Almost two years to the day after discussions commenced, on 23 January 2019, the European Commission confirmed that an adequacy decision had been reached with Japan, finding that Japan’s data protection rules are ‘essentially equivalent’ to the General Data Protection Regulation (GDPR).
The announcement follows the adoption of a set of Supplementary Rules by the Japanese government to bridge the final gaps identified in late 2018 by the European Parliament and the European Data Protection Board (EDPB). It has been described as creating the ‘world’s largest area of safe data flows’. But, cutting through the hyperbole, what does the decision mean for companies moving data between these and other jurisdictions?
Well, first things first, this is not ‘access all areas’. Adequacy findings, like the other compliance models, come with strings attached for organizations relying on them. Just because data is held within the geographical sphere of the adequacy agreement does not mean that it can be automatically sent hither and thither between the two jurisdictions.
As with any processing of personal data, even within the EU/European Economic Area (EEA), the parties must still comply with all of the data protection principles laid down in Article 5 of the GDPR. Because a transfer of data to Japan will constitute new processing, businesses will at the very least need to assess that processing against those principles and update their privacy notices. Depending on the type of processing, they may also need to carry out a Data Protection Impact Assessment (DPIA) where the processing is ‘high risk’. The DPIA requirement is not triggered by the transfer as such, but the transfer is a change to the processing activity, so a review is the minimum that regulators would expect.
In applying those principles, Article 25 (Data Protection by Design and by Default, often called Privacy by Design) quickly comes into play. On its own it dismantles the idea of unlimited access in either direction, because it brings with it data minimization and pseudonymization, and in practice anonymization wherever identifiable data is not needed. Any processing activity should be tested against these minimum standards, even one that takes place solely within the EEA: processing that fails to meet them cannot be lawful, regardless of adequacy.
Integrity and confidentiality must also be maintained, both by securing the method of transfer and by ensuring that the recipient’s access is limited to what the lawful purpose requires. This is particularly important in the context of the EDPB Opinion of December 2018, which notes that the Supplementary Rules exclude onward transfers under Japan’s other international arrangement in this area, the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. The reason is that the CBPR arrangement could allow the onward transfer of personal data from Japan to a country which, while covered by the CBPRs, is not adequate under EU rules. The Opinion also notes that any further adequacy decisions taken by Japan in relation to other third countries will need to be monitored for their impact on the EU’s adequacy decision.
This is interesting for a number of reasons. First, it indicates that the EU is some way from recognising the CBPRs as an equivalent framework, even though some in privacy circles have described the CBPRs as operating in a way comparable to Binding Corporate Rules (BCR).
Second, it shows that this will continue to be a complex area to navigate. To maintain its adequacy finding, Japan will need to be cautious in agreeing common transfer rules with other jurisdictions: the CBPRs themselves; China, in the context of cooperation between Japanese and Chinese firms (leaving aside geopolitical questions); and the UK, post-Brexit. Bear in mind also that APEC includes the United States. So there is some meshing to be done. Global companies will find their transfers regulated under GDPR rules as applied separately through Japanese domestic law (as the adequacy decision requires) and through the CBPRs, with a little Privacy Shield tacked on the side, quite apart from any US domestic developments.
So, what does it mean for businesses in practice? First, Data Processing Agreements (DPAs) between EU and Japanese companies will get slightly slimmer, because there will no longer necessarily be a need to incorporate the EU standard contractual clauses (the ‘Model Clauses’). As with any DPA, businesses will still need to include the usual data protection clauses, together with clauses setting out what happens if the adequacy decision were suspended or withdrawn for any reason. They will also need to consider restricting onward transfers to jurisdictions that Japan may consider adequate but the EU does not, and vice versa. But the process does become easier, particularly for single-entity to single-entity transfers.
And the key message? The adequacy decision creates a bloc of more than 600 million individuals whose data will be handled in broadly the same way, subject to equivalent safeguards and protections. That is some achievement. Companies wanting to take advantage of it will need to act within the rules and, importantly, partner with organizations that know how to operate under those different regimes.