You are here:
28 January 2019 / news

EU Japan adequacy decision reached

On 23 January 2019, the European Commission (EC) has adopted an adequacy decision on Japan allowing for a free flow of personal data between the EU Member States and Japan. This article will give you more insight into the background and content of the decision, and will also briefly discuss the expectations for future adequacy decisions.

EU Japan adequacy decision reached

Background

In January 2017, the European Commission (EC) launched the dialogue with Japan regarding the topic of reaching an adequacy decision. This dialogue was successfully concluded in July 2018 with the agreement that both parties will recognise each other’s data protection system as adequate, whereby allowing personal data to be transferred safely between the European Union (EU) and Japan. Following this agreement, a procedure was launched in September 2018 to realize this goal which included the opinion of the European Data Protection Board (EDPB) and the agreement from a committee composed of representatives of the EU Member States. The decision was adopted by both the EC and Japan and became applicable on 23 January 2019. This adequacy decision concerns the protections provided under the Japanese Act on the Protection of Personal Information (APPI) and will apply to all transfers of personal data to business operators in Japan.

What does an adequacy decision entail?

An adequacy decision is one of the mechanisms that the General Data Protection Regulation (GDPR) provides for the transfer of personal data from the European Economic Area (EEA) (the 28 EU Member States as well Norway, Liechtenstein and Iceland) to  a country outside of the EEA (third countries).  It is taken by the EC and establishes that a third country provides a level of data protection that is essentially equivalent to that provided for in the EU. Upon the adoption of an adequacy decision, personal data can flow safely from the EEA to the respective third country without being subject to further safeguards or authorizations.

It should be noted that the adequacy standard does not imply an exact replica of the standard in the EU, but it involves a comprehensive assessment of the third country’s relevant systems. The European Data Protection Authorities have established various elements that must be taken into account which include evaluating the country’s rules on access to personal data by public authorities for law enforcement as well as its national security and other public interest purposes. Accordingly, the EC has recognized various privacy systems as adequate, for instance that of Argentina, Israel and New Zealand. The EC has also adopted a partial adequacy finding for Canada and for the United States under the Privacy Shield (more information about the adequacy decisions can be found here).

How does Japan meet the adequacy criteria?

As described above, there are various elements that the EC considers in evaluating whether a country meets the standard of essential equivalence. For Japan to meet this standard, there were several safeguards that it had to implement in addition to modernizing its data protection legislation. The latter created an increased cohesion between the GDPR and Japan’s national legislation as the APPI now for instance recognizes data protection as a fundamental right and has also formalized the supervision and enforcement by an independent data protection authority (the Personal Information Protection Commission). Other safeguards that Japan implemented include its commitment to establish a system for addressing complaints under the supervision of the Personal Information Protection Commission in order to ensure that complaints from Europeans with regard to potential access to their personal data by Japanese law enforcement and national security authorities will be adequately examined and resolved. Moreover, Japan has ensured that the further transfer of Europeans' data from Japan to another third country will be subject to a higher level of protection.

Can we expect more adequacy decisions to be taken by the EC soon?

The EC has shared its intention to actively engage with other key trading partners as well, such as Korea, but also with India, Mercosur and other third countries that are keen on obtaining an adequacy finding. As commercial exchanges increasingly depend on personal data flows and considering that the privacy and security of such data is an absolute must under the GDPR, it is not surprising that countries are keen on obtaining such a decision. Additionally, greater compatibility between different data protection landscapes seems to be increasing. We will keep our readers updated regarding developments around other adequacy findings.



New address for Loyens & Loeff Belgium

New address for Loyens & Loeff Belgium

We are pleased to announce that Loyens & Loeff Belgium has a new address as from 17 June 2019. read more
A legal framework for pop-up stores in the Brussels-Capital Region

A legal framework for pop-up stores in the Brussels-Capital Region

Since 19 May 2019, the Brussels Capital Region has a legal basis for short-term commercial leases. read more
First Belgian GDPR fine

First Belgian GDPR fine

On 28 May 2019, the Belgian Data Protection Authority imposed its first GDPR fine for misusing personal data for electoral campaign purposes. read more
Stay informed

Don't miss out. Stay up to date about our latest news and events.

Subscribe