Data Transfer Rules as Geopolitics?
Prof. Hiroshi Miyashita, Chuo University

Data Traveling from Japan

Data travel around the clock and across the globe.

According to a survey by the Personal Information Protection Commission, nearly two-thirds (66.4 percent) of Japanese companies received personal data from the European Union, and approximately a quarter (26.5 percent) of all companies circulate personal data from the EU to the United States via Japan. The results also demonstrate that personal data are transferred to those in Asian jurisdictions which have relatively new data protection legislations.

PPC, Survey on the Cross-border personal data transfers among Japan, the U.S., and Europe (27 January 2022) (in Japanese). The survey targeted 113 Japanese corporations which belong to the Japan Business Federation.  

Data flow is an integral component of international trade transactions and economic growth, as the  flow of personal data enables a large number of transactions of goods and services. Encouraging data flows can have positive societal impacts, such as improved digitization of medical data, that can help save lives and  improve health care during pandemics, as well as fostering the. . he free exchange of ideas that are vital to democratic functions.. In Japan, it is clearthat people have learned the lesson from the Edo era (sakoku), which closed the door to foreign countries, and thus believe that free flow of data will create prosperity.

Why Regulate Data Transfer?

The rationale of regulating data transfer stems from various motivations. First, the modern state was created to register (‘erfassen’ in German) an individual as its own nationality. Personal data are essential to maintain national duties and services such as taxation and social welfare, as is seen in the My Number system in Japan. Unscrupulous personal data transfers outside the nation distort national duties and services.

Second, personal data may be abused if transferred to a third country which has low standards or no legislation to protect personal data. The history of Nazi abuse of personal data via IBM punch cards shows a typical infringement of human rights. The idea of protecting personal data regardless of borders is to defend the dignity of human beings wherever they live. Improvident sharing or transfer of personal data undermines fundamental human rights inherent in personal data.

Third, economic or market integration may require the same rules on data transfer. If acompany transfers personal data to a low-standard country, that data may be exploited or even stolen by an organisation in the third country. In addition, the different standards for protecting personal data burden a global company to adjust to each regulation. A simple and high standard of data protection increases efficiency for global companies and trust for consumers.

Fourth, some countries are motivated to regulate personal data for national security reasons. Pokémon Go was prohibited by the Israeli military because of the possible leakage of sensitive military information to a third country. The U.S. Foreign Investment Risk Review Modernization Act is another example of restricting the export of sensitive personal data that may be exploited in a manner that threatens national security. The LINE data scandal, where Japanese user data were accessed by a Chinese company without transparency, exemplified the risk of possible data breach in the cross-border context.

Barriers to data flows, regardless of the motivations, are a major concern in the digital age.

Japanese Data Transfer Rules: Relying on OECD Guidelines 

What is the Japanese legal regime on data transfer?

Japan is a member of the G7, the Organisation for Economic Co-operation and Development (OECD), the Asia-Pacific Economic Cooperation (APEC), and the Global Privacy Assembly (GPA) to enhance cooperation with foreign authorities. Each international forum has periodic meetings on data protection. In addition to the EU’s most influential data protection laws, the Japanese strategy is clearly based on the OECD Privacy Guidelines for transferring personal data.

The original Act on the Protection of Personal Information (APPI) did not include any provisions regarding cross-border data transfer regulations. With the goal of obtaining an adequacy decision with the EU, the APPI introduced data transfer restriction rules in the amendments in 2015, modelling the EU’s data protection rules.  The APPI provides that personal data may be exported if one of the following items is met:

1) where the data subjects consent,  2) where business operator establishes a system conforming to the standards prescribed by Personal Information Protection Commission (PCC) rules, or 3) where the third country ensures the equivalent standards to the Japanese personal information protection system (Art. 28 (1)).

Further details are provided in the PPC Rules and the Guidelines. Regarding the standards for an importer to properly and reasonably ensure adherence to APPI obligations, the PPC’s Guidelines exemplify the contract or memorandum of understanding (MoU) between the exporter and importer in a foreign country, or the common privacy policy within the same corporate group. The Guidelines also note that the OECD Privacy Guidelines as well as the APEC Privacy Framework must be considered in assessing fulfilment of the obligations in a proper and reasonable way under the APPI. The PPC Rules also authorise APEC Cross-Border Privacy Rules (CBPR) certifications, although only five Japanese companies have been certified as of December 2022, compared with the over 17,000 certifications by the Japan Institute for Promotion of Digital Economy and Community (JIPDEC) in the domestic regime.  

In summary, the PPC clearly relies on the eight principles in the OECD Privacy Guidelines as the main criteria for assessing data transfer risks unless the third country obtains an EU adequacy decision or participates in the APEC CBPR system. Given the EU’s stringent standards, it is highly debatable whether the OECD’s eight principles, due to flexible applications, are sufficient safeguards for transferring personal data including onward transfers..

For instance, the OECD guideline that calls for a data transfer impact assessment by an individual company is not always realistic, given the limited research ability and frequent amendments to the third country’s legal regime. In practice, legal scholars and practitioners have published the legal regimes in the various countries. The PPC also published an overview of the legal regimes of 40 jurisdictions in Japanese to assist in data transfer impact assessment.

DFFT as a Political Solution?

At the 2019 Davos Conference, then-German Chancellor Angela Merkel mapped the digital strategies of the world’s major powers.  One is the U.S. approach of leaving the decisions to the market,, where data are in the hands of private stakeholders, and the other is the Chinese national management approach, where the state has extensive access to all data. According to Merkel, Europe’s approach is a third way, in which private companies are required to ensure protection of personal data.

On the same day at the Davos Conference, then-Prime Minister Shinzo Abe stated the fourth way, or perhaps a mixture of some of these approaches, that is Data Free Flow with Trust (DFFT).  DFFT means ‘to put our personal data and data embodying intellectual property, national security intelligence, and so on, under careful protection, while … enable[ing] the free flow of medical, industrial, traffic and other most useful, non-personal, anonymous data to see no borders’. It is the individual, and not the few big capital-intensive industries, that benefits from DFFT. To realise the DFFT regime, the Japanese government called for World Trade Organisation reform in the digital age.

It is still under consideration whether the DFFT concept will point only to  the WTO to  play a crucial role in protecting personal data as a human right. Other international fora such as the Council of Europe and UNESCO, together with the OECD and the APEC, may also join to ‘level up’ the international standard of protection of personal data in the face of emerging technologies. Streamlining multiple standards is complex for transferring personal data; thus, a simple high standard is desired, while respecting the cultural context of sensitivity. In this global ambitious process, success may depend on the degree of consensus over the protection of personal data as a human right. It will also be important to examine potential shortcomings of the OECD guidelines if those form the basis of Japan's DFFT approach. Other factors, such as economic motivations or innovations, are certainly important but rapidly changing in the digital age, while the human rights value of the protection of personal data has become universal across borders.

DFFT became a political agenda initiated by the Japanese government, which was also shared among the G7 data protection communities at the last meeting in September 2022. In May 2023, Japan will host the G7 Summit, where DFFT is expected to be tabled to enhance mutual trust and cooperation as the high political will. Whether the outcome of the G7 at the high political level will enhance the digital service for people across borders will be carefully observed by multiple stakeholders.