The European Commission adopted its long awaited adequacy decision on Japan. The same time, Japan recognized the European Union as a jurisdiction with adequate level of personal data protection (press release in Japanese). Both decisions took effect Jan. 23.
It took two years from the start of official discussions — with an eventful road — to reach this conclusion.
As a consequence, companies will be able to transfer personal data from the EU to Japan based on an adequacy decision pursuant to Article 45 of the General Data Protection Regulation without the need to arrange further safeguards on the transfer, such as entering into EU model clauses, or obtaining specific consent from the data subject on the transfer.
Note, however, that the idea of the EU Commission’s adequacy decision is to address relevant differences between Japanese and EU data protection laws by Japan’s issuance of Supplementary Rules, which shall bind Japanese companies with respect to their processing of personal data transferred from the EU. In contrast, Japan does not require European entities to comply with rules additional to the GDPR for the transfer of Japanese citizens’ personal data to Europe. This being said, complying with the Supplementary Rules should not be a major issue for Japanese companies, taking into account that these rules present rather minor adjustments to the domestic rules and data protection practices already existing in Japan.
Further, it has to be emphasized that this “adequacy” decision has impact only on the justification of cross-border transfers of personal data between Japan and the EU; that is, it will only eliminate the need to generate GDPR-unique paperwork like EU model clauses or binding corporate rules. Meanwhile, companies will still have to comply with the law of the jurisdiction where the data subject is resident from all other aspects, most noteworthy perhaps, when ensuring that the data is collected on appropriate legal grounds (consent, legitimate interest, ...). And since there are quite a few differences on the practicalities and fine details in the rules of the GDPR and those of Japanese data protection laws, legal advisors and consultants shall rest assured: Even after this adequacy decision, plenty of compliance work will remain when addressing data protection matters of Japanese multinationals!
photo credit: BWJones Japanese flag via photopin