Japanese law on personal data protection (APPI – Act on the Protection of Personal Information), in force since the 30thmay 2017 with the amendments approved in December 2017, allows to transfer data from Japan to third countries, only if it’s ensured that the receiving party provides “adequate” standards of data protection.
The GDPR’s importance is highlighted also by the fact that the European Union is the only jurisdiction engaged in dealing with Japan on adequacy standards and that Japan isn’t willing to start dealing with other countries, not even with the USA.
Japan is not intending to issue a general declaration asserting that US data protection standards are adequate; for this reason, companies that want to transfer data from Japan to the US will have to rely on cross-border rules on privacy, developed by the Asia Pacific Economic Cooperation (APEC).
This is possible because, since 2012, the United States was the first non-Asian country to adhere to the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (“CBPR”) System (http://www.cbprs.org/). For this reason, companies can voluntarily comply with the CBPR System and transfer data to APEC members, without any additional restrictions or warrantee on transferred data protection and privacy.
The CBPR Stystem is characterized by four elements1:
- compliance verification;
- recognition / acceptance;
- disputes resolution and application.
APEC Privacy Framework is formally recognized by Canada, Japan, Mexico, South Corea and the US and it could be adopted by all 21 APEC members.
Companies that proceed without an express consent when transferring data from Japan, or without CBPR certification, will be subject to the executive action of the Japanese Personal Information Protection Commission, in the case PIPC receives any complaint.
The Regulation (EU) 2016/679 (GDPR), which has been the legislative basis for many other countries, is the differentiator that puts the EU and the US on two different levels, with regard to cross-border transfers to and from Japan. Indeed, EU and Japan are negotiating on adequacy, while Japan does not intend to start this kind of negotiations with the US.
Since July, Japan and the EU are engaged in dealings, in order to mutually recognize the adequacy of the respective privacy and data protection regimes. In many respects, Japan’s APPI is modelled on GDPR, which will be entirely applied from May 2018.
The objective of the two delegations is to get to an agreement in principle on mutual recognition of adequacy standards by the end of 2018.
(translated by Matilde Bobbio)