Japan, EU Move to Close Deal on Easing Cross-Border Data Transfers

By Brian Yap

The European Union and Japan are close to finalizing a data privacy pact that will tear down legal barriers and ease the flow of personal data between the EU and the Asian nation.

Japan will formally recognize that the EU’s data protection regime, the General Data Protection Regulation, provides equivalent privacy protections to its law after the EU makes a comparable finding that Japan’s privacy law is equivalent to the GDPR, Satoru Hamaguchi, director of Japan’s independent Personal Information Protection Commission (PPC), told Bloomberg Law.

The European Commission has said it plans to recognize Japan’s law by the end of 2018.

The pact will mark the first time the EU has found an Asian country’s data protection laws adequately safeguard EU data. It will greatly simplify data transfers for Japanese companies doing business in the European Economic Area (EEA). It also is the first mutual data protection adequacy agreement the EU will enter into.

The deal will open up “the world’s largest area of safe transfers of data based on a high level of protection for personal data,” according to a European Commission statement.

The pact will mean new obligations for Japanese companies but could also be a boon to corporations, including Mitsubishi Corp, Mitsui Corp, Sumitomo Corp, Itochu and Marubeni Corp.

“Japanese multinationals now need to reevaluate and restructure their internal privacy policy in order to be in full compliance with” the GDPR, Shinsuke Yakura, dispute resolution and managing partner of Orrick, Herrington and Sutcliffe LLP’s Tokyo office, told Bloomberg Law.

The deal will complement the Economic Partnership Agreement, an EU-Japan free trade agreement that will take effect after the European Parliament and the Japanese Diet ratify it.

The European Commission is now in talks with South Korea on a comparable data protection adequacy deal.

Japanese Companies to Benefit

Japanese companies have had to rely on less efficient ways to transfer data from the EU, such as negotiating standard contractual clauses or binding corporate rules, which can take years to finalize.

Major Japanese companies with EU operations stand to benefit, “mainly because they do not have to execute Standard Contractual Clauses and establish Binding Corporate Rules, which had been putting a lot of burden on companies,” Yakura said.

The EU Directorate-General for Justice and Consumers has created a draft Commission Implementing Decision on Japan’s adequate protection of personal data, and distributed it to each of the EU member countries for review.

The European Commission Sept. 5 published a draft adequacy decision, which started the formal EU process to finalize the agreement with Japan.

To close the deal, Japan must adopt five supplementary safeguards to close gaps between its data protection law, the Act on the Protection of Personal Information (APPI), and the GDPR. Japan also must set up a complaint procedure for EU citizens who want access to data held by Japanese public authorities, including police and security agencies, Hamaguchi said.

Supplementary Rules

“These five remaining items must be followed by Japanese multinationals post-adequacy recognition if they want to transfer personal information or data from their EU subsidiaries back to the Japanese headquarters,” Yakura said.

The rules are legally binding, and corporations must follow them when dealing with data transferred from the EU. The PPC may, according to guidelines to the supplementary rules, issue a recommendation or order against companies that breach the rules. The PPC issued the rules, which only apply to private companies.

The PPC will oversee the safeguards and the complaint handling system, which will take effect once the EU completes its adequacy recognition, Hamaguchi said.

Japan must adjust its definition of sensitive data, change the length of time individuals can access their retained personal data, and alter how individuals must be informed of the purpose for which their data was obtained, Yakura said. Japan also must heighten its standard for anonymizing EU data and increase the level of protection required for transfers of EU data from Japan to another country.

For example, Japan must classify information on an individual’s sexual orientation, sex life, or labor union status as sensitive, which will trigger a higher level of data protection. The European Union deems such information as sensitive under the GDPR.

Under Japan’s APPI, a data subject loses the right to delete or modify his or her personal data if it is meant to be retained for less than six months. Under the GDPR, the data subject is entitled to request the deletion or modification of such information even if it is retained for more than six months. Japan must conform to the EU standard under the prospective pact.
