EU Decision Introduces New Protection Framework on EU–Japan Data Transfers

Motonori Araki, Dr. Axel Spies
Morgan Lewis
Contact
LinkedIn
Facebook
X
Send
Embed

Morgan Lewis

The European Union (EU) has adopted an adequacy framework for the transfer of personal data between Japan and the European Union. This framework is a mutual arrangement that applies to both sides as of January 23, 2019.

Below is a brief summary of the new framework:

  • Whenever personal data is transferred from the EU to Japan, the same guarantees as those under EU law (e.g., an individual’s right to request access to his/her personal data) will continue to apply.
  • Note that the framework contains specific rules on the transfer of sensitive data (Art. 9 of the European General Data Protection Regulation, or GDPR. This includes health data). Under Japanese data protection law, these data sets are called “special care-required personal information" as defined in Article 2(3) of the APPI. That provision refers to "personal information comprising a principal's race, creed, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions etc. prescribed by Cabinet Order as those of which the handling requires special care so as not to cause unfair discrimination, prejudice or other disadvantages to the principal." For any of these data sets, including a trade-union membership (Art. 9, GDPR), specific consent requirements and exceptions apply.
  • This framework will only impact direct data flows from the EU to Japan. For EU personal data transferred to the United States first under the Privacy Shield and then passed on to Japan, an onward transfer agreement may be needed.
  • In Japan, the independent data protection authority (PPC) can investigate the processing of personal data by Japanese business operators and, if it finds irregularities, can issue binding decisions.
  • Because of Brexit, it remains to be seen whether and to what extent the new framework will apply to UK-Japan data transfers.
  • For EU-Japan-US data transfers, EU data must NOT be further transferred to individuals or entities abroad who do not guarantee an adequate level of protection, unless consent of EU individuals is obtained for such a transfer. A valid Privacy Shield certification in the United States may guarantee an adequate level of protection.
  • A joint review will be carried out after two years to assess the functioning of the framework.

We will continue to monitor this decision and keep you posted on further developments.

 

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising

Written by:

Morgan Lewis
Morgan Lewis
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Morgan Lewis on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide