Japanese companies remain best advised to continue managing personal data collected from EU residents separately, as well as maintaining records, conducting data protection impact assessments and attending to data subject requests regarding EU residents as required by the GDPR.

And what does all this mean for Japanese companies doing their homework in complying with the GDPR? Actually, in practical terms, perhaps not that much. Even upon issuance of the adequacy decision, the only ease in data protection administrative practice will be that companies in Japan will not need to justify the transfer of personal data from the EU anymore. In practical terms, this means that entering into EU Model Clauses or BCRs will not be necessary – however, prudent Japanese companies already have these in place. 

Alternatively, Japanese companies may endeavor to adapt all their privacy management practices to the exact requirements of the GDPR, regardless of the location of the data subjects whose data they process. Practical implementation could be challenging though, taking into account the bewildering complexities and constant changes in data management legislation in other regions, such as China or the U.S.


  • John Kropf • Dec 21, 2018
    Great update. One of the questions I've struggled with is the description of this as a "mutual adequacy recognition". This seems as if it is the first time an adequacy review has been described as "mutual". International concepts of adequacy and mutual recognition/reciprocity seem antithetical to each other. Adequacy determinations function on a unilateral basis with the EU deciding yes or no on a country's data protection framework. Mutual recognition is a two-way, interdependent process: "we'll recognize you if you recognize us." Based on your report above, it still appears to be a unilateral process. Any insights on how the Japanese will determine the EU's adequacy?
  • Gabor Gerencser • Dec 25, 2018
    Hi John, thank you for the comment! Indeed, you are correct, strictly in terms of international law (and under both the GDPR and the APPI), the European Union and Japan each decide unilaterally, that is, on their sovereign judgment and pursuant to their own standards, whether to recognize the other as a jurisdiction with ‘adequate’ protection. Nevertheless, “mutual adequacy recognition” is a convenient and well-established journalistic description of the facts on the ground. I believe what is meant by it is that, undeniably, this is also a political process. In the current era when data localization laws are enacted for various reasons in one country after the other (Russia, China, Vietnam, Brazil …), there is a clear political intention, at least between the Government of Japan and the European Commission, to create an area where personal data can circulate freely based on shared legal and political values, as well as on economic interests; to this end it is not by chance that the respective ‘adequacy’ decisions are discussed and planned to be finalized in parallel.
    And, on how the Japanese decide about adequacy? Procedurally, pursuant to the APPI, the PPC may establish a white list of countries; meanwhile, as of today, and unlike in the EU, no official guideline has been published in Japan about the material criteria of such an adequacy decision yet.