On 23 January, the European Commission announced that it had adopted an adequacy decision in relation to Japan, to enter into force immediately. The mutual agreement, which covers Japan’s 127m citizens as well as the whole of the EU, allows personal data to be transferred between Japan and the EU without the need for additional safeguards such as Standard Contractual Clauses, and creates the largest area of safe data transfers in the world.
Its implementation marks the end of a process which began in January 2017 when talks started with both Japan and Korea to facilitate data flows between the EU and those countries while guaranteeing the continued high level of protection of personal data. The talks concluded in July 2018, and the agreement then had to be approved by both parties before it could enter into force.
For the European Commission to grant an adequacy decision, a country’s data protection laws must provide adequate protection for personal data, which means an ‘essentially equivalent’ level as the EU’s GDPR. Countries are not, however, required to have exactly the same laws as the EU in place. To that end, Japan committed to implementing various measures to protect personal data transferred to the country, including a set of rules providing individuals in the EU whose personal data are transferred to Japan with additional safeguards around the processing of sensitive data, the conditions under which EU data can be further transferred from Japan to another third country and rights to access and rectification. A complaint-handling mechanism, administered by the Japanese Personal Information Protection Commission, will resolve complaints from Europeans regarding their access to data by Japanese organisations.
In accordance with EU law, before making its finding, the European Commission had to consider a report from the European Data Protection Board (EDPB) on the level of protection for personal data in Japan. The EDPB identified a number of concerns, including in relation to notice and consent, and the need for further clarification around restrictions on individuals rights and data ‘trustees’ in Japan (similar to processors under EU law). Despite the EDPB’s concerns and its recommendation that further steps were taken before adoption, the adequacy decision was adopted around a month later. This adequacy decision will be reviewed after two years, and then every four years thereafter.
An interesting element of the EDPB report is that they note the decision will be a precedent for future adequacy applications as well as for the review of adequacy decisions made under the original 1995 Data Protection Directive. The Commission decision and EDPB report are likely to become a useful resource in the context of Brexit, given that the UK is likely to make just such an adequacy application in the near future.
The timescale within which the decision related to Japan was made (just over two years) is promising for the adoption an adequacy decision within the two-year transition period of the Withdrawal Agreement. That would help to minimise disruption within the UK following Brexit. However, both the European Commission and the EDPB have been particularly concerned about government access to data, and the EDPB’s report on the adequacy of Japan’s laws noted concerns about whether the Japanese government’s procedures for the collection of personal data were genuinely necessary and proportionate. Given the recent Big Brother Watch decision in the ECtHR, it is likely that the UK’s investigatory powers regime will be very closely scrutinised by the EU before any decision is made to allow the UK to be part again of the newly created EU-Japan free movement of data area.