buren-logoburen-chinalegalangle-rightangle-left
04-02-2019

European Commission adopts privacy adequacy decision on Japan

On 23 January 2019, the European Commission (the “Commission”) adopted its adequacy decision on Japan.

Since 25 May 2018 the General Data Protection Regulation (EU) 2016/679 ("GDPR") applies, a regulation in EU law on data protection and privacy for all individuals within the European Union ("EU") and the European Economic Area (the EU Member States plus Norway, Liechtenstein and Iceland: "EEA"). The GDPR also regulates the transfer of personal data from the EU/EEA to third countries. Data export to third countries may only take place if the Commission has decided that the third country involved ensures an adequate level of protection or under specific conditions as stipulated in the GDPR, for instance, explicit consent of the date subject, the individual whose personal date is processed.

Until the adequacy decision of 23 January 2019, the Commission considered that Japan did not provide a level of protection of personal data comparable to that in the EU. Therefore, in order to be able to transfer personal data from the EU/EEA to Japan, companies, such as subsidiaries or affiliates of Japanese companies, were required to provide appropriate safeguards in accordance with the Article 46 of the GDPR. In practice, this meant that companies had to adopt Binding Corporate Rules ("BCR") or use the standard date protection clauses adopted by the Commission, which allow for the transfer of personal data from the EU/EEA to a third country on which no adequacy decision is issued by the Commission.

The adequacy decision adopted by the Commission is the result of the EU and Japan successfully concluding their talks on reciprocal adequacy on 17 July 2018, and their agreement to recognise each other's data protection systems as adequate, allowing personal data to be transferred safely between the EU and Japan.

Further to the adequacy decision, personal data may be transferred from the EU/EEA to Japan without the necessity of BCRs or standard data protection clauses. This brings less administration burden and costs for companies transferring personal data to Japan. As a result the transfer of personal data of employees or customers, for instance, will be much simpler and smoother.

Please note that the adequacy decision only concerns the transfer of personal data: the other rules regarding the processing of personal data under the GDPR remain unaffected by the adequacy decision.

On 23 January 2019, also Japan adopted an equivalent decision in accordance with the Act on the Protection of Personal Information. This was accompanied by a joint press statement of the Japanese Personal Information Protection Commission (PPC) and the EU recognising that each other’s personal data protection system is equivalent.

The adequacy decision shall be monitored and reviewed after 2 years and subsequently a review shall take place at least every four years. 

Related news & updates