The adequacy decision on Japan under the General Data Protection Regulation

Abstract

In January 2019, the European Commission adopted its first adequacy decision for international personal data transfers under the General Data Protection Regulation (GDPR). The subject of that decision was Japanese data protection law. The decision included findings for law enforcement cooperation between the EU and Japan that are important from a data protection perspective. This is because the decision assessed the rules surrounding access to personal data originating from the EU by Japanese public authorities, including law enforcement authorities, in a rather detailed manner. This chapter undertakes a critical analysis of this assessment from the perspective of EU data protection law as interpreted in the light of the Charter of Fundamental Rights of the EU (Charter) and in the recent case law of the Court of Justice of the EU (CJEU), especially its judgment in Schrems II. It also asks how far the assessment gives any indications with regard to future law enforcement cooperation initiatives with Japan from a data protection perspective. Concretely, it explores whether the assessment has any implications for a potential adequacy decision for Japan under the Law Enforcement Directive (LED), the ongoing negotiations for an international agreement for the exchange of passenger name record (PNR) data with Japan or the amendment of the Mutual Legal Assistance Treaty (MLAT) with Japan. The chapter concludes by finding that the assessment of the Japan adequacy decision under the GDPR would be a flawed source of inspiration for these potential and ongoing initiatives.