RENFORCE Blog


EU-Japan Economic Partnership Agreement: Data Protection in the Era of Digital Trade and Economy

By Machiko Kanetake and Sybe de Vries

© European Union, 2017

On 12 December 2018, the European Parliament approved the EU-Japan Economic Partnership Agreement (EPA), which the parties have been negotiating since April 2013. The Agreement, sometimes called the “cars-for-cheese” deal in a symbolic sense, aims to vitalize economies which represent approximately 30% of global gross domestic product. The Commission presented the final text to the Council on 18 April 2018, which authorized, on 6 July, the signing of the deal. The parties signed the agreement on 17 July, and, on 8 December 2018, the National Diet of Japan approved the agreement. In light of the Court of Justice’s Opinion 2/15 on the EU-Singapore Free Trade Agreement, the Commission assumes that the EU-Japan EPA does not require ratification by individual EU member states since the agreement is within the EU’s exclusive competence. Investment protection standards and investment protection dispute resolution, which fall under shared competences, have been subject to separate negotiations. The EPA, which is expected to enter into force on 1 February 2019, is arguably the biggest trade-related achievement of the current Commission, which ends its mandate in 2019.

Digital economy strategies and data flow as a trade commodity

One of the ambitions behind the conclusion of the EU-Japan EPA is to vitalize the digital economy. The cross-border flow of data is a trade commodity, and its importance has been increasing for both Japan and the EU due to their strong focus on the digital economy. Cultivating the digital economy is one of the core pillars of Japan’s growth strategy, and, within the EU, the Digital Single Market is one of the ten priorities of the European Commission for the period 2015-2019. The EU’s strategy is built upon three pillars:

  • Better access for consumers and business to online goods, helping to make the EU’s digital world a seamless and level marketplace to buy and sell;
  • Creating the right environment for digital networks and services;
  • Ensuring that Europe’s economy, industry and employment take full advantage of what digitalization offers.

With respect to the third pillar, the Commission has proposed a Regulation to ensure the free flow of non-personal data and to address barriers to the European Data Economy. It specifically aims at the removal of unjustified or disproportionate national rules that hamper or restrict companies in choosing a location for storage or processing of their data. According to a member of the European Parliament, Anna Maria Corazzo Bildt, “this regulation de facto establishes data as the fifth freedom on the EU Single Market,” next to the four freedoms as enshrined in the Treaty: free movement of goods, persons, services and capital. Herewith the EU legislator has recognized that data are indispensable for the very existence and function of new forms of product and factors of production, including service provision.

Tensions between cross-border data flow and data protection

When it comes to the free flow of data with third countries, however, the situation is more complex. For now, the EU-Japan EPA has postponed the provision on the “free flow of data.” The parties are expected to reassess the topic within 3 years (Article 8.81). Nevertheless, this does not mean that the current EPA does not facilitate cross-border data flow. For instance, the Agreement provides for the processing of financial information (Article 8.63), which necessarily includes personal data (see the article by Marija Bartl and Kristina Irion, 2017).

The policy to facilitate cross-border data flow, however, gives rise to tensions with the protection of personal data, that is, data through which individuals become directly or indirectly identifiable. And there could perhaps be situations where non-personal data contain information that may ultimately lead to the identification of a person. Within the EU these tensions are dealt with by the EU legislator, who, next to fostering the free flow of non-personal data, adopted stringent rules to protect the personal data and privacy of EU citizens through the General Data Protection Regulation (GDPR) adopted in April 2016.

How these tensions ought to be resolved at the international level is unclear and loomed large in the negotiation of the Agreement. Concerns persist despite the fact that the incentives to seal the deal had been strengthened by the Brexit referendum in June 2016 and the election in November of US President Donald Trump, who disapproved of the Trans-Pacific Partnership. Dutch MEP Marietje Schaake reportedly made it clear that “the European Parliament will not ratify an agreement that undermines data protection in the EU and the Commission knows this.”

Gaps in data protection

The European Parliament’s concerns were indeed legitimate, in light of some of the noticeable differences between the EU and Japanese data protection regimes. The EU introduced its own systematic data protection already in 1995 under Directive 95/46/EC. As stated above, the GDPR significantly strengthened the protection of personal data by, for instance, extending its extraterritorial reach, strengthening the rights of data subjects, responding to new forms of data processing, obliging private entities to designate a Data Protection Officer and conduct impact assessment, and introducing a hefty fine.

On the Japanese side, in 2003, the country introduced the Act on the Protection of Personal Information (APPI), which became effective in 2005. While the legislation marked a watershed in the protection of personal information, there were many shortcomings. For instance, uncertainties arose as to whether the APPI covered information such as DNA data, fingerprints, and voice data. Entities which handled the personal information of fewer than 5,000 individuals were exempt from the APPI’s requirements. Also, there were no specific provisions regarding the transfer of data to third parties outside Japan. Finally, the APPI did not establish a specific body in charge of supervising the implementation of the Act. Some of these shortcomings became problematic, not only for domestic constituencies, but also for those involved in the negotiation of an EU-Japan trade agreement.

Remedying the gaps in data protection

To close the gaps, either Japan should strengthen its regulatory mechanisms or the EU should lower its threshold. Officially, the latter was not an available option. The European Commission has maintained the narrative that data protection, which is a fundamental right in the EU, is “not up for negotiation.” “Privacy is not a commodity to be traded,” reiterated the Commission. 

The task of remedying the gaps was thus left in the hands of the Japanese government, which was also facing pressures from domestic stakeholders to improve regulation. A reform was necessary, not only for the sake of trade agreements, but also for the purpose of obtaining an “adequacy decision” under Article 25(6) of Directive 95/46/EC and Article 45 of the GDPR. The adequacy decision is the official recognition by the European Commission that a non-EU third country’s data protection laws are “essentially equivalent” to those of the EU. The existence of such a decision eases the process of transferring personal data to non-EU third countries.

The Japanese government thus revised its regime on privacy protection. The revised APPI of 2015, which became effective in 2017, introduced a number of changes. For instance, the revision made it clear that the APPI protects DNA data, voice data, fingerprints, passport numbers, and social security numbers. The revised APPI also created the special category of sensitive data, imposed record-keeping obligations, provided rules on third country data transfer, and, most importantly, established the Personal Information Protection Commission (PPC) as the supervisory authority. These changes apparently bear resemblance to the EU’s data protection regime.

Recognition of equivalence by the EU and Japan

The Japanese regulatory reform then brought a practical outcome. On 17 July 2018, the EU and Japanese delegations agreed to recognize each other’s data protection as “equivalent”. As carefully planned, this celebrated moment came on the same day as the EU and Japan signed their EPA. According to the European Commission’s brief explanation, Japan’s modernization of its data protection legislation “has increased the convergence between the two systems.” On 5 September 2018, the Commission published its draft texts regarding the adequacy decision according to the GDPR and launched the formal process to adopt such a decision.

Despite the recognition of equivalence, however, there are still noticeable differences between the EU and Japan’s regimes on the protection of personal information. Most fundamentally, the narrative of the “rights” of data subjects plays a much stronger role in the EU’s regulation. True, the Japanese APPI also aims at the protection of an individual’s “rights and interests.” Some of its provisions should be understood as providing individuals with the rights to request disclosure, correction, and suspension of use vis-à-vis private business operators (Articles 28-30). Furthermore, Japan has provided supplementary rules to the APPI in order to remedy the remaining gaps. Having said that, the GDPR of the EU ensures much more robust protection of the rights of data subjects, including the right to be forgotten under Article 17. The right was endorsed by the Court of Justice in its landmark case of Google Spain, based on Articles 7 (privacy) and 8 (personal data) of the EU Charter of Fundamental Rights (see the previous blog post by Mistale Taylor and Machiko Kanetake). Yet the EU’s GDPR and Japan’s APPI may remain conceptually different in terms of the weight given to individuals’ rights against other societal interests. To be sure, adequacy decisions are by no means meant to replicate the EU’s legal framework. What matters here is to provide the EU’s constituencies with a better and more accurate explanation about the gaps and their possible risks. At present, the narrative of “equivalence” may serve to discount some of the underlying differences.

Trading digital flow and data protection?

Given the inevitable gaps between the two legal systems, it may be safe to assume that data protection was indeed “up for negotiation”—contrary to the narrative maintained by the European Commission during the EPA negotiations. In principle, the EU’s Commissioner for Trade assured the European Parliament that data protection was not to be compromised. Nevertheless, the reality is not so straightforward. The comparison between the EU and Japanese mechanisms to protect personal data leads us to presume that data protection has been part of the negotiating materials, not only between the EU and Japanese delegations, but also within their respective domestic constituencies. Overall, the process leading to the EU-Japan EPA demonstrates that data protection can be negotiated and traded—without, perhaps, entailing the awareness of the EU’s data subjects, who will ultimately be affected by the trade agreement in the near future.