On Tuesday 17 July, the European Commission announced the conclusion of negotiations between the EU and Japan on personal data transfers (see EUROPE 12063). The announcement was made just before the signing of the strategic partnership and economic partnership agreements in Tokyo (see other article).
The agreement concluded includes mutual recognition of an equivalent level of data protection in the EU and Japan. Once it is adopted, it will allow for personal data exchanged for trade and law enforcement purposes, to flow freely from one territory to another without being subject to guarantees or additional approvals.
The Commission explained that modernisation of Japanese legislation had “increased a convergence between the two systems” and recognised data protection as a fundamental freedom.
The EU also obtained a range of additional guarantees from Japan to apply to European data transferred in the country. The Japanese definition of “sensitive data” will therefore be expanded and subsequent transfers of Europeans' data from Japan to other countries will be subject to a higher level of protection.
Japan also agreed to establish a system for processing and resolving complaints from Europeans, under the supervision of the Japanese data protection authority.
The world’s largest area of safe data flows
In Tokyo, the President of the European Commission, Jean-Claude Juncker, welcomed this agreement which he said on Twitter would create “the world’s largest area of safe data flows”. The Commission explained “Even though the EU already has unilateral adequacy decisions with several other countries, this is the first time the EU and a third country agreed on a reciprocal recognition of the adequate level of data protection”.
The EU has effectively adopted adequacy decisions for several territories such as Andorra, Guernsey, Jersey, the Faroe Islands, the Isle of Man, Israel, Switzerland, Argentina, Uruguay, New Zealand and Canada and the US.
The decisions for Canada and the US are only “partial” adequacy decisions. For Canada, the decision will only apply to private undertakings covered by national law on personal intelligence protection, while for the US, only businesses that make a commitment to respecting the principles of the Privacy Shield, will benefit from easier data transfers. With the revelations about the Cambridge Analytica scandal, the US has somewhat suffered in this area over for several months (see EUROPE 12056).
Thomas Boué, the director general of The Business Software Alliance, explained that “With current uncertainties related to data transfers and ongoing litigations in Europe, the adequacy determination for Japan is a breath of fresh air. The flexibility evident in the mutual recognition contributes to appease tensions on data flows and could serve as a model for future adequacy determinations”.
Next steps. The two parties are committed to completing the necessary internal procedures for adopting an adequacy observation by autumn 2018.
The Commission will now launch the adoption process planned for the General Data Protection Regulation (GDPR), which is seeking to obtain an opinion from the European Data Protection Board (EDPB) and the green light from EU member states ahead of the Commission's formal adoption.
The Commission will proceed to an initial re-examination of the mechanism two years after its adoption, then every four years. (Original version in French by Marion Fontana)