The EU and Japan agree on reciprocal adequacy for data transfers

The EU and Japan have agreed to recognize each other's data protection systems as 'equivalent', allowing the transfer of personal information between the EU countries and Japan. The agreement was announced during an economic summit in Tokyo. The agreement is due to enter into effect at the end of the year, after the European Data Protection Board (the pan-EU privacy regulator) gives its opinion on recognizing Japan as a country compatible with the European standards for the protection of personal data. 

The GDPR states that transfer of personal data to a third country may take place only where the European Commission has determined that the country in question ensures an adequate level of protection of personal data. To date, thirteen countries have been recognized as ensuring an adequate level of protection, including Israel.

To live up to the European standards, Japan will have to implement changes in two areas: 

  • Japanese legislation should be amended to provide individuals in the EU whose personal data are transferred to Japan, with additional safeguards that will bridge gaps between the two data protection systems. For example, these additional safeguards will strengthen the protection of sensitive data, the conditions under which EU data can be further transferred from Japan to another country and the exercise of individual rights to access and rectification. 
  • A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the independent Japanese data protection authority