Japan GDPR adequacy to create the world’s largest area of safe data flows
With a successful conclusion to their talks on reciprocal adequacy, the EU and Japan have agreed to recognise each other’s data protection systems as ‘equivalent’, which will allow data to flow safely between the EU and Japan.
Each side will now launch its relevant internal procedures for the adoption of its adequacy finding. For the EU, this involves obtaining an opinion from the European Data Protection Board (EDPB) and the green light from a committee composed of representatives of the EU Member States. Once this procedure will have been completed, the Commission will adopt the adequacy decision on Japan.
Věra Jourová, Commissioner for Justice, Consumers and Gender Equality: “Japan and EU are already strategic partners. Data is the fuel of global economy and this agreement will allow for data to travel safely between us to the benefit of both our citizens and our economies. At the same time we reaffirm our commitment to shared values concerning the protection of personal data. This is why I am fully confident that by working together, we can shape the global standards for data protection and show common leadership in this important area.”
This mutual adequacy arrangement will create the world’s largest area of safe transfers of data based on a high level of protection for personal data. Europeans will benefit from strong protection of their personal data in line with EU privacy standards when their data is transferred to Japan. This arrangement will also complement the EU-Japan Economic Partnership Agreement, European companies will benefit from uninhibited flow of data with this key commercial partner, as well as from privileged access to the 127 million Japanese consumers. With this agreement, the EU and Japan affirm that, in the digital era, promoting high privacy standards and facilitating international trade go hand in hand. Under the GDPR, an adequacy decision is the most straightforward way to ensure secure and stable data flows.
The key elements of the adequacy decisions
The agreement found on the 17 of July, foresees a mutual recognition of an equivalent level of data protection by the EU and Japan. Once adopted, this will cover personal data exchanged for commercial purposes, ensuring that in all exchanges a high level of data protection is applied.
To live up to European standards, Japan has committed to implementing the following additional safeguards to protect EU citizens’ personal data, before the Commission formally adopts its adequacy decision:
- A set of rules providing individuals in the EU whose personal data are transferred to Japan, with additional safeguards that will bridge several differences between the two data protection systems. These additional safeguards will strengthen, for example, the protection of sensitive data, the conditions under which EU data can be further transferred from Japan to another third country, the exercise of individual rights to access and rectification. These rules will be binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority (PPC) and courts.
- A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the Japanese independent data protection authority.
Next steps
The Commission is planning on adopting the adequacy decision in autumn this year, following the usual procedure:
- Approval of the draft adequacy decision by the College
- Opinion from the European Data Protection Board (EDPB), followed by a comitology procedure
- Update of the European Parliament Committee on Civil Liberties, Justice and Home Affairs
- Adoption of the adequacy decision by the College
In parallel, Japan will finalise the adequacy finding on their side.
