As of 17 July 2018, Japan and the EU have reached a preliminary [Adequacy] agreement regarding future free-flow of personal data between the two countries. This situation represents a significant practical test with regard to country-to-country data sharing agreements in light of the Regulation (EU) 2016/679 (the ‘General Data Protection Regulation’ [hereafter « GDPR »]) applicable since 25 May 2018, and could thus be seen as an active barometer with regard to the ‘vetting’ process of other states’ protection mechanisms.
Overall, the news could be seen as both a relief and somewhat anti-climactic for those interested – and if you own or operate a business outside the EU with dealings inside the EU, you most likely at least have a cursory interest – as Japan’s domestic protections were largely seen to have parallel, equivalent or, in the terms of the finding – ‘adequate’ protections. This thus leaves the future of decision’s formal adoption (expected later this year) in the hands of Japan; as such, they are expected to implement some relatively minor, additional safeguards necessary to meet EU data protection standards during this period.
The Foundations of the GDPR Adequacy Decisions
The decision, however, does reveal some of the criteria the European Commission (hereafter ‘The Commission’) will use in determining a third country’s ability to comply. Under Article 45 GDPR, the Commission has the power to determine […] whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or of the international commitments it has entered into. The process attached to Article 45 – perhaps simply due to the sheer importance/immensity of the regulation itself with regard to its effect on other states’ adaptation of legislation to correspond to EU rules – is not ‘one size fits all’. In general, however, the procedure runs on the following lines:
- a proposal from the European Commission
- an opinion of the of the European Data Protection Board
- an approval from representatives of EU countries
- the adoption of the decision by the European Commissioners
The Commission has the right to amend, withdraw and maintain any decision on the grounds that it doesn’t exceed the implementing powers provided for in the regulation – mostly relevant to periods of review, identification of domestic advancements, supervising authorities and other minutiae. In any case, we can see The EU’s agreement with Japan is currently in between steps three and four.
How This Fits with the Japan Decision
This is where the importance of the current agreement with Japan comes in. The EU already has reciprocal agreements with a number of countries (Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection); however, these were underwritten as part of the preceding regulation (i.e. Directive 95/46/EC) and – while being seen as desirous of maintenance by both the EU and foreign governments – have been seen as being at risk of either revision or revocation under GDPR. In 2015, the European Court of Justice ruled the EU ‘safe harbour’ deal with the United States to be illegal. The agreement with Japan could therefore be seen as the first under the auspices of the current, ‘more certain’ rules (As stated by Bruno Gencarelli, the head of a unit on data protection at the Commission’s justice department, via https://www.euractiv.com/section/data-protection/news/commission-conducting-review-of-all-foreign-data-transfer-deals/).
This timely review is not by coincidence; the same day, the two countries signed the complementary EU-Japan Economic Partnership Agreement. The raft of new legislation has resulted in the relatively pressing need for robust (and therefore complex) oversight to ensure well over half a billion consumers have standardised protection of their private data. Further, the uptake of the agreement represents the world’s largest area of ‘safe’ data transfer based on GDPR rules, as well as the first time the EU and a third country have agreed on a reciprocal recognition of the necessary criteria for an ‘adequate level’ of data protection.
Key Elements of the Japan Agreement
Data protection in Japan is largely governed by three Acts: The Act on the Protection of Personal Information (« APPI »); The Act on the Protection of Personal Information Held by Administrative Organs (« APPIHAO »); and the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc. (« APPI-IAA »). The APPI is of primary interest to the current agreement, which by itself is limited to the protection of personal information by ‘Personal Information Handling Business Operators’. In any case, contemporary reforms have resulted in legislation which operates at relative parity, this with some small (yet noteworthy) differences (e.g. what constitutes personal data as part of a ‘personal information database’, rules regarding retention periods and methods of data transmission). Under the agreement, however, GDPR rules will apply whenever processing the data of EU citizens, this rather that the domestic APPI counterpart.
In addition, The Japanese government has adopted the following extra safeguards under the Adequacy Agreement:
- Applied GDPR conditions under which EU data can be further transferred from Japan to another third country, access to individual rights and complaints/access to rectification. These rules will be binding on Japanese companies importing data from the EU and enforceable by both the Japanese courts and independent data protection authority (« PPC »)
- A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the PPC
- Enhanced safeguards concerning the access of Japanese public authorities for criminal law enforcement and national security purposes, ensuring that any such use of personal data would be limited to what is necessary, proportionate and subject to independent oversight and effective redress mechanisms
What this Means for Other Regional Arrangements (and Their Businesses)
Obviously the agreement is meant to support international trade, this while promoting the high standards demanded by both EU and Japanese citizens. It, further, represents a successful foray into the application of complex, enhanced GDPR rules with another country’s legislative milieu in mind. This is probably where foreign businesses should probably start taking notice.
Even in comparison to Japanese legislation, GDPR rules comprise the most restrictive data protection mechanisms to date. Where EU citizens’ data is concerned, the Japanese government – representing what already constitutes a sizable piece of the global trade pie – has agreed to apply GDPR rules within its borders to ensure this partnership will not be compromised. It would therefore follow that other countries – including those who had previous arrangements under the previous Directive – will most likely follow suit rather than risk their access to the European market. This could result in the formation of oversight mechanisms (such as Japan’s PPC) to ensure GDPR rules are applied, as well as enforcement within respective, domestic court systems.
This also means that other Asian countries – particularly at the state/administrative level – should expect protracted engagements with the EU in order to apprehend how their respective systems align with GDPR interests. The next step is, most likely, to see how Korea’s application for Partial Adequacy arrangements in correlation to that country’s Personal information Protection Act – which arguably already shares many similarities with the GDPR – will play out later this year.
And China?
These agreements will most likely reflect some of the difficulties China may expect in teasing out its own partnership with the European bloc. China’s progress in data protection has already mirrored the advent of the GDPR in some fashions, with the nation’s Cybersecurity Law (« CSL ») seeing passage of November 2016, the same year as the GDPR’s passage in Europe. Indeed, some facets of the legislation are nearly verbatim – such as the definition of personal data (e.g. Any information Relating to An identified or identifiable Natural person, Applied via Article 76.5 of the CSL), this as well as significant sanctions in response to a breach. That being said, there are substantial – and perhaps inherently problematic – differences between the EU and Chinese legislative umbrella with regard to data protection.
The GDPR, of course, makes its extraterritoriality an explicit aspect of the regulatory function; China’s focus on integrating the cybersecurity and data protection functions naturally allows that the focus of protection is strictly limited to the PRC. Chinese businesses would therefore need to apply both the GDPR and CSL standards in cases where data is being transferred between the two entities.
There may, however, be some instances wherein compliance between the two would be not reasonably forthcoming, particularly in light of Chinese understanding of data deletion and the right to be forgotten – which would only be available if the data controller has breached the law or an agreement with the data subject. There are also enduring concerns as to how privacy would interact with the state’s much-maligned Social Credit system – which would naturally hold data at the national level, this for purposes obviously not appreciated in the GDPR – not to mention how exemptions provided to corporations with regard to data processing and consent may be adaptable, if at all.
In addition, there is real concern that businesses may again be largely unprepared for the inevitable, and that this intransigence could be endemic – relative to the lack of understanding of how the CSL will be implemented/enforced in light of other elements of their legislative umbrella. There are still significant portions of the system have difficulty connecting implementation with the ambition of Chinese data protection regulations, and as such Chinese companies are currently lagging behind peers from most Western nations, and in particular the US.
Conclusions
While the GDPR looms large with regard to Western businesses’ data protection frameworks, prior to the probable uptake of Japan’s adequacy arrangements, New Zealand represented the only Asia-Pacific country able to share data freely between its companies and EU counterparts. Many regional players – such as Thailand and Indonesia – have seen efforts at modernising data protection efforts largely unrealised to this point; indeed, even nations with leveraged interests in EU businesses – such as Singapore, who won’t even table proposed revisions to its parliament until 2019 – may be falling behind at the state level.
This will leave Asian, EU-partnered businesses unable to rely on domestic legislative guidance on how to proceed with regard to the GDPR, and distressingly unprepared for the well-publicised, hefty fines that result from a breach. Japan’s success in meeting the GDPR will hopefully global enforcement on data protection.