On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019. The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).
The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions. According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well. We provide below a brief overview of the Commission’s main findings.
Developments in the Japanese framework. The Commission notes that, since the adoption of its adequacy decision in 2019, the Japanese Act on the Protection of Personal Information (“APPI”), and its Supplementary Rules, have been amended twice. The amendments include, among other things, strengthened data security obligations (e.g., a requirement to notify data breaches) and data subject rights, additional safeguards for data transfers (such as information and monitoring requirements), and new rules on the creation and use of “pseudonymized personal information”.
The Commission considers that Japan has established a comprehensive data protection framework covering both the private and public sector.
Powers of the PPC. The Commission welcomes the PPC’s release of updated guidelines, particularly on data transfers, and encourages the release of further clarifications. Additionally, it supports the PPC’s initiative to conduct random checks to verify and ensure compliance with the Supplementary Rules.
Contact points for EU individuals. The Commission welcomes the establishment of dedicated contact points for EU individuals who have questions or concerns about the processing of their personal data in Japan, by either commercial operators (“Inquiry Line”), or public authorities (“Complaint Mediation Line”). However, it recommends that Japanese authorities clarify the availability of assistance in English for foreigners.
Further cooperation. The Commission is interested in cooperating with Japan to develop model data protection clauses, given their growing importance and potential as global data transfer tools. Moreover, it intends to explore the possibility of extending the adequacy decision’s scope beyond just commercial transfers, to include, for instance, transfers in the area of regulatory cooperation and research.
Review frequency. In light of the first review’s positive outcome, the Commission finds that future reviews may take place every four years, instead of the originally agreed two-year periodicity of the reviews.
Covington regularly advises companies on all aspects of their international transfers. Our Privacy & Cyber regulatory team is happy to assist with any inquiries relating to the Japan-EU mutual adequacy arrangement and other international transfer mechanisms.