1. The draft adequacy decision
The mutual adequacy agreement between Japan and the EU promises to create, in the words of European Commissioner Věra Jourová, “the world’s largest area of safe data flows”. Currently pending implementation, the agreement aims to enable free data flows between the two territories, without the need for the additional legal safeguards which organisations are presently required to put in place.
a. The adequacy framework
Under long-standing EU rules, retained and reinforced by the GDPR, transfers of personal data to “third countries” outside the European Economic Area are prohibited unless certain conditions are met. One of these is that the country where the recipient is located is recognized by the Commission as providing an “adequate level of protection” of personal data.
Beside Japan, only 10 countries benefit from full adequacy rulings (Andorra, Argentina, Faroe Isles, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay), while the United States and Canada are subject to partial adequacy decisions covering US companies adhering to the “Privacy Shield” scheme and private sector actors in Canada.
b. The Japan-EU decision : Calendar and contents
Japan and the EU announced that they had reached a “reciprocal” agreement, under which each side recognised the adequacy of the other’s data protection regime, on 17 of July 2018. That decision is now subject to adoption procedures in both the EU and Japan. On the EU side, this involves a review by the European Data Protection Board (EDPB), the EU’s data protection supervisory body (previously known as the Article 29 Working Party). On 26 September 2018, the EDPB announced in a press release that it would “thoroughly review” the draft decision before providing an opinion. Prior to definitive adoption by the Commission, the adequacy decision will also require approval by a committee composed of representatives of EU Member States.
The draft adequacy decision, published on the European Commission’s website, stresses that the data protection regimes in the two territories are not required to be “identical” in order to ensure the required high level of protection. Instead, it concludes that Japan’s legal data protection framework under its Act on the Protection of Personal Information (“APPI”), broadly ensures an adequate level of protection of personal data transferred to organisations falling within its scope. Nevertheless, the draft decision does identify certain points of divergence between the GDPR and the APPI, on which the EU requires additional data protection assurances.
The draft decision further recognises that these divergences have been addressed by Japan in “Supplementary Rules” which will apply specifically to the processing of personal data transferred from the EU.
The affected areas include, in particular :
– Onward transfer to third countries: The Supplementary Rules raise the levels of protection required for onward transfers of EU personal data from Japan to other non-EU “third countries”.
– “Sensitive” personal data: The Supplementary Rules extend the categories of “sensitive” personal data requiring additional safeguards in Japanese law to include additional types of information mentioned in the GDPR (sex life, sexual orientation and trade-union membership).
– Purpose limitation: The GDPR principle of “purpose limitation” requires that personal data collected for a specified purpose should not subsequently be used for a reason incompatible with that purpose. Under the Supplementary Rules, this principle will apply in Japan to personal data originating in the EU.
– Data subjects’ right to access their personal data: Under the APPI, personal information which organisations intend to hold for less than six months is exempt from certain individual rights, including the right to require access to that data. There is no such exemption under the GDPR and accordingly the Supplementary Rules remove the exemption as regards personal data transferred from the EU.
– Anonymity: The APPI and GDPR definitions of “anonymous” processing differ in that the GDPR requires anonymity to be irreversible, whereas the APPI allows business operators the possibility of reversing the anonymisation process. To address this, the Supplementary Rules require businesses wishing to handle EU personal data anonymously to “destroy the key” permitting re-identification.
Japanese companies which rely on the adequacy decision to import personal data from the EU must therefore be vigilant in complying with these Supplementary Rules when they process such data. In a sense, then, certain principles of the GDPR can be said to have been transposed into Japanese domestic law.
c. Pre-existing data transfer measures
Many businesses will already have legal safeguards in place to frame their existing data transfers from the EU to Japan. These measures, required where there is no adequacy decision, may in particular include contractual agreements on data protection standards based on the European Commission’s model clauses, or “binding corporate rules” (BCRs) enabling personal data transfers between entities of the same multinational group.
Although the planned adequacy decision effectively removes the need for such safeguards for future transfers, existing measures of this kind still have contractual force. Companies could therefore consider terminating any legacy model clause agreements which become redundant as a result of the adequacy decision. Meanwhile, BCRs remain a useful legal vehicle for onward transfers of personal data originating in the EU.
2. Japanese businesses operating in the EU
Despite the adequacy decision, Japanese businesses which process the personal data of EU residents need to be aware of their specific GDPR compliance obligations.
a. Territoriality rules
The GDPR’s territoriality rules under Article 3(2) state that the regulation applies to “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union”, where the processing relates to an offer of goods of services (free or paid for) to such data subjects, or to the monitoring of their behaviour.
As a result, where Japanese companies carry out such data processing, they must comply with GDPR, irrespective of the existence of the adequacy decision. For example, a Japan-based e-commerce website with an offer directed at customers based in Europe (say, a French language site with the option of shipping to addresses in France) must comply with GDPR as regards its processing of the personal data of the France-based users of its site.
b. Requirement for a representative
Where data processing by a non-EU business falls within the scope of Article 3(2), the business in question is required to appoint a “representative” in the EU (exceptions apply where the processing is only occasional and does not include large-scale processing of sensitive personal data or create a risk to individual rights and freedoms).
The representative needs to be established in a member state where impacted data subjects are located and must be mandated “to be addressed in addition to or instead of” the foreign entity it represents, on issues relating to GDPR compliance (see GDPR Article 27). Data controllers and processors are both impacted by this obligation and that the appointment of a representative does not absolve the entity in question of its own legal responsibility in the event of a breach of the GDPR.
Thus, our notional Japanese e-commerce business, assuming it has no European establishment, should appoint a third-party representative in the EU in order to comply with its Article 27 obligations.
For information about naming Altij as your European representative for the purposes of the GDPR, the creation of an EU-based establishment, or for all other GDPR compliance questions, please get in touch with us via our contact page. You can also visit our dedicated GDPR website https://www.conformite-rgpd.expert for an overview of our data protection offer, including a video introduction to our GDPR chatbot.