Questioning 'Adequacy' (Pt I) – Japan

(2017) 150 Privacy Laws & Business International Report, 1, 6-11

UNSW Law Research Paper No. 18-1

10 Pages Posted: 8 Jan 2018 Last revised: 13 Jul 2018

See all articles by Graham Greenleaf

Graham Greenleaf

University of New South Wales, Faculty of Law

Date Written: December 7, 2017


Assessments by the European Commission of whether non-EU countries provide an ‘adequate’ level of data protection so as to enable a positive EU decision under Article 25 of the 1995 data protection Directive (‘adequacy decisions’) usually receive little discussion while the process is underway. The criteria which have been used within the EU for the assessment of adequacy derive partly from the Directive itself, from the Schrems decision, and from the opinions of the Article 29 Working Party (A29WP). A simplified version of these complex criteria commences this article. [Note: This article was written before the Article 29 Working Party’s ‘Adequacy Referential (Updated)’ (November 2017) was available, but it makes no substantive difference to this article.]

It is therefore unusual that both Japan and South Korea made public in 2016 that they were applying for positive adequacy assessments by the EU, and that general comments about these assessments progressing have been made by the Commission and by representatives of the two countries. Japan and the EU are considering simultaneous findings of adequacy, which Japanese law also allows. Even more unusual is that Korea decided to make its own ‘Self Assessment’ of the adequacy of its data protection in 2016, and then updated it in 2017 after changing the scope of the assessment sought. This article considers Japan’s application, and Part II will consider that of Korea.

It is not the purpose of these articles to suggest what the Commission’s conclusions should be, or might be, in the case of either country. Any proper assessment of a country’s claims to adequacy of data protection is likely to take hundreds of pages, not a short article. Nevertheless, there needs to be public discussion of the strengths and weaknesses of the data protection offered by candidate countries, prior to any assessment being made, because of the importance of such decisions for both international trade, and for the protection of human rights. There also needs to be critical consideration of the quality of the decisions made by the EU bodies involved, once they are made, and analysis of what can be learned from them in relation to future assessments.

This article discusses three of the issues which the EU will have to take into account in its assessment of Japan’s application:

(i) The definition of ‘personal information’ in Japan’s legislation includes two ‘carve-outs’. It only includes data which ‘which can be readily collated with other information and thereby identify a specific individual’. Its 2015 amendments exempted a new concept of ‘anonymously processed information’, prescribing measures of anonymisation potentially different from those accepted in the EU.

(ii) Japan’s restrictions on personal data exports include an exception designed to allow compliance by exports to overseas businesses (at present, only in the US) certified under the APEC Cross-border Privacy Rules system (CBPRs). The issue raised for the EU is whether this would allow onward transfer of personal data originating from the EU, without providing adequate protection.

(iii) Prior to enactment of slightly expanded enforcement powers, and creation of a data protection authority (DPA) in 2015, Japan’s data privacy laws had received negligible enforcement. These new enforcement measures have only been in effect since May 2017, so it is therefore an issue that there has as yet been no time for the Japanese system to demonstrate the extent to which they will actually be used, that the failures of past enforcement have been reversed, and that compliance with the requirements of the Directive can be demonstrated.

How EU institutions address these issues is important for this and all future adequacy assessments, both under the Directive and under the GDPR.

Keywords: privacy, data protection, EU, Japan, adequacy. EU Directive, GDPR

Suggested Citation

Greenleaf, Graham, Questioning 'Adequacy' (Pt I) – Japan (December 7, 2017). (2017) 150 Privacy Laws & Business International Report, 1, 6-11, UNSW Law Research Paper No. 18-1, Available at SSRN:

Graham Greenleaf (Contact Author)

University of New South Wales, Faculty of Law ( email )

Sydney, New South Wales 2052
+61 2 9385 2233 (Phone)
+61 2 9385 1175 (Fax)


Do you have negative results from your research you’d like to share?

Paper statistics

Abstract Views
PlumX Metrics