The European Commission is gearing up to propose a so-called adequacy decision with Japan to allow the free flow of data between Japan and the EU — possibly as early as January or February 2018.
To assess how ready Tokyo is to meet the demands of the EU’s data protection regime, the European Parliament’s civil liberties, justice and home affairs (LIBE) committee sent a delegation to Japan from Oct. 30 to Nov. 3.
The group was led by Committee Chair Claude Moraes, who told The Privacy Advisor that he was impressed with the thoroughness of their hosts.
“It was very constructive. We don’t normally get to meet the government representatives. But they are particularly focused on this issue because it is the next building block for the trade agreement. The representatives really did understand the importance of the European Parliament and what we can do in terms of negotiations. It was particularly good that Jan [Albrecht, rapporteur for the General Data Protection Regulation] was there, because the Japanese wanted to know how EU companies are preparing for GDPR,” explained Moraes.
As well as Moraes and Albrecht, the delegation included MEPs Michal Boni, Barbara Kudrycka, Nathalie Griesbeck and Daniel Dalton.
The aim was to provide the MEPs with appropriate information on the current Japanese data protection legal framework and enforcement, and how it differs from the EU regime, so that Parliament is in a position to properly exercise its scrutiny powers over the Commission’s adequacy decision. Under EU rules, the Commission, assisted by a special committee representing the EU countries, assesses a data protection system of a third country and then, if all the conditions are met, declares its adequacy. The Parliament is officially informed and may check the decision in order to verify if the Commission did its work properly and did not exceed its mandate. If the Parliament finds the Commission acted wrongly, the decision must be reviewed.
During the visit, the MEPs held meetings with the Personal Information Protection Commissioners, including Haruhi Kumazawa, Mieko Tanno as well as the PCC Secretary General Mari Sonoda. They also spoke to members of the Japanese Parliament, members of industry and academics. Following the visit, The Privacy Advisor spoke with Moraes to hear a few more details about the trip.
The Privacy Advisor: Are Japan and the EU still on track to deliver a framework for personal data transfers “by early 2018”?
Moraes: We are aware of the discussions between the European Commission and the Japanese authorities and their public endeavour to establish a framework that would provide an adequate level of protection of personal data — or personal information as it is called in Japan. The European Parliament is not involved in these discussions, so is not in a position to say how advanced the discussions are and whether or not the deadline will be met. This is why the Parliament decided to send a delegation, in order to have a clear view of the data protection legal framework in Japan so as to have its own assessment on it.
We have gathered extremely useful first-hand information which will enable us to assess the state of play, and we will report back to the Parliament. I can say that we have been impressed by the profound commitment of Japanese authorities, how seriously they take their duties and tasks.
In my view, whether the level of protection afforded by the Japanese data protection framework is recognized early in 2018 or later is not an important issue. The important issue is to be sure that both sides are convinced that the data protection framework of their counterpart meets all the conditions and requirements set up in national law and to avoid potential problems caused by a hasty declaration. The experience with the U.S. Safe Harbor shows that all the matters need to be assessed carefully and in detail to avoid potential problems in the future.
The Privacy Advisor: So, is there still a chance that it something like the Privacy Shield between the EU and the US will be needed for Japan?
Moraes: As I said, the Parliament has gathered extremely useful information that will now allow it to assess the Japanese data protection framework in the light of European Union law. Whether this adequacy determination will take the form of the Privacy Shield or a different one is up to the Commission to decide. For the time being, the Commission has not provided the Parliament with any information on what the adequacy decision it would adopt would look like. I think it would depend on the assessment that the Commission would carry out.
The Privacy Advisor: Regardless of the framework, will Japan have to apply all rules of the GDPR in order for its trustworthiness to be ensured?
Moraes: The adequate level of protection declared by the European Commission does not mean that this third country has to apply and comply with all the provisions of the GDPR. Not at all. The European Court of Justice in its ruling on the Safe Harbor case has said that an "adequate level of protection" must be understood as requiring the third country in fact to ensure a level of protection of fundamental rights and freedoms that is "essentially equivalent" to that guaranteed within the European Union. In no case this implies that Japan must replicate the EU GDPR in its domestic law.