Japan was the first country to secure a unique position regarding cross-border transfers of personal data. In 2019, it was granted an adequacy decision by the European Union (EU), which marked the creation of the largest area of cross-border flows of personal data between the EU and Japan to be considered compliant with the General Data Protection Regulation (GDPR). Around the same time, Japan also undertook broad commitments to maintain free cross-border flows under the Comprehensive and Progressive Agreement for Trans-pacific Partnership (CPTPP) and the U.S.-Japan Digital Trade Agreement (USJDTA). Together, these two trade agreements require free cross-border transfers of information, including personal data, from Japan to 11 countries: Australia, Brunei, Canada, Chile, Malaysia, Mexico, New Zealand, Peru, Singapore, Vietnam and the United States.
Each of these free data flow areas in which Japan participates – the one created by the EU adequacy decision under the GDPR and the other by trade agreements –functions according to its own rulebook. This blogpost argues that the two rulebooks are likely incompatible with each other, which means Japan may not be able to comply with one without violating the other. This blogpost is based on a report which discusses this issue in much greater detail.
Adequacy Decisions and Restrictions on Onward Transfers
An “adequacy decision” is one of the mechanisms that makes regular transfers of personal data outside the EU lawful under the GDPR. The “adequacy” of a third country’s data protection framework – and legal system more generally – is assessed by the European Commission. If that assessment is positive, the European Commission adopts a unilateral “adequacy decision.” Among other things, the adequacy decision for Japan requires Japan to restrict onward transfers of personal data originating from the European Union (for simplicity, “EU personal data”) from Japan to any other country that has not itself been afforded adequacy. Out of 11 countries mentioned above, only Canada and New Zealand have so far been afforded adequacy (though both are currently under review), with an adequacy decision for the U.S. underway. This means that Japan must restrict onward transfers of EU personal data to all other parties of the CPTPP.
Under the adequacy decision for Japan, EU personal data can be transferred to other countries only if an individual has given their informed consent for such transfer. In the absence of an individual’s consent, EU personal data can be transferred to a country that has been recognized by Japan as providing an equivalent level of personal data protection. It can also be transferred if an arrangement between the Japanese data exporter and the data importer in another country ensures an “equivalent” level of personal data protection.
Free Data Flow Provisions in Trade Agreements
The free data flow provisions in the trade agreements discussed in this blogpost are similar. They read as follows:
According to Article 14.11(2) CPTPP,
Each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.
According to Article 11(1) USJDTA,
Neither Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means, if this activity is for the conduct of the business of a covered person.
Note that the two provisions are formulated slightly differently. The main difference lies in the modality of the obligations. The CPTPP requires parties to “allow” free cross-border transfers of information, and the USJDTA requires parties not to “prohibit or restrict” such transfers. These differences, however, are likely purely semantic. In essence, both provisions require that cross-border transfers of information must not be restricted.
Restrictions on onward transfers of EU personal data from Japan are likely to fall into the scope of the free data flow provisions in both the CPTPP and the USJDTA. Both are likely to run afoul of the obligations they contain to ensure free flow of information, including personal data.
Difficulties of Justifying Violations of Free Data Flow Provisions with Exceptions
A violation of the free data Flow provisions is not necessarily a problem per se insofar as it can be justified under the relevant exceptions from these provisions, which are included in both trade agreements (Article 14.11(3) CPTPP and 11(2) USJDTA). Similar to the so-called General Exceptions in World Trade Organization (WTO) Agreements, in particular, Article XX of the General Agreement on Tariffs and Trade 1994 (GATT) and Article XIV of the General Agreement on Trade in Services (GATS), exceptions from the free data flow provisions require a two-step assessment. First, it must be established that restrictions on cross-border transfers of data are not more restrictive than is required or is necessary to achieve a legitimate public policy objective. Second, such restrictions must not be applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.
Considering their novelty, exceptions from the free data flow provisions in the CPTPP and USJDTA have not yet been interpreted by any dispute settlement body. In fact, the USJDTA does not provide for any dispute settlement mechanism. For this reason, the impact of these provisions on restrictions of onward transfers of EU personal data from Japan is uncertain. However, because of the similarities between the CPTPP and USJDTA free data flow provisions and the WTO General Exceptions, it is relevant to examine WTO case law. It should be emphasized, however, that the application of the exceptions, both in the GATT and GATS as well as in the CPTPP and USJDTA, remains a case-by-case assessment, a matter in which dispute settlement bodies in charge of such application maintain substantial discretion. It is ultimately up to the adjudicators of the CPTPP (and potentially the USJDTA if a dispute settlement mechanism is created to enforce it) to determine to what extent to rely on WTO case law in a particular dispute. Furthermore, as I argued in my prior work, WTO case law on the interpretation of the General Exceptions has been uneven and inconsistent over time.
Keeping in mind these caveats, there are three situations where restrictions on onward transfers of EU personal data from Japan cannot be justified under those exceptions.
First, it’s important to note that in the WTO’s 27+ years of existence, general exceptions in the GATT and GATS were successfully invoked in only two out of 48 cases, which does not inspire optimism. It is common practice to interpret those exceptions narrowly.
Second, in its representations to the EU, which are reflected in the adequacy decision, Japan committed to a level of personal data protection higher than the level of protection that is viewed as sufficient under the CPTPP and USJDTA. For example, footnote 6 to Article 14.8(5) CPTPP states that different approaches to protecting personal data, such as a comprehensive privacy framework and laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy are equally acceptable. As a result, the level of restrictions on onward transfers required by the adequacy decision could be viewed by trade adjudicators as disproportionately trade restrictive and more trade restrictive than is necessary. As a point of comparison, the approach taken in the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and the APEC Cross-Border Privacy Rules (CBPR) could be viewed as a less trade restrictive alternative to the restrictions on onward transfers of EU personal data prescribed by the adequacy decision. It would be hard for Japan to argue that this alternative is not reasonably available to it (in which case it wouldn’t be considered in the assessment) because the APEC Privacy Framework (on which the CBPR are based) has been endorsed by Japan’s Personal Information Protection Commission’s Guidelines on the Act on the Protection of Personal Information.
Importantly, the content of the EU adequacy decision (including its statement that the APEC CBPR system is not viewed as sufficiently robust) will not have any direct legal significance in a trade adjudicator’s application of the exceptions from free data flow provisions. Furthermore, restrictions on onward transfers of EU personal data from Japan are unlikely to meet the additional USJDTA requirement that such restrictions may not discriminate transfers solely for the reason of them being “cross-border” in a way that alters conditions of competition between Japanese and non-Japanese providers to the detriment of the latter.
Third, and finally, the way restrictions on onward transfers of EU personal data are designed and applied could also constitute a means of arbitrary or unjustifiable discrimination or disguised restrictions on trade. Based on the interpretation of this criterion in WTO jurisprudence, one of the main risks here is that these restrictions apply horizontally to any country outside Japan, unless it has been recognized as ensuring equivalent protection of personal data by Japan. If there is no official recognition of equivalency, applicable conditions and the levels of personal data protection in each of those countries are not considered on a case-by-case basis (e.g., restrictions would still apply even if the level of protection is realistically higher than in Japan). So far Japan has only recognized countries of the European Economic Area and the UK. Since it is alleged that Japan did not “negotiate in good faith” to achieve similar recognition of the CPTPP parties or the U.S., these actions could be viewed as unjustifiable discrimination.
As discussed above, there are concrete risks that, in a hypothetical dispute under the CPTPP or USJDTA, restrictions of onward transfer of EU personal data from Japan could be found in violation of free data flow provisions and could not be justified under the exceptions from such provisions. Should this situation occur, Japan would be faced with a difficult choice. On the one hand, Japan could lift restrictions of onward transfers in compliance with the CPTPP or USJDTA requirements, thus breaching the conditions for the EU adequacy decision. On the other hand, Japan could continue to comply with the conditions of the EU adequacy decision, thus enforcing its restrictions on onward transfers in violation of the CPTPP or USJDTA. While the USJDTA does not currently have a binding dispute settlement mechanism for enforcement it cannot be excluded that such a mechanism could be created in the future.
The potential clash between the free data flow provisions in trade agreements and the restrictions on onward transfers of EU personal data under the adequacy decision is, of course, primarily a challenge for Japan which must reconcile the two in its domestic law. Because adequacy decisions are unilateral acts of the European Commissions, they can in theory be suspended or withdrawn by the Commission if Japan no longer meets the adequacy requirements. That is, in theory at least, because the Commission has never actually suspended or withdrawn adequacy decisions, not even in the case of the U.S. when it had clear concerns regarding the adequacy of the EU-U.S. Privacy Shield, later invalidated by the European Union’s highest court. Add to this the new cross-border data flow provisions that the European Commission is currently negotiating with Japan as part of the EU-Japan Economic Partnership Agreement, which could create an additional legal hurdle before the Commission can withdraw or suspend the adequacy decision (namely, satisfying the exception from the provisions prohibiting certain restrictions on data flows). This remains an interesting story to keep on the radar for all those interested in cross-border flows of personal data.