The European Commission announced on 23 January 2019 that it has adopted an adequacy decision on Japan (its press release can be found here).1 This is a result of the assessment process which began on 5 September 2018, the background of which can be found in our previous blog here.
Japan's data protection authority, the Personal Information Protection Commission (PPC), has also adopted its equivalent decision on Japanese personal data flows to the EU. This mutual recognition allows the safe free flow of personal data between the two territories, creating the world's largest arena of secure data flows.
New rules for Japanese Business Operators
The European Commission has found that Japan's data protection legislation and practice constitutes an "adequate framework". This is based on analysis of the Japanese Act on the Protection of Personal Information (APPI) already in place, together with the newly agreed Supplementary Rules (see below).
The adequacy decision is limited to the protection of personal information by "Personal Information Handling Business Operators" (Business Operators) within the meaning of the APPI. Some data importers in Japan conducting certain types of data processing are excluded from this adequacy decision. These can be found in Article 76 if the APPI, for example, broadcasting institutions processing personal information for press purposes. If EU personal data are exported to those excluded data importers, a different legal ground will be required.
Japan's improvements to the APPI, applicable to all personal data in Japan, has assisted the European Commission's decision by evidencing commonalities between the two regimes. Japan has introduced extra crucial safeguards for EU personal data. Some of these are:
The Supplementary Rules
The Supplementary Rules under the APPI for the Handling of Personal Data Transferred from the EU based on an Adequacy Decision (Rules), are a set of rules which tie the two economies together to ensure the same guarantees provided by EU law for EU personal data will be applicable in Japan. As on the adequacy decision date, the Rules are in force. The Rules are legally binding on Japanese Business Operators handling EU personal data and are enforceable by the PPC. Some of the key features of the Rules are as follows:
When a Japanese Business Operator processes EU personal data, it must provide equivalent rights of access, rectification and deletion for the EU individual as found in the EU...