Japan’s data protection framework is not yet adequate, say EU legislators
Two key European Union bodies have told the European Commission that they will not approve its draft adequacy decision on the protection of personal data afforded by Japan until their concerns are addressed.
In an opinion adopted on 5 December 2018 and released on 14 December, the European Data Protection Board (“EDPB”) — the group composed of EU national data protection regulators — stated that “a number of concerns, coupled with the need for further clarifications, remain” with regard to the draft adequacy decision and Japan’s data protection framework. The European Parliament also called for clarifications in a resolution adopted by members of parliament (“MEPs”) on 12 December, by 516 votes to 26.
The Commission’s proposed adequacy decision, first tabled in January 2017, would create the world’s largest area of free data flows. It is being developed in parallel with a wide-ranging trade agreement between the EU and Japan, which will enter into force on 1 February 2019.
An adequacy finding is a decision taken by the Commission establishing that a third (i.e., non-EU) country provides a comparable level of protection of personal data to that in the EU. The result of such a decision is that personal data can flow from the EU to that third country without further safeguards being necessary. To date, the Commission has recognised 12 countries — including the U.S. for transfers made under the EU-U.S. Privacy Shield Framework — as providing adequate protection. The adoption procedure for Japan’s adequacy decision was launched on 5 September 2018; adequacy talks are also ongoing with South Korea, albeit at a less advanced stage.