EU-Japan Data Flows

King & Spalding

On September 5, 2018, the European Commission (“EC”) published its draft decision on whether Japan’s 2003 Act on the Protection of Personal Information (“APPI”) provides protection equivalent to the protection of personal data guaranteed by the General Data Protection Regulation (“GDPR”). The EC found that the APPI ensures an adequate level of protection for personal data transferred to organizations falling within its scope, subject to certain conditions. Japan is going through a similar process to recognize the EU’s data protection framework.

Under the EU legal framework, companies may transfer personal data outside the European Economic Area (“EEA”), which includes the countries within the EU and a handful of other countries, including Norway and Iceland, only where specific safeguards are met to ensure that the EU’s levels of data protection travel with the data. GDPR offers various mechanisms to transfer data to countries outside the EEA (“third countries”) such as the U.S., including adequacy decisions, standard contractual clauses and binding corporate rules. In adopting an adequacy decision, the EC has the authority to determine whether a third country offers an adequate level of data protection by virtue of domestic regulation or agreement with international standards. The effect of such a decision is that personal data can flow from the EEA to that third country without any further safeguards in place, so that personal data transferred out of the EEA will be subject to the same restrictions and conditions as intra-EU transmissions of data. The EC has so far recognized Canada, New Zealand and Switzerland (amongst other countries) as providing adequate protection and has agreed that data transfers can take place to the U.S. under the ambit of the Privacy Shield framework.

The EC’s draft adequacy decision describes the EC’s finding that Japan ensures an adequate level of protection for personal data transferred from the EU to businesses that are subject to the APPI, so long as Japan meets the conditions laid out in the Supplementary Rules (Annex I) adopted by Japan’s independent data protection authority, the Personal Information Protection Commission (“PPC”). Further, the official representations, assurances and commitments contained in Annex II, which the Japanese government made to the EC, must also be met as conditions. The EC considers that the APPI, as complemented by the Supplementary Rules contained in Annex I, together with the official representations, assurances and commitments contained in Annex II, ensures a level of protection of personal data that is essentially equivalent to that guaranteed by GDPR.

Japan has committed to implementing these additional safeguards to protect personal data transferred to Japan before the EC formally adopts its adequacy decision. These safeguards will strengthen the protection of sensitive data, the conditions under which EU data can be subsequently transferred from Japan to another country and the exercise of individual rights of access and rectification. The Supplementary Rules and Japan’s commitments will be binding on Japanese companies importing data from the EU and enforceable by Japan’s PPC and Japanese courts.

The draft adequacy decision is now subject to an opinion from the European Data Protection Board (“EDPB”), which represents EU national data protection authorities, and must then be approved by a committee composed of representatives of EU Member States. The EC expects this process to be completed by the end of the year.

When the adequacy decision is finally adopted, it will be legal for businesses subject to GDPR to transfer personal data from the EU to Japan without putting additional legal safeguards in place.
