(Some) personal data can flow freely from the EU to Japan under the Japan-EU adequacy decision
On 23 January 2019 the European Commission adopted its implementing decision declaring that Japan’s Act on the Protection of Personal Information (APPI) provides adequate protection of personal data in the sense of Article 45 of the GDPR (hereafter the Japan Adequacy Decision). This decision became immediately applicable.
The Japan Adequacy Decision complements the EU-Japan Economic Partnership Agreement and the EU-Japan Strategic Partnership Agreement (coming into force in February 2019), which aim at creating an open trading zone covering 635 million people and almost one third of the world’s total GDP. These agreements are expected to boost the transfer of data between the EU and Japan, while ensuring the protection of individuals whose personal data are transferred between the EU and Japan.
As a matter of principle, entities to which the GDPR is applicable are not allowed to transfer the personal data under their care outside the European Economic Area (EEA), unless additional guarantees are given that the data subjects are adequately protected. Prior to the Japan Adequacy Decision, the European Commission had already declared the data protection adequate in countries such as Argentina, Canada (commercial organisations), Israel, Switzerland, Uruguay and the USA (subject to the Privacy Shield framework). Japan is the latest addition to this list.
Controllers or processors subject to the GDPR can now freely transfer personal data to Japan, within the limits of the Japan Adequacy Decision, without having to provide additional contractual guarantees (such as the standard contractual clauses).
The protection of personal information has a basis in the Japanese constitution, in the 2003 Act on the Protection of Personal Information (the Act) and in several enforcement rules, including the PPC’s guidelines and the supplementary rules adopted by Japan’s independent supervisory authority, the PPC, for handling personal data transferred from the EU.
The Japanese data protection rules apply to the « handling » of « personal information » of a « principal », notions sufficiently broad to correspond to the « processing » of « personal data » of a « data subject ». By contrast, the Japanese Act on the Protection of Personal Information (or APPI) is only applicable to « business operators » (i.e. persons providing a personal information database etc. for use in business, in the sense of a socially recognised enterprise, whether or not for profit). The Act, and consequently the Japan Adequacy Decision, do not apply to government or administrative agencies.
Moreover, the Act provides for certain sectoral exclusions, based on the type of business operator and the purpose of the processing:
- broadcasting institutions, newspaper publishers, communication agencies or other press organisations (including any individuals carrying out press activities as their business) to the extent they process personal information for press purposes;
- persons engaged in professional writing, to the extent this involves personal information;
- universities and any other organisations or groups aimed at academic studies, or any person belonging to such an organisation, to the extent they process personal information for the purpose of academic studies;
- religious bodies to the extent they process personal information for purposes of religious activity (including all related activities); and
- political bodies to the extent they process personal information for the purposes of their political activity (including all related activities).
Considering that these actors are not bound by the provisions of the Act, the Japan Adequacy Decision does not apply to these entities either (art. 1(2) of the Decision). This means that data transfers to such entities cannot be done on the basis of the Japan Adequacy Decision and need to be covered by additional guarantees.
As in the GDPR, the protection of personal information is based on the principles of purpose limitation, lawfulness and fairness. For data coming from the EU, the processing should be based on one of the legal grounds permitted in the GDPR, which are binding upon the Japanese business operator (who should only extend the processing with the data subject’s consent). The Japanese personal information protection rules are furthermore found to be compliant with the GDPR’s requirements regarding data processing principles.
Importantly, the onward transfer of personal data originating in the EU to recipients outside of Japan is restricted. Such international transfers from Japan to a third country can only take place if the data subject consents, if the Japanese supervisory authority has taken some sort of adequacy decision or if additional safeguards are given (e.g. through standard contractual clauses or binding corporate rules).
Like the GDPR, the Act grants individuals enforceable rights, such as the right to disclosure (access), rectification, erasure and cessation of utilisation (object), correction, discontinuation of the use and deletion of the data, subject to certain restrictions. The Act does not provide for general rules on profiling or automated decision making, but such rules can be found in sector-specific regulations (e.g. on the financial sector).
Enforcement of the data protection rules is ensured by an independent supervisory authority, the PPC, which can request documents or perform (on-site) inspections. It may also give guidance to business owners, issue recommendations and impose orders (non-compliance with such orders can be punished by fines or even imprisonment). In addition, an individual can seek administrative or judicial redress under Japanese law.
The Commission also examined whether the potential interference by the Japanese authorities for purposes of public interest (criminal law enforcement, national security) was proportionate, and it concluded that sufficient legal protection against such interference exists.
On this basis, the European Commission decided that the level of protection of personal data (originating in the EU) organised in the Japanese Act, complemented by the supplementary rules issued by the Japanese supervisory authority PPC, is essentially equivalent to the protection of the GDPR (except for the exclusions from the material scope).
Following the CJEU decision in Schrems, the Commission will monitor the evolution of the legislation in Japan and will carry out periodic checks on whether the adequacy decision is still « factually and legally justified ». Should this not be the case, the Commission will inform the Japanese authorities and, if necessary, suspend, amend or repeal its Japan Adequacy Decision.
What can we do for you?
DALDEWOLF’s IP/IT team assists international and local clients with their compliance with the GDPR and European data protection requirements, whether through a general compliance programme, ad hoc assistance or representation in administrative or judicial proceedings.