EU Issues Opinions on Adequacy of Japanese Data Protections; Separately, Possible US-EU-Japan Data Accord Discussed - Clarip Privacy Blog

The European Union is working through its first adequacy decision since the General Data Protection Regulation (GDPR), this one with Japan. The agreement was announced as part of the trade agreement between the EU and Japan negotiated earlier this year, and the EU is now formally approving those terms. It is also the first mutual adequacy decision, as Japan will likewise recognize the protections offered by the EU for transfers of Japanese data.

As part of the process, the European Data Protection Board (EDPB) gives an opinion to the European Commission on the level of protection for data privacy provided under Japanese law. The law needs to be aligned to the fundamental principles of GDPR in order to be considered as having an adequate level of protection for the data of European citizens under Article 45 and the case law developed by the CJEU. This standard is one where the level of protection is considered “essentially equivalent”, although the means of recourse need not mirror those created by the European Union.

The EDPB in its review noted some core provisions of the Japanese law that are in alignment with GDPR, including principles of data accuracy, data minimization, storage limitation, data security and oversight by an independent supervisory authority. The EDPB also noted efforts to fill in the gaps between GDPR and Japanese law through adoption of supplemental rules applicable to transfers of data from Europe to Japan.

However, the EDPB noted a number of data protection challenges that the Japanese system had not addressed, as well as a few areas where, in its opinion, additional clarification is needed. These included:

1. The development of a method of monitoring the combination of Japanese law and the supplemental rules negotiated.

2. Clarification of the binding and enforceable nature of the Supplementary Rules notwithstanding the reassurances of the European Commission and the Japanese authorities regarding their binding nature.

3. Clarification of the application of the Supplemental Rules to onward transfers of data to a third country on the basis of their adequate level of protection. The EDPB noted that the Supplemental Rules do not clearly continue to apply to such transfers once the information has reached the third country where the adequacy decision predated the agreement between the EU and Japan.

4. The EC will need to monitor whether EU residents have adequate access to the Japanese redress system given that some materials are published in Japanese only.

5. Additional areas for clarification to provide assurances on the protection of data include clarity around the concept of a trustee (which is similar to a data controller under GDPR), restrictions on individual rights due to a lack of relevant documents, and whether effective protection will be offered to data throughout its entire life rather than stopping at the three-year recordkeeping obligation on the origin of data under Japanese law.

As part of its review, the EDPB recommended that the noted concerns and areas for clarification be addressed. It also recommended that the European Commission conduct a review of its adequacy finding every two years rather than every four years as specified in its draft decision.

The EDPB opinion is located here (PDF).

Shortly after the EDPB released its Opinion on the European Commission Draft Implementing Decision on the adequate protection of personal data in Japan, the European Parliament also issued a resolution on the adequacy of the protection of personal data afforded by Japan.

The EP asked the Commission to address the issues that it identified in the resolution as well as those that were made by the European Data Protection Board (which we discussed in part above). The areas of concern from the EP included:

1. The additional protections will only cover transfer under the adequacy decisions and some transfers may occur under other mechanisms.

2. The “very limited” situations in which data is excluded from the definition of personal information due to little possibility of harming an individual’s rights under Japanese law.

3. There is no overall framework within Japanese data protection law with regard to automated decision-making and profiling.

4. The level of possible administrative fines appears insufficient to ensure effective compliance, although this may be counteracted if Japan has in the past issued criminal sanctions such as imprisonment (which it has the authority to impose).

5. The supplemental rules are not legally binding on data collection and usage by Japanese authorities for criminal law enforcement and national security purposes. There was also concern that mass surveillance by the Japanese Directorate for Signals Intelligence would not meet the standards set by the European Court of Justice.

The EP resolution is located here.

The Nikkei Asian Review also reported this week that Japan is going to be adopting new standards next year as part of the creation of a new data transfer accord between Japan, the US and the EU. Other nations will be able to join the common standards to the extent that they institute sufficient safeguards. The regulations will restrict the transfer of personal data to countries that do not have adequate privacy protections.

The discussion of the importance of creating privacy standards for the movement of data between countries as well as enabling international business has been among the reasoning set forth for the creation of a comprehensive federal privacy law in the United States. It appears too early to say what standards would be included in the US-EU-Japan discussions as this is the only report that we have seen – but it will be interesting to watch the progress in 2019 as the US separately considers a federal privacy law.
