Barriers to transfer of personal data between businesses in Japan and in the EU have come down: on 23 January 2019, the Framework for Mutual and Smooth Transfer of Personal Data between Japan and the EU (the ‘Framework’) was implemented.
With the implementation of the Framework, the European Commission has adopted an ‘adequacy decision’ under the EU’s data protection rules (the GDPR) accepting that the data protection regime in Japan offers equivalent protection to that available in the EU. As a result, all transfers of data from the EU to Japan will be protected by the same guarantees that apply under the GDPR.
In parallel, the Japanese data protection authority, the Personal Information Protection Commission (PPC), took a decision under the Act on the Protection of Personal Information (‘APPI’) regarding data protection standards in the EU. Under the APPI, transfers of personal information outside of Japan require the transferor of the information to obtain the consent of the data subject. This is subject to exceptions, one of which is that the jurisdiction of the party receiving the information is deemed by the PPC to have personal information protections equivalent to the APPI. On 23 January, the PPC designated the EU as a jurisdiction falling under this exception (the ‘EU Designation’).
This is the first time the PPC has made such a designation. It is also the first time the EU has taken an adequacy decision under the GDPR. According to the EU Justice Commissioner, Vera Jourova, ‘This creates the world’s largest area of safe data flows. Our companies will also benefit from a privileged access to a 127 million consumers’ market.’ For global business operators, this means that operational efficiency may be improved, costs reduced and new business models potentially created. All of these factors may also eventually benefit consumers.
In preparation for the decision, the European Commission and the PPC negotiated a set of Supplementary Rules designed to bridge differences between the two data protection regimes. Japan has adopted additional safeguards to guarantee equivalent standards. These safeguards facilitate individual data subjects’ exercise of their rights and offer higher standards of protection when data is transferred from Japan to a third country. The protection of ‘sensitive information’ (such as information on health, on race or on sexual orientation) is strengthened. The safeguards will be binding on Japanese companies importing data from the EU and enforceable by the PPC.
In addition, Japan has agreed to establish a system of complaint handling and resolution, supervised by the PPC. It will provide guarantees that any use of personal data for law enforcement and national security purposes will be limited to what is necessary and proportionate and that effective mechanisms will be put in place to ensure that there is recourse and redress if these principles are not respected.
In order to rely on the PPC’s EU Designation, the party receiving personal information from Japan must be located in one of the 31 member states of the EEA and must comply with the provisions of the GDPR.
The decision will be reviewed jointly by Japan and the EU two years after its entry into force and periodically after that. It may also be reviewed on an ad hoc basis at any time.