Japan’s data protection framework is not yet adequate, say EU legislators
Two key European Union bodies have told the European Commission that they will not approve its draft adequacy decision on the protection of personal data afforded by Japan until their concerns are addressed.
In an opinion adopted on 5 December 2018 and released on 14 December, the European Data Protection Board (“EDPB”) — the group composed of EU national data protection regulators — stated that “a number of concerns, coupled with the need for further clarifications, remain” with regard to the draft adequacy decision and Japan’s data protection framework. The European Parliament also called for clarifications in a resolution adopted by members of parliament (“MEPs”) on 12 December, by 516 votes to 26.
The Commission’s proposed adequacy decision, first tabled in January 2017, would create the world’s largest area of free data flows. It is being developed in parallel with a wide-ranging trade agreement between the EU and Japan, which will enter into force on 1 February 2019.
An adequacy finding is a decision taken by the Commission establishing that a third (i.e., non-EU) country provides a comparable level of protection of personal data to that in the EU. The result of such a decision is that personal data can flow from the EU to that third country without further safeguards being necessary. To date, the Commission has recognised 12 countries — including the U.S. for transfers made under the EU-U.S. Privacy Shield Framework — as providing adequate protection. The adoption procedure for Japan’s adequacy decision was launched on 5 September 2018; adequacy talks are also ongoing with South Korea, albeit at a less advanced stage.
EDPB clarifications and concerns
The EDPB welcomed the efforts made by the Commission and the Japanese independent supervisory authority, the Personal Information Protection Commission (“PPC”), to align key areas between the EU General Data Protection Regulation (“GDPR”) and the Japanese data protection framework on core provisions such as data accuracy and minimisation, storage and purpose limitation, data security and the activities of the PPC. It also praised the PPC for adopting Supplementary Rules to fill the gaps between the GDPR and the Japanese framework to ensure it offers a comparable level of protection to that provided by EU law. Nevertheless, the EDPB highlighted several aspects of the draft decision that require further clarification, or for which concerns still remain.
- The lack of clarity around the status of the “trustee” — a term which is similar to the “data processor” concept under the GDPR but whose ability to determine and change the purposes and means of processing (i.e., akin to a data controller) remains ambiguous.
- The fact that Japanese law allows retention of information relating to the origin of the data for a maximum of three years. According to the EDPB, the Commission should monitor the protection of personal data transferred from the EU to Japan throughout the life cycle of the processing.
- The need for assurances on whether restrictions to the rights of individuals (in particular, rights of access, rectification and objection) are necessary and proportionate in a democratic society and respect the essence of fundamental rights.
- Onward transfers of personal data may occur to third countries that later become subject to a Japanese adequacy decision — but those countries may not have been the subject of a previous assessment or adequacy finding by the Commission.
- The use of consent for data processing and transfers plays a central role in the Japanese legal system — but unlike the GDPR, consent is not defined in a way to include the right to withdraw.
- The Japanese redress system may not be accessible for EU-based individuals, given that the PPC offers support via a helpline and in Japanese only.
The EDPB recommended that the Commission address its concerns and requests for clarification and provide further evidence and explanations of the issued raised in its Opinion. In addition, it advised that the Commission conduct a review of its adequacy finding at least every two years rather than every four years, as is proposed under the draft decision.
MEP clarifications and concerns
MEPs stated that the Japanese and EU data protection systems “share a high degree of convergence”, particularly around safeguards, individual rights, and oversight and enforcement mechanisms. However, they also highlighted several aspects of the draft decision that require further clarification, or for which concerns remain.
- Regarding the fact that the Japanese law definition of “personal data” (i) includes a harm threshold, and (ii) excludes the situation where personal data can be used to single out an individual.
- Given the lack of specific provisions in Japanese law, in-depth clarifications are required in relation to direct marketing in order to demonstrate an equivalent level of personal data protection for such processing.
- Japanese law and PPC guidance do not contain provisions on automated decision-making and profiling, whilst the applicable sectoral rules do not provide a comprehensive framework offering strong protections against such processing.
- The use of indiscriminate mass surveillance by the Japanese Directorate for Signals Intelligence, to which the draft decision does not refer and which may not satisfy the criteria established by the European Court of Justice in Schrems (in which it invalidated the Safe Harbor framework due to concerns over the National Security Agency’s mass surveillance activities).
The fact that the EDPB and MEPs are flagging areas of concern during the final stages of a lengthy process demonstrates that EU adequacy decisions are not taken lightly — and rightly so, given that the protection of millions of individuals’ personal data is potentially at stake. Moreover, the EDPB’s opinion specifically refers to the fact that, as the first post-GDPR adequacy decision, the Japanese text and approach will represent a precedent for future adequacy applications, as well as for the review of existing decisions.