On 25 April 2018, Japan’s data protection authority published draft guidelines relating to adequacy findings for international personal data transfers from Europe to Japan (Guidelines).
If the Guidelines come into force in their current form, subject to the EU’s adequacy decision, they will allow for personal data to be transferred from the EEA (which includes the EU, Iceland, Liechtenstein and Norway) to Japan without measures such as specific data subject consent or standard contractual clauses. These Guidelines form part of a broader effort to recognize “mutual adequacy” between the EU and Japan respectively under the incoming EU General Data Protection Regulation (GDPR) and Japan’s Act on the Protection of Personal Information (APPI).
Like the EU, Japan only allows data exports to third countries under strict conditions. The APPI provides that personal data may be transferred to a foreign country only when (a) specific consent of the data subject is obtained, (b) the country has a legal system that is deemed equivalent to the Japanese personal data protection system or (c) the data exports are made to a third party which undertakes adequate precautionary measures for the protection of personal data.
While Japan’s data protection authority has yet to publish a list of the countries that are deemed to have an equivalent legal system for now, the EEA will be listed when mutual adequacy findings are confirmed between Japan and the EU.
The Guidelines will be open for public comment until 25 May 2018 and are expected to take effect within this year.
While the data protection regime under Japan’s APPI has a number of similarities with the GDPR, there are many differences. The Guidelines are intended to ensure personal information transferred from the EU receives a higher level of protection than is required under the APPI. To ensure such higher level of protection, the Guidelines provide a number of supplementary requirements to the APPI for data transferred from Europe, such as:
The Guidelines require a business operator to recognize a data subject’s sex life, sexual orientation and trade union membership as special categories of personal data.
Confirmation and Record Keeping
Under the APPI, a business operator needs to confirm and record certain particulars relating to personal data that is received from, or provided to, third parties including how the personal data was obtained and how it is retained. The Guidelines state that, in relation to transferred data, the business operator must also confirm and record the purpose of use of the personal data.
Cross-border Transfer of Personal Data
Where a business operator intends to transfer personal data received from the EU to a third party located outside Japan (and outside the EU) on the basis of the data subject’s consent, it must inform the data subject sufficiently about the ultimate data recipient so that the data subject can make an informed decision as to whether or not to consent.
The Guidelines require data which is to be treated as “anonymized personal data” be in a format that no one can restore the original personal information.
Although the EU standard clause contracts may not be required under this new adequacy regime (with its additional requirements), some form of contractual obligations will still need to be imposed upon the recipients of the personal data in Japan relying upon the regime. Companies will consequently need to create bespoke agreements or contractual provisions that can address the specific requirements in the Guidelines. In practice, companies will no longer need to worry about the EU standard clause contracts and so will have flexibility as to how the provisions in the Guidelines are incorporated. However, it will still leave companies with a burden to ensure that their agreements meet the specific requirements of the Guidelines, or be at risk that their data transfers from the EU to Japan be considered non-compliant with the adequacy requirements, and be in breach of the GDPR.
Contributor: Yuki Kondo