Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By Brian Yap
The European Union and Japan are close to finalizing a data privacy pact that will tear down legal barriers and ease the flow of personal data between the EU and the Asian nation.
Japan will formally recognize that the EU’s data protection regime, the General Data Protection Regulation provides equivalent privacy protections to its law after the EU makes a comparable finding that Japan’s privacy law is equivalent to the GDPR, Satoru Hamaguchi, director of Japan’s independent Personal Information Protection Commission (PPC), told Bloomberg Law.
The European Commission has said it plans to recognize Japan’s law by the end of 2018.
The pact will mark the first time the EU has found an Asian country’s data protection laws adequately safeguard EU data. It will greatly simplify data transfers for Japanese companies doing business in the European Economic Area (EEA). It also is the first mutual data protection adequacy agreement the EU will enter into.
The deal will open up “the world’s largest area of safe transfers of data based on a high level of protection for personal data,” according to a European Commission statement.
The pact will mean new obligations for Japanese companies but could also be a boon to corporations, including Mitsubishi Corp, Mitsui Corp, Sumitomo Corp, Itochu and Marubeni Corp.
The deal will complement the Economic Partnership Agreement, an EU-Japan free trade agreement that will take effect after the European Parliament and the Japanese Diet ratify it.
The European Commission is now in talks with South Korea on a comparable data protection adequacy deal.
Japanese companies have had to rely on less efficient ways to transfer data from the EU, such as negotiating standard contractual clauses or binding corporate rules, which can take years to finalize.
Major Japanese companies with EU operations stand to benefit, “mainly because they do not have to execute Standard Contractual Clauses and establish Binding Corporate Rules, which had been putting a lot of burden on companies,” Yakura said.
The EU Directorate-General for Justice and Consumers has created a draft Commission Implementing Decision on Japan’s adequate protection of personal data, and distributed it to each of the EU member countries for review.
The European Commission Sept. 5 published a draft adequacy decision, which started the formal EU process to finalize the agreement with Japan.
To close the deal, Japan must adopt five supplementary safeguards to close gaps between its data protection, the Act on the Protection of Personal Information (APPI), and the GDPR. Japan also must set up a complaint procedure for EU citizens who want access to data held by Japanese public authorities, including police and security agencies, Hamaguchi said.
“These five remaining items must be followed by Japanese multinationals post-adequacy recognition if they want to transfer personal information or data from their EU subsidiaries back to the Japanese headquarters,” Yakura said.
The rules are legally binding, and corporations must follow them when dealing with data transferred from the EU. The PPC may, according to guidelines to the supplementary rules, issue a recommendation or order against companies that breach the rules. The PPC issued the rules, which only apply to private companies.
The PPC will oversee the safeguards and the complaint handling system, which will take effect once the EU completes its adequacy recognition, Hamaguchi said.
Japan must adjust its definition of sensitive data, change the length of time individuals can access their retained personal data, and alter how individuals must be informed of the purpose for which their data was obtained, Yakura said. Japan also must heighten its standard for anonymizing EU data and increase the level of protection required for for transfers of EU data from Japan to another country.
For example, Japan must classify information on an individual’s sexual orientation, sex life, or labor union status as sensitive, which will trigger a higher level of data protection. The European Union deems such information as sensitive under the GDPR.
Under Japan’s APPI, a data subject loses the right to delete or modify his or her personal data if it is meant to be retained for less than six months. Under the GDPR, the data subject is entitled to request the deletion or modification of such information even if it is retained for more than six months. Japan must conform to the EU standard under the prospective pact.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)