marketude Adriano Garofalo, Diritto Europeo e della Concorrenza, Federico Aluigi, Prospettive, Protezione dei Dati e Cybersecurity, Pubblicazioni, Roberto A. Jacchia

On 19 July 2023, the European Data Protection Board (EDPB) announced that it adopted a statement[1] on the European Commission’s first review of the functioning of the adequacy decision for Japan[2].

The adoption of an Adequacy Decision regarding Japan had already taken place on 23 January 2019, following the adequacy procedure under Article 45 of Regulation (EU) 2016/679 (GDPR), and as a result of the additional safeguards that Japan put in place to ensure that data transferred from the Union enjoy protection in line with European standards[3]. The adequacy decision addresses the Japanese Act on the Protection of Personal Information (APPI), as complemented by the Supplementary Rules that were introduced to bridge certain relevant differences between the APPI and the GDPR.

Subsequently, the European Commission conducted its review which was completed on 3 April 2023 with a positive outcome, thus witnessing that the convergence between either system further improved in the past four years and that the Adequacy Decision had been successfully implemented[4].

On the one hand, in the light of a number of amendments introduced to the APPI in recent years[5], the European Commission was able to recognize the following achievements[6]: i) some of the additional safeguards provided under the Supplementary Rules for personal data coming from the EU, i.e. as regards data retention and the conditions for informed consent in respect of cross border transfers, were incorporated into the APPI, thereby making them generally applicable to all personal data, irrespective of their source; ii) the APPI was transformed into a comprehensive data protection framework covering both the private and public sector, and subject to the exclusive supervision of the Personal Information Protection Commission[7] (PPC). The EU Commission considers that this legislative process could lead to an extension of the adequacy decision mechanism to other areas of regulatory cooperation and research; iii) the publication by the PPC of updated guidelines, in particular, regarding international data transfers; the EU indicated that it believes the guidelines will increase the accessibility of the APPI rules on the subject and make them more user-friendly; iv) the establishment of dedicated contact points for EU individuals who have questions or concerns about the processing of their personal data in Japan, be it by commercial operators (Inquiry Line) or public authorities (Complaint Mediation Line); v) the announcement by the PPC that it will carry out random checks to ensure compliance with the Supplementary Rules, rather than continuing with the exclusive use of the non-coercive, soft-law powers of guidance, was hitherto the case.

On the other hand, certain critical issues worthy of reconsideration for the next review are reported by the Commission. For instance, “pseudonymized personal information”[8] are currently exempted from certain obligations, such as the duty to report a data breach (Article 26 APPI) and provisions regarding data subject rights. Emphasis is placed on the fact that “pseudonymized personal information” processed for statistical purposes should not be used to adopt measures or take decisions concerning any particular individual. In the same vein, “pseudonymized personal information” originally received from the EU will always be considered “personal information” under the APPI, to ensure that the continuity of protection of data considered as personal data under the GDPR is not affected when it is transferred to Japan on the basis of the Adequacy Decision.

Taking the lead from the Commission, the EDPB likewise took certain actions, with particular focus on the commercial aspects of the adequacy decision. These are the most significant points: i) the new definition of “personal data held by the company” introduced by the amendment to APPI 2020[9] was favourably acknowledged; ii) it was appreciated that the 2020 APPI amendment extended the right to object[10] and the introduction of a duty to promptly notify the PPC and the data subjects of any data breach that is “likely to harm individual rights and interest”[11]; iii) greater detail was hoped for regarding enhanced requirements for informed consent where used as a legal basis for (onward) transfers to third countries, with the EDPB welcoming further reassurances on the fact “that consent will not be used as a basis for transfer in case of clear imbalance of power”, and the Commission asking to monitor this particular aspect in the next review ; iv) the Commission was invited to maintain a close supervisions on the use of “pseudonymized personal information,” as companies that use it are exempt from certain obligations such as the obligation to report a data breach; v) the drafting of model clauses in collaboration between the European Union and Japan will be encouraged, in order to achieve greater uniformity and thus more robust safeguards in connection with the transfer of personal data.

The EDPB, thus, stated that it concurs with the Commission’s proposal to consult the Committee[12] and establish a review of the Adequacy Decision in 4 years[13].

The statement, issued just a few days after the EU-US Adequacy Decision[14], is part of a broader framework devised to implement a policy of openness on the part of the European Union towards third countries in the matter of personal data, in an environment characterized by exponential technological advancement and the confirmed central importance of personal data, against a foreground increasingly designed by Artificial Intelligence.

Scarica l’articolo

[1] EDPB, Statement 1/2023 on the first review of the functioning of the adequacy decision for Japan, Adopted on 18 July 2023.

[2] See the following LINK for the EDPB press release.

For a definition of “adequacy decision”, see Article 45(1), GDPR, for which “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.”.

[3] More information in our previous article at the following LINK.

[4] See the Joint Press Statement at the following LINK.

[5] The APPI was amended twice: on 5 June 2020, through the Amendment Act of the 2020 Act on the Protection of Personal Information (2020 APPI amendment) that entered into force on 1 April 2022; and on 12 May 2021, through the Act on the Arrangement of Related Acts for the Formation of a Digital Society (2021 APPI amendment). The Supplementary Rules were adapted to reflect these amendments, in consultation with the European Commission.

For the full text in English, see the following LINK.

[6] COM (2023) 275 final, Report from the Commission to the European Parliament and the Council on the first review of the functioning of the adequacy decision for Japan, 3 April 2023.

[7] The Personal Information Protection Commission is a Japanese government commission charged with the protection of personal information.

For more information see the following LINK.

[8] “Pseudonymized personal information” means information relating to an individual that can be prepared in a way that makes it not possible to identify a specific individual unless collated with other information by taking any of the measures prescribed in each following item in accordance with the divisions of personal information set forth in those items (Art. 2 APPI)

[9] See the Article 16(4) of the amended APPI.

The statement reports that “…every data subject (irrespective of nationality or residence) now benefits from the enhanced protection which had previously only applied to personal data transferred from the European Economic Area according to the Supplementary Rule…”.

[10] See the Article 35 of the amended APPI.

[11] See the Article 26 of the amended APPI.

[12] See the Article 93(1) of the GDPR.

[13] The review of the adequacy decision is provided for in Article 45(3) of the GDPR, which states “the implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation.”.

[14] More information in our previous article in the following LINK.