While the transatlantic Privacy Shield faces suspension, the European Union (EU) has looked east to partner with Japan to create what’s being pitched as the world’s largest area of safe data flows in a classic example of ‘Llook, it can be done it we all try!’.
The Japanese Government has signed a reciprocal adequacy agreement with Brussels that means that its data protection regime and systems are regarded as equivalent to the standards required in the 28 EU member states. As such data can be presumed to flow safely between Japan and the European Economic Area (EEA) - the 28 EU nations, plus Norway, Liechtenstein and Iceland.
With the signing of the EU-Japan Economic Partnership Agreement yesterday, the data flow consensus removes issues with sending data to and from 127 million Japanese consumers, opening up a vast commercial market to European companies.
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, commented:
Japan and the EU are already strategic partners. Data is the fuel of global economy and this agreement will allow for data to travel safely between us to the benefit of both our citizens and our economies. At the same time we reaffirm our commitment to shared values concerning the protection of personal data. This is why I am fully confident that by working together, we can shape the global standards for data protection and show common leadership in this important area.
The EU now needs to get an opinion from the European Data Protection Board (EDPB) and the nod from a committee composed of representatives of the EU Member States after which the European Commission will adopt the adequacy decision. It’s basically a formality.
The wheels were oiled by efforts by the Japanese authorities to modernise the country’s data privacy regime. This has led to the recognition of data protection as a fundamental right, a common set of safeguards and individual rights, and supervision and enforcement by an independent data protection authority.
Despite this, there are still some fundamental differences in attitudes to data privacy that meant that the EU needed some additional safeguards to be put in place. For example, Japan’s definition of sensitive data was not as wide as that of the EU.
Japan has also agreed to establish a system of handling and resolution of complaints, under the supervision of the Japanese data protection authority (the Personal Information Protection Commission). This is intended to to ensure that potential complaints from Europeans in relation to data by Japanese law enforcement and national security authorities will be effectively investigated and resolved.
It is essentially the role that’s supposed to be played by an official Ombudsperson in the US as part of the Privacy Shield arrangement, were it not for the fact that President Trump’s administration has failed to appoint one...
The deal will be watched with considerable interest by the UK. As part of the Brexit negotiations, the British Government has offered an Adequacy Plus stance on data protection, but this has been rejected to date by the EU negotiator Michel Barnier.
The significance of the Japan decision is that while the EU has unilateral adequacy decisions in place with several non-EU countries, this is the first reciprocal recognition with a third party nation.
So, does this open up potential for the UK to come to a satisfactory post-Brexit deal with the EU around data? Antony Walker, CEO for trade association techUK, sees the Japan decision as very important in its own right:
[The] landmark announcement of EU-Japan mutual adequacy agreements demonstrates the fundamental importance of the free flow of data sitting alongside free trade in both goods and services. The fact that the EU and Japan have agreed mutual adequacy decisions is hugely significant in unlocking data flows between advanced digital economies.
Japan is the first country to agree adequacy under the GDPR and as a member of the Asia-Pacific Economic Cooperation (APEC). This means the agreement potentially opens up a new pathway for onward data transfer through APEC countries. It will be important to see how the specific additional safeguards agreed by Japan will operate in practice and what that means for the operational effectiveness of this agreement.
And as for any Brexit implications, he adds:
It will also be an important test-case as the UK and EU seek to agree a data flows agreement post-Brexit, by setting out the key requirements to meet the ‘essentially equivalent’ test under GDPR. Given the UK and EU’s data protection regimes are significantly more aligned than Japan and the EU, techUK would hope the UK and EU will be able to agree mutual adequacy decisions as soon as possible.
In a global digital economy, data and trade go hand in hand, so it is positive that the EU and Japan have been able to agree both a trade deal and data flows agreement side by side. It is still not clear whether the UK will be able to roll over existing EU adequacy decisions, and what the process for doing so will be. More clarity on this issue is needed to ensure data can continue to flow between the UK and countries it already has agreements with. The new Japan adequacy agreement will be a crucial one to consider as part of that process.
This deal with Japan looks like the end result of the sort of effort that ought to have been put into a viable Safe Harbor replacement with the US. Instead, as noted before, there was far too much posturing and anti-US grandstanding going on in Brussels for anything other to emerge than the ‘lipstick on a pig’ fudge that’s collapsing before everyone’s eyes.