Data Protection – Significant developments on adequacy findings between Japan and Europe
On 25 April 2018, Japan’s authority responsible for privacy issues published draft guidelines relating to adequacy for international personal data transfers from Japan (“Guidelines”).
If the Guidelines come into force in their current form, they will allow for personal data to be transferred from Japan to the EEA (which includes the EU, Iceland, Liechtenstein and Norway) without measures such as specific data subject consent or special contractual clauses. These Guidelines are a result of mutual adequacy findings between the EU and Japan that are recognized under the EU General Data Protection Rules (“GDPR”) and Japan’s Act on the Protection of Personal Information (“APPI”).
The Guidelines will be subject to public comment until 25 May 2018 and are expected to take effect within the first half of this year.
While the data protection regime under Japan’s APPI has a number of similarities with the GDPR, there are many inconsistencies. The Guidelines are drafted to ensure that personal information transferred from the EU receives a higher level of protection than is required under the APPI. For example:
1. Sensitive Data
The Guidelines require a business operator to recognize a data subject’s sex life, sexual orientation and trade union membership as special categories of personal data.
2. Confirmation and Record Keeping
Under the APPI, a business operator needs to confirm and record certain particulars relating to personal data that is received from, or provided to, third parties including how the personal data was obtained and how it is retained. The Guidelines state that the business operator must also confirm and record the purpose of use of the personal data.
3. Cross-border Transfer of Personal Data
Where a business operator transfers personal data transferred from the EU to a third party located outside Japan, the business operator is generally required to obtain data subjects’ consent with information about the ultimate data recipient so that the EU data subjects can determine whether or not they should consent (unless any of the exceptions to the general consent rules apply).
4. Anonymized Data
The Guidelines require that data which is to be treated as “anonymized personal data” be in a format from which no one can restore the original personal information.
What is interesting is that, with such additional requirements for transfer of personal data from the EU to Japan under this new adequacy regime, although the EU standard clause contracts may not be required, some form of contractual obligations will still need to be imposed upon the recipients of the personal data in Japan relying upon the regime.