EU GDPR and Japanese Act on the Protection of Personal Information: a strategic partnership

European Union General Data Protection Regulation (GDPR) is a complex set of rules aiming to regulate how businesses must handle information of data subject guaranteeing the highest level of protection and security. It is considered one of the world’s strongest guidance in data protection law since it is built on pillars[1] considered the expression of the widest principle of legality and transparency. We are referring to lawfulness, fairness and transparency, limitation of purpose, data subject rights[2], provision of Supervisory Authorities[3], accountability and many other rules with a significant impact in data processing scheme and procedures.

In particular, GDPR, has the primary purpose to give more control to data subjects over their personal data, providing an effective protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures[4].

A specific chapter is also dedicated to Cooperation[5]  in order to contribute to the consistent application of this Regulation throughout the Union [6] since one of the main purposes of the Regulation, is certainly to implement and apply the rules in a consistent manner avoiding different approaches and/or practices. Strictly related to this mechanism[7] is the GDPR Recital n.133 dedicated to the Mutual Assistance and Provisional Measures, that responds to the essential need of mutual collaboration between the national Supervisory Authorities (DPAs) to ensure a harmonized regulation in the internal market.

The above scenario briefly describes a legislation that aims to provide strong data protection standards without sacrificing the consistency of the rule’s application in the European area; this objective is also particularly clear considering the adoption of the regulation act instead of directive[8]. Therefore, while directive becomes enforceable only when transposed into national law, the regulation has binding legal force throughout every Member State, and it is immediately applicable overruling national laws.

Thus, with reasonable confidence, we can say that European Union has pursued the uniformity objective from the very beginning when, with Reg. (EU) 2016/679, repealed and replaced the Directive 95/46/CE no longer compliant with new digital and communication landscape[9].

An additional important aspect is the relationship between the globalization landscape and the new Data Privacy regulation, since is now more than ever crucial, to identify and develop compliance strategies combining economic and business purposes with the best practice of data processing. Therefore, the commercial and trade partnership with countries outside EEA area (hereinafter referred to as ‘third country’), cannot be limited by the above rules, while at the same time is mandatory to guarantee the highest level of protection to EU citizens and residents data handled by “extra territorial” organizations[10]. It is also needful to highlight that GDPR doesn’t provide a definition of “international personal data transfer” notwithstanding a whole chapter of the Regulation is dedicated to this transfer. However, by virtue of the legislative processes and the current jurisprudence interpretation[11], the international data transfer “can be understood as an action that enables an authority in a third country to access personal data originated in the EU”[12].

GDPR provides different tools to regulate the data transfer to a third country and the most effective is undoubtedly the Adequacy Decisions of the European Commission[13]. Based on article 45 of Regulation (EU) 2016/679, the European Commission has the power to decide if a third country or an international organization can guarantee an adequate level of protection. In this case, the transfer of personal data shall not require any specific authorization[14]. This exemption finds its reason in the enhanced assessment established by the Commission in order to issue the decision as per article 45 paragraph 2, considering the following aspects: (i)respect for human rights and fundamental freedoms, relevant legislation, professional rules and security measures, data subject rights or any other relevant consideration consistently with EU legislation and principles; (ii) existence of Supervisory Authorities responsible to ensure the personal data protection compliance; (iii)international commitment or legally binding convention with particular reference to data protection.

If the Commission, as result of the above assessment, declares the third country adequate, the transfer will be considered comparable to an intra-EU transmission. The importance of such decision is strategically evident: “virtuous” countries can access the global market and any growth opportunity in the European area, just demonstrating to be compliant with the GDPR standards.

The absence of an Adequacy Decision does not necessary involve the inability of transferring data if further measures of lawfulness of the processing are adopted (e.g. standard contractual clauses) to ensure the high level of protection required by EU standards.

By virtue of Article 45 GDPR, at the time of writing, the European Commission has adopted adequacy decisions on 12 countries [15] and, more recently, on Japan. In particular, on 23 January 2019, has been published the first equivalence decision under the Japanese Act on the Protection of Personal Information (APPI)[16] and it was a major achievement considering the legal and social differences between the two countries.

While adequacy decision doesn’t mean that now Japan and EU are completely aligned from a data protection law perspective, indeed, data transfer regulations can act as tools to connect different systems, thus opening the door to deep cooperation and trust.

Moreover, I think it is well worth to highlight that on February 2019, entered into force EU-Japan trade agreement [17] as well, with the aim to enforce the Economic Partnership between Europe and Japan through a strong trading cooperation. Through this agreement was sent the ambitious and powerful signal that two of the world’s biggest economies can cooperate and share values in order to access the global market without barriers or obstacles.

In the above scenario, the Adequacy Decision complements the Economic Partnership Agreement (EPA), since allows data to flow safely between the countries, permitting to create trade and business without renouncing to safety, compliance, fairness, and transparency of data processing. It was possible, thanks to the fruitful sharing of values such as human rights, democracy, global economy and principles that, by virtue of their  indisputable strength, are able to align such different cultures.

Japan Protection of Personal Information Act (the Act itself, “APPI”) was developed in 2003 and after some revisions, came into full effect on 30 May 2017. On 25 May 2018, the GDPR entered into force as well and on 23 January 2019, Japan became the first country in Asia to be granted adequacy status by the European Commission. In 2020 Personal Information Protection Commission (“PPC”), on delegation of Japanese legislators, made an important Amendment to APPI, bringing the Act closer to the EU’s General Data Protection Regulation provisions[18]. The 2020 Amendment is expected to be effective in 2022 and, in the meantime, the PPC issued some guidelines and rules[19] in order to be compliant with the revised APPI when it takes into effect.

GDPR and APPI have substantial similarities in particular regarding the sensitive information rules, the personal data definition as information that can be used to identify the subject, the extraterritorial scope, transparency, purpose limitation, lawful basis for data processing, and key rights of data subject. Nevertheless, there are also some differences. APPI only refers to business operators, without providing a distinction between data processor and data controller as the GDPR does; GDPR contains rules related to children while APPI does not; GDPR excludes aggregate/anonymized data by its application while they are under the APPI scope, and GDPR has provisions on how to obtain the consent from data subjects while APPI doesn’t consider this aspect.

Before the 2020 Amendment, the two regulations diverged in many other ways[20] even though the standards guaranteed by Japanese legislation were assessed, in any case, as adequate by the European Commission. However, the global increasing need of balancing between the utilization of data and the highest level of protection, has led to a regulation with ever greater similarities to EU law. Therefore, with the Amendment, was strengthened the entire system of data subjects rights with the provisions of new obligations such as: (i) mandatory reports of data breach through a formal notification to PPC (not by email as before)[21]; (ii) pseudonymization concept has been introduced[22]; (iii) extraterritorial application and cross-border data transfer[23] were finally regulated [24]; (iv) limitation on “Opt-Out” exemption for third-party transfer[25]was introduced; (vi) extension of rights of data subjects [26]; (vii) penalties increasing from a maximum fine of JPY 300,000 to JPY 100 million (approximately US$1 million) plus the publication of the applied sanction by PPC.

It is clear that, based on the above revisions, the recognition of Japanese Data Protection Regulation as adequate is more than ever consistent  with EU legislation and pillars.

The lowly aim of this article, to compare the Japanese Protection of Personal Information Act and European Union General Data Protection Regulation, finds its reason in the indisputable assumption that privacy is today more than a right. The same Art.8 of EU Charter of Fundamental Rights, provides that “Everyone has the right to the protection of personal data concerning him or her”[27]. In Japan, as long ago as 1964, privacy was endorsed in the “After the Banquet case” when the Tokyo District Court held that the “the right to privacy is recognized as the legal or protection or the right so as not to be disclosed of private life”[28] by virtue of section 709 of the Japanese Civil Code. In the last years we have seen the development of a new generation of data privacy protection concept, that actually is the main security tool for subjects, with particular attention to the processing in the global market. As commented by Cecilia Malmström, Commissioner for Trade at EU-Japan Summit on 17 July 2018 “those benefits go hand in hand with a commitment on both sides to uphold the highest standards for our workers, consumers and the environment”[29].

Thus, it is evident, that data privacy aspects are complementary to the commercial landscape and the EU-Japan trade agreement is the perfect evidence of this connection: considering that Japan is a long-standing strategic Partner for Europe, this commercial agreement allowed to strength dialogue and business engagement between the two economic areas. However, without the negotiation of a reciprocal Adequacy Decision from a Data Privacy Law perspective, this ambitious purpose was doomed to fail. Consistently with this, EPA provides that “this Agreement contributes to enhancing consumer welfare through policies ensuring a high level of consumer protection and economic well-being”, so that the Adequacy Decision was absolutely crucial to ensure the success. As a result of this compliance with the EU standards, data can now safely flow between the two “dimensions” promoting business and creating the world’s largest area of data exchange under the bridge of a significant cooperation[30].

In conclusion and given the background as noted above, this EU-Japan strategic partnership is one of the most important legal and commercial alliance ever concluded, so that we don’t expect nothing less than a gold standard “relationship” in terms of data protection implementation, market access and economy growth based on significant common values and fundamental principles.

NOTES AND REFERENCES

[1] Chapter 2 GDPR

[2] Chapter 3 GDPR

[3] Chapter 6 GDPR

[4] Art.5 paragraph 1 (f) GDPR

[5] Chapter 7 GDPR

[6] Art. 63 GDPR

[7] Also known as Consistency mechanism as per Art. 63 GDPR

[8] The Regulation (EU) 2016/679 replaces and repeals the EU Data Protection Directive 95/46/CE

[9] Tikkinen-Piri,2018, EU General Data Protection Regulation: Changes and implications for personal data collecting companies

[10] Art. 3 GDPR is entirely related to the territorial scope of the law

[11] CJEU. See Case C‑362/14

[12] Laura Drechsler, Wanted: LED adequacy decisions How the absence of any LED adequacy decision is hurting the protection of fundamental rights in a law enforcement context, International Data Privacy Law, 2021;, ipaa019, https://doi.org/10.1093/idpl/ipaa019

[13] For further information: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

[14] Art. 45 GDPR

[15] Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay while South Korea is still in adequacy talks with the Commission. Source: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en

[16] For further information: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32019D0419&from=EN

[17] For further information: https://ec.europa.eu/commission/presscorner/detail/en/IP_18_6749

[18] Noriya Ishikawa, Yujin Suga and Mitsuhiro Yoshimura, The 2020 Amendment to the Act on the Protection of Personal Information of Japan, Lexology.

[19] For further information: https://www.ppc.go.jp/en/

[20] For example: APPI didn’t address pseudonymization process, cross borders transfers or opt-in permissions.

[21] The Amendment Act will require businesses to report to the PPC and notify data subjects when there is a security breach that may materially interfere with an individual’s personal rights

[22] As per PPC guidelines, “Pseudonymously Processed Information” are Information which has been processed from personal information in a manner that the data subject can no longer be identified solely from the data.

[23] The Amendment now provides that also foreign companies may be subject to the entire APPI

[24] Must now provide reports concerning the processing of Japanese residents’ personal information Violation of the orders may lead to the imposition of fines

[25] Now if data has already been transferred on an opt-out basis, it cannot now be transferred to a third party without permission

[26] While as per current APPI data subjects have the right to request that businesses stop use of or delete personal data in limited cases, Amendment act expands the right under a wider scope. PPC will issue regulation to clarify these rights extension

[27] Art. 8 paragraph 1 EU Charter of Fundamental Rights

[28] Judgment of Tokyo District Court, 28 September 1964, Hanrei-jiho vol. 385, p. 12.

[29] For further information: https://ec.europa.eu/cyprus/news/20181212_2_en

[30] Pedro Silva Pereira,2019, The EU-Japan Economic Partnership Agreement from the European Parliament’s Perspective: A Landmark Agreement beyond Trade

The following two tabs change content below.

• Bio
• Latest Posts

Roberta Sole

Roberta Sole, with a Bachelor Degree in Law achieved with honors, and a Master Degree in Law , is a Legal Specialist specifically engaged in the Medical Device industry and clinical field. She focuses her activities on Clinical Legal & Compliance, International Data Privacy Regulations, Regulatory and Corporate liability. In addition to an extensive legal education, she improved her expertise obtaining professional Certifications and recognitions. She also achieved a Bachelor Degree in General Common Law System from the New South Wales University of Sydney. Languages: Italian, English and Spanish.

Latest posts by Roberta Sole (see all)

• Accuracy principle: AI act, GDPR and MDR interplay - 5 April 2024
• New China Personal Information Protection Law (PIPL) and international business challenges - 12 December 2021
• EU Medical Device Regulation and EU General Data Protection Regulation intersection - 29 September 2021