After reaching an initial deal in 2018, the European Union and Japan have now begun to implement a landmark agreement to ease data transfer restrictions between them. This is a major development in the global economy because it will boost commercial opportunities for both European and Japanese companies by opening up the free flow of personal information.
An official press release from the European Commission that announced the approval of the agreement by both parties celebrated the new EU-Japan data transfer agreement for creating “the world’s largest area of safe data flows.” In parallel, Japan recognised the EU’s data protection laws under the Personal Information Protection Commission of Japan, marking the first time ever that reciprocal agreements have been adopted.
This agreement is crucial because it was made possible by a formal adequacy decision put in place under the General Data Protection Regulation (GDPR). This is the process the EU established to determine if a non-EU country has an adequate level of data protection for personal data to flow from the EU to that other country without any further safeguard being necessary.
Věra Jourová, the European Commission’s Commissioner for Justice, Consumers and Gender Equality, said: “This adequacy decision creates the world’s largest area of safe data flows. Europeans’ data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from privileged access to a 127 million consumers’ market. Investing in privacy pays off; this arrangement will serve as an example for future partnerships in this key area and help set global standards.”
The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay and the U.S. (limited to the Privacy Shield framework) as providing adequate protection. Negotiations continue with other countries.
The EU-Japan agreement is especially noteworthy because it is the first “mutual recognition” data transfer agreement under GDPR. To facilitate the agreement, Japan put in place additional safeguards that guarantee any data transferred from the EU complies with protections put in place by new European standards. Those include:
- Supplementary Rules that bridge several differences between the two data protection systems, strengthening the protection of sensitive data, the exercise of individual rights and the conditions under which EU data can be further transferred from Japan to another country;
- Assurances to the European Commission of limited access of Japanese public authorities for criminal law enforcement and national security purposes, ensuring that any such use of personal data would be limited to what is necessary and proportionate; and
- A mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities, which will be administered and supervised by the Japanese independent data protection authority.
The result of this landmark agreement is that EU and Japanese businesses are now able to transfer data between them without being required by the other party to provide further safeguards or comply with additional conditions. In effect, the transfer of data between organisations in the EU and Japan is now treated the same as data transferred within the EU itself, and likewise all data from EU member countries is “white listed” by Japan’s Personal Information Protection Commission. This means that companies in these two major economic zones can freely exchange personal data on employees or customers, an important aid to boosting trade and commerce between the regions.
The new EU-Japan data transfer agreement may serve as a model for other countries to strike comprehensive data privacy pacts with the EU to enable uninhibited data flow. Now is a good time for companies to revisit their data management policies and procedures under GDPR, which is made much easier by leveraging powerful software tools that can be put to work in this effort.
Here is a quick summary of best practices from our experience working with clients on GDPR compliance:
- Locate the Data
Identifying electronically stored information of relevance within an enterprise is nothing new, but being confident that you understand where data is has never been more important. Therefore, searching for and locating data of relevance against a backdrop of information governance is a good place to focus. For example, it’s important to understand the data within the organisation by knowing the range of data formats that contain personal information (e.g., multimedia files, metadata associated with image files, etc.). Moreover, in order to keep pace with this expanded range of data structures, search capabilities need to be advanced enough to accurately find the data that falls within the scope of the GDPR.
- Define Access
One of the key attributes of the GDPR is to encourage a “high standard of protection” for personal data and for this standard to be maintained across the enterprise, which includes third parties and operations in other countries. With respect to the GDPR, these points of access are defined by their physical location, rather than virtual data locations. This includes both third-party data controllers as well as third parties that are merely processors of data. It’s also important to consider that mobile devices and mobile applications account for a growing share of Internet usage, so understanding and defining access requires special consideration of mobile technology. A structured data audit plan—together with good compliance monitoring—will allow the organisation to clearly define and visualise access.
- Understand the Framework
It’s crucial to understand the legal framework in order to shape data management policy. The GDPR is essentially the final regulation that formalises an earlier EU data protection directive—one key aspect of this is that the GDPR aims to introduce Binding Corporate Rules. These can be repeatedly used for the exchange and control of data across different jurisdictions within the EU and externally, enabling governance and policies to be written once and assessed within a single country of residence. For example, data must be collected in a forensically sound manner with best practices and reliable software tools. Also, in the event of a litigation review, data must be properly shared with individuals, critical staff members, attorneys and appropriate regulators.
- Know the Security Risks
Any organisation that has been victimised by a data breach or other cybersecurity problem can point to at least two major security risks related to their management of personal data: liability associated with loss of that data and damage to the corporate brand as a result. When we talk about knowing the security risks, what EU companies really need to understand are the threats associated with these risks versus how their controls and measures are performing; the combination of these two factors gives the ability to quantify risk and identify areas for improvement and investment. A thorough data compliance audit is the first step toward quantifying that risk and building a proactive security culture within the business.
- Assess the Future
Keeping pace and planning for the future in a world that is rapidly evolving—such as the migration to storing data in the cloud—drives a different level of interaction between executives, internal data management teams and outside service providers. An effective plan for data management under the GDPR needs to anticipate what is around the corner by considering what the future of personal data will entail. Technology is also changing rapidly, so it’s important to choose IT partners very wisely and work with them to provide guidance on product roadmaps that will meet the needs of the future. Also, start data mapping as soon as possible so that flowcharts can be used to guide a long-term data management strategy that is fully compliant with the GDPR.
The EU-Japan data transfer agreement is a true landmark agreement for companies in both economic zones and it is especially noteworthy because it is the first “mutual recognition” data transfer agreement under GDPR. We will soon find out whether or not this was the first in a series of agreements leading to global cooperation in data privacy, but it would behoove any organisation doing business in these two regions to be prepared for their responsibilities governing the exchange of personal data.
About the Author
Sam Holt is a Senior International Engineer at AccessData and a compliance champion, authoring papers on GDPR, ISO27001 and PCI-DSS, and writing privacy and IT policies that organisations can adhere to and comply with. For more information, please go to www.accessdata.com.