The European Commission has adopted an adequacy decision on Japan, creating the world’s largest area of safe data flows. The decision means that EU organisations can transfer personal data to organisations in Japan, without having to put in place a transfer mechanism laid down in Chapter 5 of the GDPR (such as the Commission’s standard contractual clauses or Binding Corporate rules). Japan has adopted an equivalent decision, making it simpler for Japanese organisations to transfer personal data to the EU. The adequacy decision, as well as the equivalent decision on the Japanese side, came into force on 23 January 2019.
Before the European Commission adopted its adequacy decision, Japan put in place additional safeguards to ensure that personal data transferred from the EU is protected in line with EU standards, including:
- A set of Supplementary Rules that will bridge differences between the EU and Japanese data protection systems. These safeguards will ensure the protection of sensitive data, the exercise of individual rights and the conditions under which EU data can be transferred from Japan to another third country. The Supplementary Rules will be binding on Japanese companies importing data from the EU and enforceable by the Japanese data protection authority and the courts.
- The Japanese government also gave assurances regarding how Japanese public authorities access EU personal data for criminal law enforcement and national security purposes.
- A complaint-handling mechanism to investigate and resolve complaints from Europeans over how Japanese public authorities access their personal data. The Japanese data protection authority will administer and supervise this new mechanism.
The adequacy decision complements the EU-Japan Economic Partnership Agreement, which enters into force in February 2019, to become the world’s biggest trade deal. The EU and Japan affirm that, promoting high data protection standards and facilitating international trade must go hand in hand.