GDPR Brief: Japan obtains the first adequacy agreement under the GDPR

3 Oct 2019

On January 23, 2019, the European Commission (EC) issued its adequacy decision on Japan. As one of the most active countries in large-scale OMICS research, with participation in initiatives such as the International Cancer Genome consortium (ICGC), the International Epigenome Consortium (IHEC), GA4GH and the Human Cell Atlas, this is welcome news for Japanese researchers. In addition to being the first adequacy decision since the GDPR entered into force, it also marks the first mutual decision. As such, Japan has also deemed the EU adequate under its Act on the Protection of Personal Information (APPI).

Data transfer from the European Union to third countries or international organizations may only occur if they offer an adequate level of data protection, which generally means an equivalent level as the GDPR. On January 23, 2019, the European Commission (EC) issued its adequacy decision on Japan. As one of the most active countries in large-scale OMICS research, with participation in initiatives such as the International Cancer Genome consortium (ICGC), the International Epigenome Consortium (IHEC), GA4GH and the Human Cell Atlas, this is welcome news for Japanese researchers. In addition to being the first adequacy decision since the GDPR entered into force, it also marks the first mutual decision. As such, Japan has also deemed the EU adequate under its Act on the Protection of Personal Information (APPI). Given that the APPI only applies to business operators who handle personal information, the adequacy decision only covers the private sector.

The European Data Protection Board (EDPB)’s Opinion 28/2018, released on December 5, 2018, examined the level of convergence between the two regimes and identified challenges using the principles in the WP 254 working document, an interpretative aid to the GDPR. For instance, the EDPB expressed its concerns regarding the linguistic and institutional barriers in the redress mechanisms under Japan’s APPI. Given these concerns, Japan and the EU agreed on a set of Supplementary Rules applicable to Japanese companies importing European data. These rules bridge the gaps between the two systems by strengthening the protection of sensitive data and providing higher protection for onward transfers. The Japanese government also ensured that public authorities would only use personal data for criminal law enforcement or national security purposes in a necessary and proportionate manner. Finally, Japan will establish a complaint mechanism to investigate and resolve complaints from Europeans.

As a result of the adequacy decision and Supplementary Rules, genomic and health-related data from both European and Japanese participants can flow freely between the EU and Japan without any additional contractual privacy specifications or safeguards. Importantly, however, since the regime only applies to the private sector, transfers of personal data between public entities such as local governments or administrative are excluded. Furthermore, the scope of the decision contains sectorial exclusions: universities processing personal information for academic studies is one such category.

The EU-Japan Economic Partnership Agreement, which entered into force in February 2019, likely influenced the outcome of the decision. Although the EDPB and the EC were critical of some aspects of the Japanese privacy framework, free data flow between Japan and the EU facilitates the execution of the bilateral trade agreement, which may explain the flexible process. Allowing a third country to provide further guarantees is mentioned in neither the GDPR nor the WP 254 document. Nevertheless, the EDPB invited the EC to closely monitor the application of the Supplementary Rules, as “their legal value is an absolutely essential element of the EU – Japan adequacy”.

Conversely, the WP29’s 2014 Quebec Opinion did not benefit from such flexibility to clarify the relationship between the provincial and federal data protection law and thus achieve adequacy. This suggests that the EC prioritized trade over a GDPR-like data protection scheme. Should a flexible approach remain, we can expect more adequacy decisions, which would facilitate genomic and health-related data sharing. However, the EC should be open and transparent about its flexibility and avoid unfettered discretion, which could create an impression it bases its decision on extraneous considerations and predetermined outcomes.

• Julian Wagner, “The transfer of personal data to third countries under the GDPR: when does a recipient country provide an adequate level of protection?” International Data Privacy Law, 2018, 8(4)

• European Data Protection Board, Opinion 28/2018 regarding the European Commission Draft Implementing Decision on the adequate protection of personal data in Japan, Adopted on 5 December 2018

Relevant GDPR Provisions

• Article 44 – General principle for transfers
• Article 45 – Transfers on basis of adequacy decision
• Article 46 – Transfers subject to appropriate safeguards
• Recital 101 – General principles for data transfers outside the EU
• Recital 103 – Commission to determine adequacy of data protection for countries outside the EU

Handi Xu is research assistant at the Centre of Genomics and Policy at McGill University.
Jennifer Stoddart is a strategic advisor at Fasken and former Privacy Commissioner of Canada.
Yann Joly is research director of the Centre of Genomics and Policy and an associate professor at the Faculty of Medicine, Department of Human Genetics, cross-appointed at the Bioethics Unit, at McGill University.

See all previous briefs.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.