Document 52023DC0275

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL on the first review of the functioning of the adequacy decision for Japan

COM/2023/275 final

Brussels, 3.4.2023

COM(2023) 275 final

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

on the first review of the functioning of the adequacy decision for Japan

{SWD(2023) 75 final}



1. THE FIRST REVIEW – BACKGROUND, PREPARATION AND PROCESS

On 23 January 2019, the European Commission adopted a decision pursuant to Article 45 of Regulation (EU) 2016/679 (GDPR) 1  in which it found that Japan ensures an adequate level of protection for personal data transferred from the European Union to businesses handling personal information 2 in Japan 3 . As a result, data transfers from the EU to private operators in Japan can take place without additional requirements 4 . 

The Commission’s adequacy decision covers the Japanese Act on the Protection of Personal Information (APPI), as complemented by Supplementary Rules that were put in place to bridge certain relevant differences between the APPI and the GDPR 5 . These additional safeguards strengthen, for example, the protection of sensitive data (by enlarging the categories of personal information considered sensitive data), the exercise of individual rights (by clarifying that individual rights may also be exercised for personal data held for a shorter period than six months, which at the time was not the case under the APPI) 6  and the conditions under which EU data can be further (onward) transferred from Japan to another third country 7 . The Supplementary Rules are binding on Japanese operators and can be enforced by the independent data protection authority – the Personal Information Protection Commission (PPC) or, directly by EU individuals, in the Japanese courts 8 .

The Japanese government furthermore provided official representations, assurances and commitments to the Commission regarding the limitations and safeguards as regards access to, and use of, personal data by Japanese public authorities for criminal law enforcement and national security purposes, clarifying that any such processing is limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms 9 . The redress mechanisms in this area include a specific dispute resolution procedure administered and supervised by the PPC that was created for EU individuals whose personal data is transferred based on the adequacy decision 10 . 

At the time of the adoption of the Commission’s adequacy decision, Japan adopted an equivalent decision for data transfers to the EU, which created the world’s largest area of free data flows based on a high level of data protection 11 . These mutual adequacy decisions complement and amplify the benefits of the EU-Japan Economic Partnership Agreement (EPA), that entered into force in February 2019 12 , and the Strategic Partnership Agreement 13 that was negotiated alongside the EPA. Companies on both sides benefit from the synergy between the mutual adequacy decisions and the EPA, since the possibility for data to flow freely between the EU and Japan further facilitates commercial exchanges and creates sizeable business opportunities through privileged access to each other’s market. It also sets an important precedent by clearly showing that, in the digital era, promoting high privacy standards and facilitating international trade can and must go hand in hand.

Since the adoption of the adequacy decisions, the EU and Japan have, as like-minded partners, further intensified their cooperation on digital matters, in general, and data flows, in particular. At bilateral level, this is reflected notably in the conclusion of the Digital Partnership in May 2022 14 and the launch in October 2022 of negotiations to include disciplines on cross-border data flows in the EPA 15 , which will further enhance the synergy with the mutual adequacy arrangement. At multilateral level, the EU and Japan have joined efforts to promote, strengthen and operationalise the concept of “Data Free Flow with Trust” – launched by late Prime Minister Shinzo Abe – including through close collaboration in the framework of the G7, the World Trade Organisation (in the context of the Joint Statement Initiative on e-commerce) and the Organisation for Economic Co-operation and Development (OECD). At the OECD, the intense cooperation between the EU and Japan on these matters was, in particular, instrumental to the adoption, for the first time ever at international level, of common principles on government access to personal data held by the private sector 16 . These different workstreams all relied, to a larger or lesser extent, on the shared values and requirements underpinning the EU-Japan mutual adequacy arrangement.

To regularly verify that the findings in the adequacy decision continue to be factually and legally justified, the Commission is required to carry out a periodic review and report on the outcome to the European Parliament and the Council 17 . This report, which covers all aspects of the functioning of the decision, concludes the first periodic review. On the Japanese side, representatives of the PPC, the Ministry of Internal Affairs and Communications, the Ministry of Justice, the Ministry of Defence and the National Police Agency participated in the review. The EU delegation included three representatives designated by the EDPB, alongside members of the European Commission. 

A review meeting between the two delegations took place on 26 October 2021, which was preceded and followed up by numerous exchanges. In particular, to prepare the review, the Commission gathered information from the Japanese authorities on the functioning of the decision, in particular the implementation of the Supplementary Rules. The Commission also sought information from public sources and local experts on the functioning of the decision and relevant developments in Japanese law and practice, both as regards the data protection rules applicable to private operators and with respect to government access. Further to the review meeting, the Commission and the PPC had several exchanges to follow up on points that were discussed at that meeting and, in particular, address the questions raised by the introduction in the APPI of rules on pseudonymized personal information.

2. MAIN FINDINGS

The detailed findings concerning the functioning of all aspects of the adequacy decision are presented in the Commission Staff Working Document (SWD(2023) 75) which accompanies the present report.

In particular, the first review has demonstrated that the EU and Japanese data protection frameworks have further converged since the adoption of the mutual adequacy decisions. The APPI was amended on two occasions: on 5 June 2020, through the Amendment Act of the Act on the Protection of Personal Information of 2020 (2020 APPI amendment) that entered into force on 1 April 2022 18 ; and on 12 May 2021, through the Act on the Arrangement of Related Acts for the Formation of a Digital Society (2021 APPI amendment) 19 . The Supplementary Rules were adapted to reflect these amendments, in consultation with the Commission.

These amendments have brought the EU and Japanese systems even closer, in particular by strengthening data security obligations (through the introduction of a duty to notify data breaches), data subject rights (in particular the right of access and the right to object) and the protections afforded in case of data transfers (in the form of additional information and monitoring requirements, including information about possible risks relating to government access in the country of destination). In this context, it is particularly noteworthy that some of the additional safeguards provided under the Supplementary Rules for personal data coming from the EU, i.e. as regards data retention and the conditions for informed consent for cross-border transfers, have been incorporated into the APPI, thereby making them generally applicable to all personal data, irrespective of their origin or point of collection 20 .

Another key development that the Commission welcomes is the transformation of the APPI into a comprehensive data protection framework covering both the private and public sector, subject to the exclusive supervision of the PPC 21 . This further strengthening of the Japanese data protection framework and of the powers of the PPC may pave the way for an extension of the adequacy decision beyond commercial exchanges, to cover transfers currently excluded from its scope, such as in the area of regulatory cooperation and research.

The first review also focused on new rules on the creation and use of “pseudonymized personal information”, which were introduced by the 2020 APPI amendment 22 . The aim of these new rules is essentially to facilitate the (internal) use of personal information by businesses handling personal information essentially for statistical purposes (e.g. to identify trends and patterns with a view to benefit further activities, including research). The review meeting and subsequent exchanges between the Commission and the PPC made it possible to clarify the interpretation and application of these new provisions. As a result of these discussions, with a view to more clearly reflect the intended application of these new provisions and thus to ensure legal certainty and transparency, the Supplementary Rules were amended on 15 March 2023 in two ways 23 . First, the Supplementary Rules stipulate that such information may only be used for statistical purposes – defined as processing for statistical surveys or the production of statistical results – to produce aggregate data, and that the result of the processing will not be used in support of measures or decisions regarding any particular individual. Second, they make clear that pseudonymized personal information originally received from the EU will always be considered as “personal information” under the APPI, to ensure that the continuity of protection of data considered as personal data under the GDPR is not undermined when transferred on the basis of the adequacy decision 24 .

With respect to the implementation of data protection safeguards in practice, the Commission welcomes different steps taken by the PPC. This includes the adoption of updated guidelines, including on international data transfers. The Commission notes that these guidelines could be clarified to also address the specific requirements applying under the Supplementary Rules to onward transfers from Japan of personal data received from the Union, including – as follows from Supplementary Rule (4) and explained in the adequacy decision 25 – the exclusion of onward transfers based on the APEC Cross Border Privacy Rules (CBPR) certification scheme. In addition, although the PPC has explained that PIHBOs frame their onward transfers of data originally received from the EU “by concluding a contract that binds the recipient to measures ensuring the continuity of protection”, the PPC currently does not provide guidance on the recommended content (in terms of safeguards) of ‘equivalent measures’ used for international data transfers, be it in the form of guidelines or model data protection contracts. These further clarifications, that could notably be based on the exchange of information and best practices between the PPC and the Commission, could be particularly useful as they concern aspects that are particularly relevant to companies operating in both jurisdictions.

As regards oversight and enforcement, the Commission notes that the PPC has made more use of its non-coercive powers of guidance and advice (Article 147 APPI) than of its coercive powers (e.g. to impose binding orders, Article 148 APPI) in the period following the adoption of the adequacy decision. The PPC also reported that to date, no complaints concerning compliance with the Supplementary Rules have been received, and no investigations into such issues have been conducted on the PPC’s own initiative. During the review meeting, however, the PPC announced that it is considering conducting, on its own initiative, random checks to ensure compliance with the Supplementary Rules. The Commission welcomes this announcement, as it considers that such random checks would be very important to ensure that (possible) violations of the Supplementary Rules are prevented, detected and addressed, thereby ensuring effective compliance with these rules. As the 2020 and 2021 amendments of the APPI have strengthened the PPC’s oversight powers, these random checks could be part of an overall effort to increase the use of such powers.

Finally, the Commission very much welcomes the establishment of dedicated contact points for EU individuals who have questions or concerns about the processing of their personal data in Japan, be it by commercial operators (Inquiry Line) or public authorities (Complaint Mediation Line). At the same time, it notes that the webpage on the Inquiry Line states that it is available in “Japanese only”, which is likely to dissuade EU individuals from making use of this facility, even though it was explained by the PPC that English language assistance is in principle available. The Commission understands that the PPC will consider ways to facilitate the accessibility of such contact points for Europeans, including by clarifying that point.

3. CONCLUSION

Based on the overall findings made as part of this first review, the Commission concludes that Japan continues to ensure an adequate level of protection for personal data from the European Union to personal information handling business operators in Japan subject to the APPI as complemented by the Supplementary Rules, together with the official representations, assurances and commitments contained in Annex II of the decision. In this context, the Commission services recognise and very much value the excellent cooperation, in the conduct of the review, with the Japanese authorities and, in particular, the PPC.

In the light of this outcome of the review and in line with recital 181 of the adequacy decision, the Commission considers that there is no need to maintain the two-year cycle for future reviews and therefore considers that it is appropriate to move to a four-year cycle pursuant to Article 45(3) of the GDPR. It will accordingly consult on this point the Committee established under Article 93(1) of the GDPR 26 .

At the same time, the strengthening of certain aspects of the Japanese framework could contribute to further enhancing the safeguards set out in the APPI and the Supplementary Rules. To this end, the Commission makes the following recommendations:

1. The Commission welcomes and further encourages the envisaged use by the PPC of random checks to ensure compliance with the Supplementary Rules. It considers that such random checks would be very important to ensure that (potential) violations of the Supplementary Rules are detected and addressed, thereby ensuring effective compliance with these rules.

2. The Commission welcomes the fact that the PPC has published updated guidelines on international transfers, as they will increase the accessibility of the APPI rules on this topic and make these rules more user-friendly. These guidelines (or other guidance material) should also, where relevant, explain the specific requirements following from the Supplementary Rules, including as regards the exclusion of the APEC CBPR System certification scheme for onward transfers of personal data originally received from the EU.

3. During the review it was discussed how the PPC’s Inquiry/Mediation Line for questions and complaints from individuals could be made more accessible to foreigners. In this context it would be important to clarify on the dedicated website that English language assistance is in principle available.

The review also made it possible to identify areas for possible future cooperation. As indicated, the PPC currently does not provide guidance on the recommended content (in terms of safeguards) of ‘equivalent measures’ used for international data transfers, be it in the form of guidelines or model data protection contracts. Given the growing importance of model clauses and their potential as a global tool for data transfers, as recognised for instance by the G7 27 and the OECD 28 , the Commission has indicated its interest in future cooperation with Japan in the development of such clauses. The extension of the scope of the adequacy decision beyond transfers between commercial operators is another area that the Commission intends to explore with the PPC.

The Commission will continue to closely monitor the Japanese data protection framework and actual practice. In this regard, it looks forward to future exchanges with the Japanese authorities on developments relevant to the decision 29 , as well as to further strengthening cooperation at international level at a time where there is an increasing demand for global standards on privacy and data flows.

(1)      OJ L 119, 4.5.2016, p. 1 (GDPR).
(2)    In the version of the APPI that applied at the time of the adoption of the adequacy decision, this notion was referred to as “personal information handling business operator” (PIHBO). A business handling personal information is defined in Article 16(2) of the amended APPI as “a person that uses a personal information database or the equivalent for business”, with the exclusion of the government and administrative agencies at both central and local level. The notion of “business” under the APPI is very broad and includes not only for-profit but also not-for-profit activities by all kinds of organisations and individuals. Moreover, “use for business” also covers personal information that is not used in the operator’s (external) commercial relationships, but internally, for instance the processing of employee data. See recitals 32-34 of the decision.
(3)      Commission Implementing Decision (EU) 2019/419 of 23 January 2019 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by Japan under the Act on the Protection of Personal Information, OJ L 76, 19.3.2019, p. 1.
(4)      See Article 45 GDPR and recital 5 of the decision.
(5)      See Annex I of the decision.
(6)      In the meantime, the 2020 APPI amendment has revised the definition of “personal data the business holds” so that it no longer excludes those personal data that are “set to be deleted” within a period of six months (Article 16(4) of the amended APPI). In the version of the APPI that applied at the time of the adoption of the adequacy decision, this notion was referred to as “retained personal data”.
(7)      Recitals 26, 31, 43, 49-51, 63, 68, 71, 76-79, 101 of the decision.
(8)      Recital 15 of the decision.
(9)      Recitals 113-170 and Annex II of the decision.
(10)      Recitals 141-144, 149, 169 of the decision.
(11)  See the press release issued after the conclusion of these talks, available at: https://ec.europa.eu/commission/presscorner/detail/en/IP_18_4501
(12)      Council Decision (EU) 2018/1907 of 20 December 2018 on the conclusion of the Agreement between the European Union and Japan for an Economic Partnership, OJ L 330, 27.12.2018, p. 1–2. The EPA reduces trade barriers that European firms face when exporting to Japan and helps them to better compete in this market.
(13)      Strategic Partnership Agreement between the European Union and its Member States, of the one part, and Japan, of the other part, OJ L 216, 24.8.2018, p. 4–22 (SPA). The SPA provides the legal framework to further develop the already longstanding and strong partnership between the Union, its Member States and Japan in a broad range of areas, including political dialogue, energy, transport, human rights, education, science and technology, justice, asylum, and migration.
(14)      Available at: https://www.consilium.europa.eu/media/56091/%E6%9C%80%E7%B5%82%E7%89%88-jp-eu-digital-partnership-clean-final-docx.pdf . The Digital Partnership creates a forum that will give political steer and impetus for joint work on digital technologies in areas such as secure 5G, “Beyond 5G”/6G technologies, safe and ethical applications of artificial intelligence, or the resilience of global supply chains in the semiconductor industry.
(15)      See e.g. https://policy.trade.ec.europa.eu/news/eu-and-japan-start-negotiations-include-rules-cross-border-data-flows-their-economic-partnership-2022-10-07_en .
(16)      OECD Declaration on Government Access to Personal Data Held by Private Sector Entities of 14 December 2022.
(17)      Recitals 180-183 and Article 3(4) of the decision.
(18)      An English translation is available at: https://www.ppc.go.jp/files/pdf/APPI_english.pdf  
(19)      An English translation is available at:  https://www.japaneselawtranslation.go.jp/ja/laws/view/4241 .
(20)       Article 16(4) and 28(2) of the amended APPI.
(21)      In particular, the 2021 APPI amendment consolidates the APPI, the Act on the Protection of Personal Information Held by Administrative Organs, and the Act on the Protection of Personal Information Held by incorporated Administrative Agencies, etc. into one single data protection law that applies both to private entities and public authorities, while expanding the jurisdiction of the PPC accordingly. This amendment entered into force on 1 April 2023, after parts of it entered into force on 1 September 2021 and 1 April 2022.
(22)      Pseudonymized personal information is defined in the amended APPI as information relating to an individual that can be “prepared in a way that makes it not possible to identify a specific individual unless collated with other information” through measures set out in the Act and specified in the Enforcement Rules. See Article 16(5) and 41 of the amended APPI.
(23)      The revised Supplementary Rules were adopted by the PPC on 15 March 2023 and entered into force on 1 April 2023.
(24)      This excludes the application of Article 42 of the amended APPI which only preserves a limited number of safeguards for pseudonymized personal information not considered as personal information. 
(25)      See Recital 79 of the decision.
(26)      See Recital 181 of the decision.
(27)      See the Ministerial Declaration of the G7 Digital Ministers' meeting on 11 May 2022, Annex 1 (G7 Action Plan Promoting Data Free Flow with Trust) which, under the heading of “Building on commonalities in order to foster future interoperability” refers to the “increasingly common practices such as standard contractual clauses”.
(28)      See OECD Going Digital Toolkit, “Interoperability of privacy and data protection frameworks” (available at: https://goingdigital.oecd.org/data/notes/No21_ToolkitNote_PrivacyDataInteroperability.pdf ), p. 18.
(29)      See Recital 177 of the decision, according to which the Japanese authorities are expected to inform the Commission of material developments relevant to this decision, both as regards the processing of personal data by business operators and the limitations and safeguards applicable to access to personal data by public authorities.