On July 17, 2018, the EU and Japan finalized an agreement termed the “Adequacy Deal,” whereby both parties are considered to have adequate levels of data protection, allowing for the safe transfer of data between the EU and Japan.  Earlier this year, we compared the EU’s GDPR with Japan’s APPI and discussed how this agreement has been in the works since early 2017, when the European Commission (“the Commission”) published discussions concerning possible adequacy decisions with “key trading partners,” such as Japan.

The Significance of an Adequacy Deal

The GDPR restricts the transfer of personal data outside of the European Economic Area (EEA) unless the third country has been deemed an adequate country to transfer data to. Countries are considered adequate when they have the same standards as the EU for safeguarding personal data, which is determined by a comprehensive assessment of a country's data protection framework. An adequacy deal signifies that a third country is aligned with the EU’s data protection laws and the transfer of data between the EU and this country is safe.

The Impact of the Agreement

What makes this agreement so monumental is that this is the first time the EU has recognized a country within the Asia-Pacific Economic Cooperation (APEC) as an equal in terms of privacy, which has led to the world’s largest safe-data-transfer partnership to date. This agreement was also paired with the EU-Japan Economic Partnership Agreement, which was signed on the same day. The coupling of these agreements demonstrates the critical connection between the free data flow and the trading of goods and services within these economies.  As stated by the EU Commission, “With this agreement, the EU and Japan affirm that, in the digital era, promoting high privacy standards and facilitating international trade go hand in hand.”

The new agreement will allow for the exchange of personal data for commercial purposes and for law enforcement purposes between EU and Japanese authorities, ensuring that a high level of data protection is applied in all these exchanges.

Benefits of the Agreement

Both Japan and the EU will benefit significantly from the new agreement. European companies and EU residents will reap the benefits of unhindered data transfers and an enhanced level of protection, and will also have the privilege of working in and interacting with the Japanese market. Japan is the first APEC country to meet the EU’s high privacy standard since the implementation of the GDPR, a notable achievement in the privacy world. In addition, Japanese companies will have a significant competitive advantage in the EU market. It is likely that this partnership will create a new path for data flows between the EU and other APEC countries.  

What Happens Next?

The Commission is planning on adopting the adequacy decision in autumn this year. The next steps for the commencement of the new agreement include:

• Approval of the draft adequacy decision under the GDPR;
• Opinion from the European Data Protection Board (EDPB), to include all of the Member State Data Protection Authorities (DPAs) followed by a comitology procedure; and
• Update of the European Parliament Committee on Civil Liberties, Justice and Home Affairs.

Once these steps have been completed, the Commission will adopt the adequacy decision. The Commission will carry out a first review of the adequacy decision two years after its adoption, and subsequently every four years thereafter.

However, Japan still has a few more steps to take to meet the adequacy standards of the EU. 

1. Japan must implement its version of a DPA, which will investigate and resolve complaints from European residents regarding access to their data by Japanese public authorities, and
2. Japan must also establish a set of policies for the conditions under which EU data will be protected, can be transferred to Japan, and can be moved out of Japan to another country. These policies will be enforced by Japan’s data protection authorities once they are established.

The GDPR’s implementation this year set off a chain reaction of global privacy reform, which has led to the creation and enforcement of stricter regulations in other countries. The new agreement between the EU and Japan now makes up 30% of global data output, which will push countries around the world to issue stricter data protection legislation.

To learn more about Japan’s privacy legislation and how it aligns with the GDPR, download our free guide to the GDPR and the APPI.

Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.

Get more insights on the latest privacy news.

Subscribe to Focal Point's Privacy Pulse below - a once-a-month newsletter with guides, webinars, interesting white papers, and news all focused on data privacy. You can unsubscribe at any time.