On 23 January 2019, the EU Commission adopted a decision confirming the adequacy of Japanese data protection laws for the purpose of transferring personal data from the EU to Japan in compliance with the international data transfer restrictions set out in Chapter V of the GDPR.
International data transfer restrictions under the GDPR
Chapter V of the General Data Protection Regulation (“GDPR“) protects the personal data of individuals, including by restricting the transfer of personal data outside of the EEA unless certain protections are in place.
One of the circumstances where international transfers are permitted under the GDPR is where the EU Commission has passed an “adequacy decision” in relation to the country to which the personal data is to be transferred. Such an adequacy decision essentially confirms that the third country has laws in place which provide a level of protection for personal data essentially equivalent to that provided under the GDPR.
The Japan adequacy decision
As described in our previous blog post, available here, on 17 July 2018, the EU Commission (“Commission”) and Japan concluded the negotiations on the reciprocal finding of an adequate level of data protection by both sides. The adequacy decision, published on 23 January 2019, is the final step in this adequacy procedure and, together with the equivalent decision on the Japanese side, it will ensure the free flow of personal data between the EU and Japan.
In the time between the announcement in July 2018 and the adequacy decision published on 23 January 2019, Japan adopted certain additional measures in order to ensure an adequate level of protection for personal data transferred from the EU. For example, Japan put in place binding supplementary rules to bridge the differences between the GDPR and Japanese data protection law. It also provided assurances to the EU that Japanese public authorities would have access to personal data received from the EEA for criminal law enforcement and national security purposes only where it is “necessary, appropriate and subject to independent oversight and effective redress mechanisms“. Finally, Japan has also incorporated a mechanism administered by its independent data protection authority to investigate and resolve complaints regarding access to EEA personal data by Japanese public authorities.
The adequacy decision will be subject to periodic review. A joint review of all aspects of the adequacy decision including the additional measures adopted by Japan will take place after two years. Successive reviews will take place once every four years.
At the same time as the EU adequacy decision, the Personal Information Protection Commission (“PPC“) in Japan has also recognised the EU’s data protection regime as being equivalent to the Japanese system. This mutual recognition has resulted in what is reported to be the “world’s largest area of safe data flows”.