The European Commission and Japan have mutually recognized each other’s data protection laws as providing an adequate level of data protection. This mutual adequacy decision allows personal data to flow freely between EU countries and Japan, in accordance with European data protection law, which generally restricts the transfer of personal data to destinations outside of the EU. The adequacy decision is also the first such decision adopted by the European Commission under the new and stricter rules of the GDPR.
With this decision, Japan joins 12 other countries – including Canada, New Zealand, the United States (with regard to the Privacy Shield) and Israel – that have been recognized over the years as adequate by the European Commission. However, this is the first time the EU and a third country have agreed on a mutual recognition of the adequate level of data protection.
Before the Commission adopted its adequacy decision, Japan had established additional safeguards to guarantee that data transferred from the EU enjoys protection on par with European standards, including:
- Special Japanese rules on the protection of sensitive data, the exercise of rights by data subjects and the conditions under which EU data can be transferred from Japan onward to another country.
- Japanese government assurances regarding safeguards concerning the access to personal data by Japanese public authorities for criminal law enforcement and national security purposes, designed to ensure that any such use of personal data would be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms.
- A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities.
The first Japan and EU joint review of the functioning of the adopted framework will take place in two years.