On April 4, 2023, the European Commission announced that the EU and Japan had successfully completed the first periodic review of the Japan-EU mutual adequacy arrangement, adopted in 2019.  The mutual adequacy recognition – whereby Japan and the EU each have recognized the other’s data protection regime as adequate to protect personal data – complements the regions’ other bilateral partnerships, such as the EU-Japan Economic Partnership Agreement, the Strategic Partnership Agreement, and the recently launched EU-Japan Digital Partnership (see our previous blogpost here).

The review process led to the adoption of two reports by the Commission and the Personal Information Protection Commission of Japan (“PPC”), each discussing the functioning of their respective adequacy decisions.  According to the Commission’s report, the convergence between the EU and Japan’s data protection frameworks has further increased in recent years, and the mutual adequacy arrangement appears to be functioning well.  We provide below a brief overview of the Commission’s main findings.

Developments in the Japanese framework.  The Commission notes that, since the adoption of its adequacy decision in 2019, the Japanese Act on the Protection of Personal Information (“APPI”), and its Supplementary Rules, have been amended twice.  The amendments include, among other things, strengthened data security obligations (e.g., a requirement to notify data breaches) and data subject rights, additional safeguards for data transfers (such as information and monitoring requirements), and new rules on the creation and use of “pseudonymized personal information”. 

The Commission considers that Japan has established a comprehensive data protection framework covering both the private and public sector.

Powers of the PPC.  The Commission welcomes the PPC’s release of updated guidelines, particularly on data transfers, and encourages the release of further clarifications.  Additionally, it supports the PPC’s initiative to conduct random checks to verify and ensure compliance with the Supplementary Rules.

Contact points for EU individuals.  The Commission welcomes the establishment of dedicated contact points for EU individuals who have questions or concerns about the processing of their personal data in Japan, by either commercial operators (“Inquiry Line”), or public authorities (“Complaint Mediation Line”).  However, it recommends that Japanese authorities clarify the availability of assistance in English for foreigners.

Further cooperation.  The Commission is interested in cooperating with Japan to develop model data protection clauses, given their growing importance and potential as global data transfer tools.  Moreover, it intends to explore the possibility of extending the adequacy decision’s scope beyond just commercial transfers, to include, for instance, transfers in the area of regulatory cooperation and research.

Review frequency.  In light of the first review’s positive outcome, the Commission finds that future reviews may take place every four years, instead of the originally agreed two-year periodicity of the reviews.

***

Covington regularly advises companies on all aspects of their international transfers.  Our Privacy & Cyber regulatory team is happy to assist with any inquiries relating to the Japan-EU mutual adequacy arrangement and other international transfer mechanisms.

Photo of Dan Cooper Dan Cooper

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing…

Daniel Cooper is co-chair of Covington’s Data Privacy and Cyber Security Practice, and advises clients on information technology regulatory and policy issues, particularly data protection, consumer protection, AI, and data security matters. He has over 20 years of experience in the field, representing clients in regulatory proceedings before privacy authorities in Europe and counseling them on their global compliance and government affairs strategies. Dan regularly lectures on the topic, and was instrumental in drafting the privacy standards applied in professional sport.

According to Chambers UK, his “level of expertise is second to none, but it’s also equally paired with a keen understanding of our business and direction.” It was noted that “he is very good at calibrating and helping to gauge risk.”

Dan is qualified to practice law in the United States, the United Kingdom, Ireland and Belgium. He has also been appointed to the advisory and expert boards of privacy NGOs and agencies, such as Privacy International and the European security agency, ENISA.

Photo of Laura Somaini Laura Somaini

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules…

Laura Somaini is an associate in the Data Privacy and Cybersecurity Practice Group.

Laura advises clients on EU data protection, e-privacy and technology law, including on Italian requirements. She regularly assists clients in relation to GDPR compliance, international data transfers, direct marketing rules as well as data protection contracts and policies.