International: Transferring data between Japanese companies and the UK post-Brexit
While Brexit is likely to cause uncertainty in many areas, the continuity of data transfers for countries such as Japan who have attained a positive adequacy decision from the EU is largely ensured. Stuart Beraha and Takaki Sato, Partner and Associate respectively at Latham & Watkins, discuss the legal framework governing personal data transferred from the UK to Japan and how the gaps between the two countries' data protection rules are made up for in this process.
On 31 January 2020, the UK exited the EU. While there are many issues likely to be affected by Brexit, this article focuses on the effect of Brexit on the UK's data protection regime, particularly in relation to the requirements applicable to Japanese companies with respect to transfers of personal data between the UK and Japan. The Japanese data privacy regulatory authority, the Personal Information Protection Commission ('PPC'), is primarily concerned with whether Brexit is likely to result in changes to the existing Japan-EU regime with respect to cross-border transfers of personal data. In the lead up to Brexit, the Japanese regulators kept a close eye on the UK regulatory authority's policy with regard to such data transfers and determined how Japan would treat cross-border transfers of personal data between Japan and the UK in the post-Brexit world.
Framework governing data flow between the EU and Japan - to be imputed to Japan-UK data flow
In Japan, the Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI') includes regulations addressing cross-border transfers of personal data from Japan to foreign countries. The data privacy regulation of the EU, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), similarly has regulations addressing cross-border transfers of personal data from the European Economic Area ('EEA') to non-EEA countries. A 'mutual adequacy agreement' has been adopted by Japan and the EU in order to allow smooth cross-border data flows between the two. Under this agreement, the EC allows personal data to be transferred from the EEA to Japan and, accordingly, EEA member states are included by the PPC on Japan's 'white list' of countries to which personal data transfers are permitted. In the post-Brexit era, the UK and Japan will each retain the mutual adequacy arrangement vis-à-vis the other. Below, we discuss how the UK-Japan mutual adequacy arrangement works and its implications for the transfer of personal data between the UK and Japan.
Personal Data to be transferred from the UK to Japan
The transfer of personal data by a UK company to a Japanese company is permitted under UK law due to the mutual adequacy arrangement. The Japanese recipient company is then obligated to handle such transferred personal data in compliance with the APPI. In addition to the generally applicable Japanese regulations, the PPC has established additional Japanese data privacy guidelines which address the handling of personal data transferred from the UK to Japan pursuant to the UK-Japan mutual adequacy arrangement ('the Adequacy Guidelines'). The Adequacy Guidelines, which simply apply the EU-Japan mutual adequacy arrangement to the UK, impose additional obligations on the Japanese recipient with respect to handling personal data transferred from the UK to Japan ('UK Personal Data') in order to fill certain gaps that would have existed under the generally applicable Japanese regulations in relation to the personal data protections that apply in the UK.
For purposes of this discussion, the GDPR currently constitutes the personal data protections applicable in the UK. In the post-Brexit era, the GDPR will continue to apply in the UK during a transition period lasting until the end of 2020. Although the GDPR will no longer apply to the UK upon expiration of this transition period, the UK government has nevertheless stated that it intends to incorporate the terms of the GDPR directly into UK data protection laws with little change. References made below to the GDPR refer collectively to both the GDPR itself (i.e. the EU regulation with applies in the UK until the end of 2020) and the version of the GDPR to be adopted by the UK. The additional obligations that apply to UK Personal Data are summarised below.
Additional special categories of personal data
The GDPR imposes a higher standard of protection to categories of personal data considered particularly sensitive. The APPI adopts a similar framework, under which sensitive data may not be collected without the consent of the relevant data subject. Although the GDPR and APPI structures are similar in this respect, the categories of sensitive personal data are narrower under the APPI than they are under the GDPR. Specifically, unlike the GDPR, the APPI does not recognise data revealing a data subject's 'sex life,' 'sexual orientation,' or 'trade union membership' as falling within the special category of sensitive personal data.
The Adequacy Guidelines address this gap by recognising as sensitive UK Personal Data revealing a data subject's 'sex life,' 'sexual orientation,' or 'trade union membership'. A Japanese recipient of these types of UK Personal Data therefore must treat such UK Personal Data in compliance with the Japanese regulations applicable to the special category of sensitive personal data.
Eliminating exceptions to right to request deletion, correction, or non-use/disclosure of personal data
The APPI entitles data subjects to require a company processing his/her personal data to delete, correct, cease to use, and cease the disclosure of the data subject's personal data. However, this right does not apply to personal data that has been retained by the processing company for less than six months.
The Adequacy Guidelines remove this six-month minimum retention period with respect to UK Personal Data. Accordingly, the data recipient is obliged to satisfy such requests from data subjects with respect to UK Personal Data, regardless of how long the UK Personal Data has been retained by the recipient.
Imputed restriction on purpose of use
The APPI does not explicitly state that a data recipient's use of personal data must be limited to the purpose of use specified by the data provider.
To obtain consistency with the GDPR, the Adequacy Guidelines obligate a Japanese recipient of UK Personal Data to use the UK Personal Data only for the purposes permitted by the data provider transferring the UK Personal Data to the Japanese recipient.
Higher standard of protection for anonymised data
The APPI includes regulations addressing the creation and handling of 'anonymised data.' For the process of anonymising personal data, a particular technological processing method is required, which includes the removal of certain items/records/cells, generalisation, and micro-aggregation. Anonymisation also requires the removal from personal data of descriptions and identifiers by which a specific individual can be identified. Under the APPI, the party creating anonymised data is permitted to retain data that could allow the anonymisation process to be reversed, as well as the removed personal data, if the creating party takes security measures to prevent data breaches with respect thereto.
Under the GDPR, however, this retention will not be permissible. To obtain consistency with the GDPR as to anonymised data, the Adequacy Guidelines therefore require the creating party to completely delete such forms of data.
Additional requirements for onward transfers of received UK Personal Data
The APPI's regulations regarding cross-border transfers of personal data from Japan to foreign countries require the party transferring the data to obligate by contract or, in the case of a foreign recipient that is an affiliate of the transferring Japanese company, by binding group corporate rules. Due to the similarity of these requirements to the Standard Contractual Clauses ('SCC') and Binding Corporate Rules ('BCRs') adopted under the GDPR, the foreign recipient would process transferred personal data in compliance with substantially the same obligations as would apply to a Japanese company under the APPI.
In the case of onward transfer of UK Personal Data from a Japanese data transferor to a foreign data recipient, the additional requirements explained in the above must be included in the applicable Japanese SCC/BCRs.
Personal data to be transferred from Japan to the UK
As discussed above, when a Japanese company transfers non-UK personal data to a foreign company, the Japanese company must enter into a contract with or ensure binding corporate group rules apply to the foreign data recipient. The mutual adequacy arrangement removed this requirement with respect to cross-border transfers to UK companies. As a result, Japanese companies are able to transfer personal data to UK companies as if such a personal data transfer takes place entirely within Japan. As a general matter, under the APPI, domestic personal data transfers are subject to the following restrictions:
- In principle, the data provider must obtain the data subject's prior consent.
- In practice, data providers rely on statutory exemptions from the 'consent collection' regime, with statutory exemptions applying where:
- personal data is transferred in the course of consignment of handling of such personal data (e.g. providing customer lists to a marketing company for the purpose of a direct mailing campaign, or providing employee profile data to a payroll company for the purpose of enabling salary payment services);
- personal data is transferred in the course of a corporate merger or certain other business transfer transactions; or
- personal data is shared pursuant to a 'Joint Utilisation' structure meeting certain procedural requirements.
- In theory, a data provider may satisfy the consent requirement via an opt-out structure. This approach is however comparatively uncommon in practice (only 186 enterprises across the entire country as of the end of March 2019), partly because the associated procedural requirements are onerous. This is in particular due to the fact that the procedure includes a requirement to file with the PPC, which appears unattractive to data providers.