On 19 July 2023, the European Data Protection Board (EDPB) announced that it had adopted a statement on the European Commission’s first review of the functioning of the adequacy decision for Japan during its 82nd plenary meeting.

The context

In January 2019 the European Commission adopted an adequacy decision in relation to transfers of personal data from the EU to businesses in Japan. The adequacy decision means that EU standard contractual clauses are not required when transferring personal data from the EU to businesses in Japan, although some form of supplementation is still required (see Data Protection – Significant developments on adequacy findings between Japan and Europe – Connect On Tech). However, the European Commission envisaged the first review of this adequacy decision would take place within two years after its entry into force.

The European Commission review

In April 2023, the European Commission concluded its first review of the Japan adequacy decision. Overall, the European Commission noted an increased level of alignment between the data protection frameworks in the EU and Japan following adoption of the adequacy decision and welcomed the establishment of contact points for EU individuals regarding data processing in Japan, as well as the extension of safeguards to academic and the public sector. The European Commission also noted that future reviews of the adequacy decision should take place every four years as opposed to every two years in light of the positive nature of the first review. The EDPB agrees with the European Commission’s assessment in its statement, the key takeaways of which are summarised below.

Key takeaways from the EDPB review

In its statement, the EDPB focused on the commercial aspects of the Japan adequacy decision, noting the following in particular:

  • Increased convergence: The EDPB welcomed several recent amendments in Japanese data protection legislation that brought further convergence with the GDPR. For example,  legislative amendments to the Japanese Act on the Protection of Personal Information and its Supplementary Rules, including the revised definition of “personal data the business holds” so that it no longer excludes personal data that are “set to be deleted within a period of six months”, extending the right to object, a duty to notify the Personal Information Protection Commission (“PPC”) and data subjects of any personal data breach that is “likely to harm individual rights and interest”. The EDPB also appreciated changes in relation to enhanced requirements for informed consent when it is used as a legal ground for onward transfers to third countries.
  • Continued monitoring: Despite the EDPB’s agreement that the EU and Japanese data protection frameworks are increasingly aligned, the EDPB notes there are still areas that require close monitoring by the European Commission, such as the use of consent in situations of imbalance of power, and the new category of “pseudonymised personal information” under Japanese law which are exempted from certain obligations such as the duty to report a data breach. 
  • Review cycle: The EDPB agreed with European Commission’s proposal to reduce the review cycle to four years given the positive outcome of the European Commission’s first assessment.
  • Onward transfers: The EDPB recognises the “importance of clarifying in the PPC Guidelines on international transfers that where the business handling personal information in Japan and the third party-recipient intend to frame their onward transfers of EEA transferred personal data they have to put in place implementing measures providing a level of protection equivalent to the APPI, read together with the Supplementary Rules and that, to this end, the APEC Cross Border Privacy Rules (CBPR) certification scheme cannot be used”. The EDPB fully supported the recommendation for this to be clarified in the PPC Guideline on transfers. The EDPB also agreed with the European Commission’s view that development of model clauses could strengthen the safeguards for onward transfers of EEA transferred personal data. Therefore, the EDPB welcomed the idea of possible future cooperation between the European Commission and Japan to develop such clauses.

Why is this important?

This review of the Japan adequacy decision is an important reminder that adequacy decisions are subject to periodic review and changes in the legislation in the third jurisdiction are closely monitored and assessed by the European Commission. The period of review must be “at least every four years” under Article 45(3) of the GDPR, and the European Commission has decided to review the adequacy decision in a further four years. It is also a reminder that to achieve adequacy the data protection laws in the third jurisdiction do not need to be identical, but must ensure an “adequate level of protection”.

For more information on the EDPB’s statement, please click here.

Author

Ben advises clients in a wide range of industry sectors, focusing in particular on data protection compliance, including healthcare, financial services, adtech, video games, consumer and business-to-business organisations. Ben regularly assists clients with global data protection compliance projects and assessments as well as specific data protection challenges such as international transfers and data security breaches. Ben is also regularly involved in drafting and negotiating data protection clauses in agreements for various clients in a wide range of industry sectors. Ben also regularly advises clients on electronic direct marketing and cookies.

Author

Daisuke Tatsuno is a partner in the Firm’s Tokyo office, where he represents leading companies in various intellectual property and information technology matters. He was formerly with the San Francisco office of Baker McKenzie and worked at Warner Bros. Entertainment Inc. Mr. Tatsuno served as speaker on various seminars relating to his field and has authored various publications, including the PLC E-Commerce Practice Manual for the Practical Law Company.

Author

Kensaku Takase is a partner in Baker McKenzie’s Tokyo office and is the Group Leader of the office's IP/IT/EC Practice Group. Mr. Takase is bilingual (Japanese and English) and focuses on intellectual property law, media law, and information technology law since 1999. He has assisted many companies in various industries with cross-border transactions in the trademark, copyright and design fields.

Author

Marilyn is an associate in the Intellectual Property, Data and Technology team based in London. She joined Baker McKenzie as a Trainee Solicitor in September 2020 and was admitted as a solicitor in England and Wales in September 2022. During her training, Marilyn was seconded to Baker McKenzie's Dubai office for six months and later to Google's commercial legal team for six months.