On 17 July 2018, the European Union and Japan successfully concluded negotiations on the reciprocal finding of an adequate level of protection for personal data, thereby creating the world’s largest area of safe data transfers based on a high level of legal protection. This decision comes right after the signature of the biggest trade agreement ever negotiated by the European Union, the EU-Japan Economic Partnership Agreement. The adequacy decision ensures a higher level of protection to EU citizen’s whose personal data are transferred to Japanese companies, while at the same time facilitating the (intra-group) transfer of employee and consumer data to recipients in Japan.
Meanwhile, the reaching of an adequacy decision between the EU and South Korea is also only matter of time.
As Japan and South Korea are key commercial partners for the EU, these evolutions are intended to boost international trade, while simultaneously increasing the scope of EU privacy standards.
Background of the EU-Japan reciprocal adequacy decision
The discussions started in 2017, at a time when the European Commission published a communication on Exchanging and Protecting Personal Data in a Globalised World. This communication announced that the European Commission would prioritise discussions on adequacy decisions with key trading partners, starting with Japan and South-Korea, which had both recently modernised their data protection legislation. Negotiations with Japan were facilitated by the EU-Japan Economic Partnership Agreement and by amendments made to the Japanese Act on the Protection of Personal Information, which came into force on 30 May 2017.
To date, the European Union has only recognised 12 countries worldwide as providing an “adequate level of protection” for personal data. These include Switzerland and Israel, as well as special arrangements with Canadian private entities (falling in the scope of the Personal Information Protection and Electronic Documents Act) and US companies self-certifying under the Privacy Shield principles.
However, with the EU-Japan adequacy decision, it is the first time that a third country agrees on reciprocal recognition of an adequate level of protection. Personal data will be able to flow back and forth between the EU and Japan without any further authorisations being required or data transfer agreements to be implemented.
Key elements of the EU-Japan adequacy recognition
The adequacy decision covers personal data exchanged for commercial purposes and includes a mutual recognition of an “equivalent level” of data protection by both the European Union and Japan.
To meet the European standards, Japan has nevertheless committed to still implement additional safeguards to protect EU citizens’ personal data:
Strengthen the protection of sensitive data by expanding the definition hereof;
Facilitate data subjects’ right to access and rectify their personal data;
Stricter conditions under which EU data can be further transferred from Japan to a third country; and
Implement a complaint-handling mechanism to investigate and resolve complaints from European citizens regarding access to their data by Japanese authorities, supervised by the Japanese independent data protection authority.
These rules will be binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority and courts.
South Korea expected to follow Japan’s example soon
Now that the negotiations with Japan have been concluded, adequacy talks are highly likely to lead to an EU adequacy decision for South Korea in the very near future. Both the EU and South Korean officials recently confirmed their willingness to organise a meeting later in 2018 in order to finalise the negotiations.
This rapid negotiation process between the EU and South Korea is not very surprising, as South Korea already submitted its request for partial adequacy earlier on, and taking into account that the South Korean Personal Information Protection Act shares many similarities with the GDPR. Both privacy regimes protect privacy rights from the perspective of the individual and apply to most organisations including government entities. Furthermore, South Korean data protection law contains lawfulness, fairness and transparency standards that are very similar to those enshrined in the GDPR.
Outlook
The European Commission is expected to launch the adoption process based of article 45 of the GDPR in order to have the EU-Japan adequacy decision formally adopted in the fall of 2018. The South Korean adequacy decision should follow shortly thereafter.
These adequacy decisions should greatly facilitate flows of personal data between the EU and Japan/South Korea, which is particularly relevant for the global automotive and technology manufacturers established in those countries.