Good news : Free flow of personal data from EU to Japan soon possible (LegalNews.be)

Author: LegalNews.be

Date of publication: 25/07/2018

LegalNews.be talked to Patrick Van Eecke (Partner at DLA Piper; Global Co-Chair Data Protection).

On 17 July 2018 the European Union and Japan agreed to recognise each other’s data protection systems as ‘equivalent’ and to adopt reciprocal adequacy decisions. This will allow companies to freely exchange personal data of their employees and customers without having to engage in burdensome paper work.

What is an adequacy decision?

An adequacy decision is a decision establishing that a third country provides a comparable level of protection of personal data to that in the European Union. As a result, personal data can flow from the European Economic Area (EEA) (the 28 EU Member States as well Norway, Liechtenstein and Iceland) to that third country without being subject to any further safeguards or authorisations.

Adequacy decisions are one of the tools provided for under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries.

What does it mean for business?

When the EU declares that a third country offers an adequate level of protection, businesses can transfer data to another company in that third country without the data exporter being required to provide further safeguards or being subject to additional conditions. That means that the requirements of Article 46 of GDPR imposing additional measures to be taken providing a legal ground and appropriate safeguards for such data transfer (such as the use of a Data Transfer Agreement, the conclusion of Binding Corporate Rules or the use of the European Commission’s standard data protection clauses) will cease to apply to data transfers between the EU and Japanese companies. The transfer of data between EU and Japan will be comparable to a transmission of data within the EU.

However, please note that such an adequacy decision will only apply to the transfer of data between the EU and Japan, which means that global companies might still need to implement an Intra-Group Data Transfer Agreement (IGDTA) in order to cover the transfer of data to countries other than EU Member States and Japan. Moreover, it does not remove the obligation for a company to conclude a data processing agreement with its processor(s) as prescribed by Article 28 of GDPR.

What will be the scope of the future adequacy decisions?

The future adequacy decisions will cover personal data exchanged for commercial purposes as well as personal data exchanged for law enforcement purposes between EU and Japanese authorities. In particular, the EU’s adequacy decision will concern the protections provided under the Japanese Act on the Protection of Personal Information (APPI) and will thus apply to all transfers of personal data to business operators in Japan.

To align with European standards, Japan has committed to implementing the following additional safeguards to protect EU citizens’ personal data, before the Commission formally adopts its adequacy decision:

– A set of rules providing individuals in the EU whose personal data are transferred to Japan, with additional safeguards that will bridge several differences between the two data protection systems. These additional safeguards will strengthen, for example, the protection of sensitive data; the conditions under which EU data can be further transferred from Japan to another third country; and the exercise of individual rights to access and rectification. These rules will be binding for Japanese companies importing data from the EU, and enforceable by the Japanese independent data protection authority (PPC) and courts.

– A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the Japanese independent data protection authority (PPC).

When will the adequacy decision become applicable?

The European Commission will shortly launch the process leading to the adoption of the adequacy decision under the General Data Protection Regulation. This includes obtaining an opinion from the European Data Protection Board, which brings together all of the national data protection authorities, and the green light from a committee comprised of representatives of the EU Member States. Once this procedure has been completed, the Commission will adopt the adequacy decision. The adequacy decision is therefore expected to be adopted in the last quarter of 2018 and should be applicable shortly after its adoption.

Japan will also launch its relevant internal procedure for the adoption of its adequacy decision.