New research from the Digital Trade Alliance, supported by the Digital Freedom Fund, warns that the reality of “Data Free Flow with Trust” (DFFT) in Japan appears to be signing up to different sets of rules that are likely incompatible with each other.

Japan’s ‘Data Free Flow with Trust’ Versus Digital Trade Agreement Commitments

Japan is currently home to two “free data flow areas,” one deemed compliant with EU privacy rules on personal data, namely adequacy under the General Data Protection Regulation (GDPR); and the other under recent trade agreements like the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and the US-Japan Digital Trade Agreement (USJDTA). Japan has committed to some restrictions on EU data hopping freely across to the United States and Pacific countries, but this two-tier regime could mean breaching its digital trade obligations.

The DTA has carried out a project supported by the Digital Freedom Fund to look at the problems created by the EU’s adequacy decision in relation to Japan. We look at how this decision fails to protect personal data, particularly by not preventing onwards data transfers to high risk third countries under Japan’s conflicting digital trade commitments. Japan’s two-sided approach creates legal uncertainty and risks.

We focus on Japan because it is the first country to have an adequacy decision after GDPR came into force and it is a major policy actor in global data governance. Japan champions the concept of Data Free Flow with Trust (DFFT): enabling cross-border data flows while preserving privacy and security. Our research shows that the application of this concept by Japan is problematic and not conducive to the necessary convergence towards higher standards required for DFFT to work.

Our main aim is not to promote the EU data protection regime over Japan’s, but instead to stop the spread of data governance regimes locked in viatrade deals that lower the standards of data protection around the world. These agreements enable the free flow of personal information to jurisdictions where data rights are weaker in the name of interoperability.

The research we commissioned from Professor Hiroshi Miyashita found that, despite the ongoing improvements to the Japanese data protection framework, partly to obtain adequacy with the EU, concerns remain. Transparency loopholes and weak enforcement of the complex rules for international transfers create risks for individuals.

We also commissioned the translation of a key Japanese legal document that was not previously available in English. The Guidelines on the Act on the Protection of Personal Information (Version for Provision to Third Parties in Foreign Countries) prepared by the Japanese Personal Information Protection Commission (PPC) specifies how Japanese companies transferring data to a third country can comply with the latest changes to Japanese privacy law.

The report from Professor Hiroshi Miyashita shows that the Japanese standard for regulating cross-border data transfers is weaker than the EU standard and that it enables “seemingly incompatible” trade agreements.

The report also shows that there is limited enforcement of privacy breaches in Japan. In March 2021, the Korean social media company LINE, with 86 million users in Japan, allowed a Chinese contracting company to access personal data. This caused a public outcry due to fears of surveillance by the Chinese government. LINE received a slap on the wrist, although the scandal led to further reforms and showed the complexities of data transfers in the connected Japanese economy.

The EU agreement bans the use of various compliance and private certification mechanisms in place in Japan to forward EU data from Japan to third countries, specifically the Asia Pacific Economic Cooperation Cross-Border Privacy Rules (APEC-CBPR) regime. This leaves consent as the only available path for onward transfers of data received under adequacy, in the absence of daisy-chaining a Japanese adequacy decision.

The analysis of the official guidelines for transfers from the PPC finds several loopholes in the requirements for information to be provided when getting consent. For example, organisations in Japan do not have to name the countries where data is sent, if they can give some explanations for why this is not possible. It is hard to see how this would comply with the requirements for informed consent in the EU.

The commitments made by Japan around EU data do not reflect the general data protection regime of the country, but create instead a two-tier regime with a safe harbor for EU data. This is not helpful to people in Japan, who see their own data treated as second-class.

These conflicts between the adequacy agreement and Japan’s trade agreements on the control of cross-border data flows point to the problems of creating interoperability of data regimes without convergence towards higher standards.

Japan has a wide range of trade agreements and 21 existing economic partnership agreements, free trade agreements, and related initiatives with 24 countries or regions. Our project found that the restrictions placed on Japan by the EU agreement may clash with some of Japan’s digital trade agreements, such as the CPTPP or USJDTA. A report by Dr. Svetlana Iakovleva commissioned by the DTA suggests that countries like the US could subject Japan to a legal challenge — a trade dispute — for restricting data flows. In such a hypothetical trade dispute, Japan may struggle to justify these restrictions under the exceptions regime contained in these agreements.

The critical aspect is that Japan has committed to a higher level of personal data protection with the EU than what is required as sufficient under the CPTPP and USJDTA. As a result, trade adjudicators could view restrictions on onward transfers as disproportionate and more trade restrictive than necessary, and potentially discriminatory.

This is not clear-cut. As Professor Miyashita explains in his report, the EU-Japan regulatory framework may be accepted by a trade tribunal because it is not mandatory. Adequacy makes it easier to send data, but organizations can use other approaches that provide safeguards for consumers.

Dr. Iakovleva also warns that any analysis is uncertain because exceptions from free data flow provisions in the agreements signed by Japan have never been interpreted by any dispute-settlement body, making the WTO case-law the main guide. The report points out that in the WTO’s 26 years of existence, similar exceptions were successfully invoked in only two out of 48 cases. This presents additional issues for consumers because the overall Japanese strategy for global data governance is to shift the forum of dispute resolution to the WTO, as explained by Prof. Miyashita:

“While the WTO is not primarily a forum for resolving human rights issues including the right to privacy and personal data protection, the Japanese government has insisted that the WTO may play a role in promoting the free flow of data without non-tariff barriers. In 2019, then Prime Minister Shinzo Abe stated that digital governance challenges related to privacy, data protection, intellectual property rights, and security should be addressed ‘under the roof of the WTO’.”

In our discussions with Japanese experts we have found concerns about data flows of Japanese residents such as health data being sent to the US, LINE messenger data being sent to China, and overall, a growing preoccupation in the country about data and privacy. These concerns are not hypothetical. Large Japanese companies send substantial data across the EU to Japan and eventually to the US, as explained by Prof. Miyashita:

“The 2022 survey for the 113 Japanese corporations belonging to the Japan Business Federation shows that 66.4 percent of them have received personal data from the EU. Among these, 39.7 percent (in total 26.5 percent of all the companies) circulate personal data from the EU to the U.S. via Japan.”

The DTA also commissioned a technical report from Eticas Consulting to provide a methodology for the collection of evidence of data transfers. They found that various gaming platforms send data across these jurisdictions:

“The Big Five Japanese game developers are Nintendo Co. Ltd., Square Enix, Sega Sammy Holdings, Bandai Namco Holdings, and Konami. All the big 5 developers have subsidiaries and affiliated companies in the United States and in their privacy policies/terms of service agree to data sharing with the United States.”

The use of the APEC-CBPR private certification is limited in Japan at present, and only three companies have registered with the Japanese certification entity in charge, JIPDEC. There is a clear sense of the conflict between this system and GDPR. One of those three companies, Yahoo Japan (no longer related to the global conglomerate), has since stopped any services or data transfers in relation to the EU. The Japanese regulator has not fully dealt with this incompatibility and continues to steer a vague approach of interoperability.

In our discussions with policy-makers and legal experts, everyone we spoke with agreed that there was a situation of legal uncertainty. The DTA is considering whether a legal challenge to the EU adequacy decision on Japan by a Euro-Pacific coalition of privacy and consumer groups could help raise privacy standards in the region.

We found that the threat of litigation could force the EU, Japan and other countries in the region to face the reality that free data flows need higher protections for consumers, but this is a high risk approach. One concern is that after the debacle of the EU-US Privacy Shield, further challenges by civil society could bring the overall EU data protection framework into disrepute. Groups in the DTA want to see the protections afforded by people in the EU extended beyond and improved upon, not undermined. The objective would be for Japan to amend their trade deals to raise the standards for consumer and privacy protection required for the free flow of data.

The issues raised in these reports apply more broadly, and our goal of protecting consumers and privacy rights from digital trade provisions has only become more relevant and urgent.

The European Commission has given South Korea an adequacy decision. As with Japan, the decision includes limitations to onward transfer of personal data and sidesteps the impact of trade commitments.

The APEC-CBPR that raised such concerns in the EU-Japan regime has now expanded beyond the region, and its proponents aim for it to become a global alternative to GDPR. The US, Canada, Japan, South Korea, the Philippines, Singapore and Taiwan have created a new framework for Global Cross-Border Privacy Rules (CBPR). This has no immediate legal impact on the adequacy decision, but it opens the way for expanded data flows with countries anywhere in the world, with important policy implications.

Our research has shown the need for better international collaboration between the European digital rights movement and the Asia-Pacific region to avoid missing policy and technical developments. General awareness of China and India’s tech developments does not extend to knowledge about countries like Japan and Korea.

There are few strong digital rights organizations in the Asia-Pacific region, where the consumer movement is more developed and has a longer history. Privacy experts in academia and think tanks also have a central role to play given the diversity of regulations and lack of expertise on privacy and digital rights among many consumer organizations.

The biggest achievement of this project has been to convene an intercontinental network of legal experts, consumer and privacy advocates that are interested in continuing collaborating on information sharing and advocacy around data, privacy, and trade.

As the host of the G7 in 2023, Japan will advance the details of its Data Free Flow with Trust initiative.This will be a ripe opportunity for privacy and consumer advocates to push for civil society voices to be included in shaping these proposals to ensure higher standards of data protection.

By: Javier Ruiz