The European Union and Japan have concluded their talks on mutual data privacy adequacy and have agreed to recognize each other's data protection systems as 'equivalent', a recognition that once implemented will allow personal data to be transferred between the EU and Japan without the need for additional safeguards.
The General Data Protection Regulation (GDPR)
Under the GDPR, transfer of personal data outside the EU on the basis of an adequacy decision taken by the European Commission is the simplest way to make certain that the flow of personal data is done securely. Such a decision confirms that a third country provides a comparable level of protection of personal data to that in the EU, either through its national legislation or as a result of binding international commitments.
In the absence of such a decision, a company may only transfer personal data transfer outside the EU if it has provided other safeguards listed in the GDPR, such as obtaining data subjects consent or conclusion of standard contractual clauses.
This is the first time that the EU has agreed on a reciprocal recognition of the adequate level of data protection. The European Commission has so far recognized unilaterally 11 other countries including Switzerland, Canada (limited to companies that have joined PIPEDA) as territories that provide adequate data protection.
The impact of the adequacy decision
After the procedure for the adoption of the adequacy finding for Japan has been finalized this autumn, Japan will join the list of countries of which personal data can flow to and from the EU (and Norway, Liechtenstein and Iceland) without any further safeguards being necessary. In other words, data transfers to Japan will be assimilated to intra-EU transmissions of data.
It is important to note that this decision does will leave intact all other obligations of the GDPR for processing personal data and is in no way a license to process personal data without obeying these obligations.
New binding rules
To that end, Japan has agreed to implement a set of rules providing Europeans whose personal data are transferred to Japan with additional safeguards aimed at minimizing the differences between the two data protection systems.
These additional safeguards will be implemented in order to strengthen the protection of sensitive personal data, in order to determine the conditions under which personal data pertaining to EU persons may be transferred from Japan to another third country, and in order to strengthen the exercise of individual rights to access and rectification of personal data. These rules will be binding on Japanese companies that import personal data from the EU and will be enforced by the Japanese independent data protection authority (PPC) and the Japanese courts.
Next to the abovementioned safeguards, Japan has also agreed to put a complaint-handling mechanism in place that will be tasked with investigating and resolving complaints from Europeans regarding access to their data by Japanese public authorities. This mechanism will also be monitored by the PPC.
Because of the new Japanese regime, when transferring personal data from the EU to Japan, contractual obligations that address the specific requirements of the new regime will still need to be imposed upon the recipients of the personal data in Japan.
The expected changes
Once the adequacy finding becomes applicable, European companies will benefit from the transfer of personal data from outside the EU to Japan without the need to conclude standard contractual clauses or obtain consent of the data subject. In this way, the mutual adequacy finding is set to enhance data transfers and commercial exchanges between the EU and Japan.
This blog is written by Saya Lourens and Eliëtte Vaal (AKD). For more information, please contact Eliëtte Vaal by phone +31 88 253 5908 or by e-mail evaal@akd.nl
The European Union and Japan have concluded their talks on mutual data privacy adequacy and have agreed to recognize each other's data protection systems as 'equivalent', a recognition that once implemented will allow personal data to be transferred between the EU and Japan without the need for additional safeguards.
The General Data Protection Regulation (GDPR)
Under the GDPR, transfer of personal data outside the EU on the basis of an adequacy decision taken by the European Commission is the simplest way to make certain that the flow of personal data is done securely. Such a decision confirms that a third country provides a comparable level of protection of personal data to that in the EU, either through its national legislation or as a result of binding international commitments.
In the absence of such a decision, a company may only transfer personal data transfer outside the EU if it has provided other safeguards listed in the GDPR, such as obtaining data subjects consent or conclusion of standard contractual clauses.
This is the first time that the EU has agreed on a reciprocal recognition of the adequate level of data protection. The European Commission has so far recognized unilaterally 11 other countries including Switzerland, Canada (limited to companies that have joined PIPEDA) as territories that provide adequate data protection.
The impact of the adequacy decision
After the procedure for the adoption of the adequacy finding for Japan has been finalized this autumn, Japan will join the list of countries of which personal data can flow to and from the EU (and Norway, Liechtenstein and Iceland) without any further safeguards being necessary. In other words, data transfers to Japan will be assimilated to intra-EU transmissions of data.
It is important to note that this decision does will leave intact all other obligations of the GDPR for processing personal data and is in no way a license to process personal data without obeying these obligations.
New binding rules
To that end, Japan has agreed to implement a set of rules providing Europeans whose personal data are transferred to Japan with additional safeguards aimed at minimizing the differences between the two data protection systems.
These additional safeguards will be implemented in order to strengthen the protection of sensitive personal data, in order to determine the conditions under which personal data pertaining to EU persons may be transferred from Japan to another third country, and in order to strengthen the exercise of individual rights to access and rectification of personal data. These rules will be binding on Japanese companies that import personal data from the EU and will be enforced by the Japanese independent data protection authority (PPC) and the Japanese courts.
Next to the abovementioned safeguards, Japan has also agreed to put a complaint-handling mechanism in place that will be tasked with investigating and resolving complaints from Europeans regarding access to their data by Japanese public authorities. This mechanism will also be monitored by the PPC.
Because of the new Japanese regime, when transferring personal data from the EU to Japan, contractual obligations that address the specific requirements of the new regime will still need to be imposed upon the recipients of the personal data in Japan.
The expected changes
Once the adequacy finding becomes applicable, European companies will benefit from the transfer of personal data from outside the EU to Japan without the need to conclude standard contractual clauses or obtain consent of the data subject. In this way, the mutual adequacy finding is set to enhance data transfers and commercial exchanges between the EU and Japan.
This blog is written by Saya Lourens and Eliëtte Vaal (AKD). For more information, please contact Eliëtte Vaal by phone +31 88 253 5908 or by e-mail evaal@akd.nl