Japan's part in Apec data-transfer system not a big risk for EU privacy deal, official says

10 November 2017. By Vesela Gladicheva and Magnus Franklin.

Japan's chances of reaching a deal with Europe on data-privacy standards are unlikely to suffer from its entry into an Asia-Pacific data-transfer deal, according to a senior EU official.

Bruno Gencarelli told MLex on the sidelines of a conference* that "Japan's compliance with privacy law is not simply, or not mainly, to do with its adherence to the Apec [Cross Border Privacy Rules] system. It has a much harder law."

Gencarelli, who heads the European Commission's international data flows and protection unit, was referring to Japan becoming the first fully functional member — besides the US — of the Asia-Pacific Economic Cooperation forum's CBPR.

The US-based system is intended to build international digital commerce and data transfers between economies in Asia and in North and South America.

Gencarelli's comments come at a time when Japan is racing to win a finding of "adequacy" status from the EU by next May, when Europe's sweeping new privacy law, the General Data Protection Regulation, or GDPR, takes effect.

Proponents of the CBPR say they see no conflict between the two, and the secretary general of Japan's Personal Information Protection Commission, Mari Sonoda, has said Japan’s membership has not been a significant topic of interest for EU officials as the two sides work on the mutual adequacy finding.

Gencarelli's comments will discomfit experts who have predicted that the CBPR agreement could prove a headache for Japan in its EU adequacy push.

"What we are assessing is the level of protection ensured by the new Japanese law, which entered into force last May, and the creation of an independent supervisor," Gencarelli said. A new Japanese privacy law was implemented in May, following the establishment last year of the Personal Information Protection Commission.

Japan's CBPR membership is just "part of the context," said Gencarelli, referring to concerns over whether companies handling EU citizens' personal data can transfer them to countries where privacy systems do qualify for the Asia-Pacific rules, but not for the higher EU standards.

"Japan has a law and a data-protection authority," said Gencarelli, adding that the country "doesn't only rely on a certification" to ensure high standards of privacy, suggesting robust underlying structures for protecting privacy.

* "IAPP Europe Data Protection Congress 2017," Brussels, Nov. 8-9, 2017
