On 19 July 2023, the European Data Protection Board (EDPB) announced that it had adopted a statement on the European Commission’s first review of the functioning of the adequacy decision for Japan during its 82nd plenary meeting.

The context

In January 2019 the European Commission adopted an adequacy decision in relation to transfers of personal data from the EU to businesses in Japan. The adequacy decision means that EU standard contractual clauses are not required when transferring personal data from the EU to businesses in Japan, although some form of supplementation is still required (see Data Protection – Significant developments on adequacy findings between Japan and Europe – Connect On Tech). However, the European Commission envisaged the first review of this adequacy decision would take place within two years after its entry into force.

The European Commission review

In April 2023, the European Commission concluded its first review of the Japan adequacy decision. Overall, the European Commission noted an increased level of alignment between the data protection frameworks in the EU and Japan following adoption of the adequacy decision and welcomed the establishment of contact points for EU individuals regarding data processing in Japan, as well as the extension of safeguards to academic and the public sector. The European Commission also noted that future reviews of the adequacy decision should take place every four years as opposed to every two years in light of the positive nature of the first review. The EDPB agrees with the European Commission’s assessment in its statement, the key takeaways of which are summarised below.

Key takeaways from the EDPB review

In its statement, the EDPB focused on the commercial aspects of the Japan adequacy decision, noting the following in particular:

  • Increased convergence: The EDPB welcomed several recent amendments in Japanese data protection legislation that brought further convergence with the GDPR. For example,  legislative amendments to the Japanese Act on the Protection of Personal Information and its Supplementary Rules, including the revised definition of “personal data the business holds” so that it no longer excludes personal data that are “set to be deleted within a period of six months”, extending the right to object, a duty to notify the Personal Information Protection Commission (“PPC”) and data subjects of any personal data breach that is “likely to harm individual rights and interest”. The EDPB also appreciated changes in relation to enhanced requirements for informed consent when it is used as a legal ground for onward transfers to third countries.
  • Continued monitoring: Despite the EDPB’s agreement that the EU and Japanese data protection frameworks are increasingly aligned, the EDPB notes there are still areas that require close monitoring by the European Commission, such as the use of consent in situations of imbalance of power, and the new category of “pseudonymised personal information” under Japanese law which are exempted from certain obligations such as the duty to report a data breach. 
  • Review cycle: The EDPB agreed with European Commission’s proposal to reduce the review cycle to four years given the positive outcome of the European Commission’s first assessment.
  • Onward transfers: The EDPB recognises the “importance of clarifying in the PPC Guidelines on international transfers that where the business handling personal information in Japan and the third party-recipient intend to frame their onward transfers of EEA transferred personal data they have to put in place implementing measures providing a level of protection equivalent to the APPI, read together with the Supplementary Rules and that, to this end, the APEC Cross Border Privacy Rules (CBPR) certification scheme cannot be used”. The EDPB fully supported the recommendation for this to be clarified in the PPC Guideline on transfers. The EDPB also agreed with the European Commission’s view that development of model clauses could strengthen the safeguards for onward transfers of EEA transferred personal data. Therefore, the EDPB welcomed the idea of possible future cooperation between the European Commission and Japan to develop such clauses.

Why is this important?

This review of the Japan adequacy decision is an important reminder that adequacy decisions are subject to periodic review and changes in the legislation in the third jurisdiction are closely monitored and assessed by the European Commission. The period of review must be “at least every four years” under Article 45(3) of the GDPR, and the European Commission has decided to review the adequacy decision in a further four years. It is also a reminder that to achieve adequacy the data protection laws in the third jurisdiction do not need to be identical, but must ensure an “adequate level of protection”.

For more information on the EDPB’s statement, please click here.