On 23 January 2019, Japan was recognised by the EU Commission as having sufficient data protection laws for the purposes of data transfers. This means that personal data can be transferred from the EU to Japan without the need for additional measures under Chapter V of the GDPR (though note that all the other requirements of the GDPR still need to be met in relation to such transfers).
The EU Commission’s adequacy decision formalised the EU’s side of a reciprocal adequacy agreement in 2018, when both the EU and Japan agreed to recognise each other’s data protection systems as adequate for the purposes of international data transfers.
Japan put in place additional safeguards prior to being determined as adequate. These include:
The reciprocal adequacy decisions complement an EU-Japan Economic Partnership Agreement from February 2019.
Japan joins the now 12-strong list of adequate countries: Andorra, Argentina, Canada (for commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. Also ‘adequate’ are transfers to US organisations which have signed up to the EU-US Privacy Shield.
Post-Brexit, these countries are likely to be deemed adequate for transfers from the UK, too. However, there may be restrictions under the laws of Japan, other ‘adequate’ countries and the EU in transferring data to the UK, which need to be reviewed (as the UK itself will not be ‘adequate’ at the date of Brexit). Article number 11 in my series discusses this.
Olivia Whitcroft, principal of OBEP, 6 June 2019
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details