EU and Japan Adequacy Decision published

The EU has published an adequacy decision relating to Japan’s adequate protection of personal data under its Act on the Protection of Personal Information (APPI). The Decision was published in the Official Journal of the European Union dated 19 March 2019.

The Decision means that transfers from EEA controllers and processors to businesses in Japan (except where the recipient is excluded from the APPI such as such as, the media, universities, religious bodies and political bodies) can take place without any further authorisation or safeguards.

The European Commission adopted the adequacy decision following their fining that Japan ensures an “essentially equivalent” level of protection to that provided by the GDPR for personal data transferred to organisations falling within the scope of the APPI.

By way of a reminder, the GDPR only permits transfers of personal data to a third country or international organisation if an adequacy decision has been made or one of the other recognised safeguards is in place:

• Adequacy Decision: Like the recent decision relating to Japan. Such a decision means that the Commission has found that the legal framework in place in that country, territory, sector or international organisation provides ‘adequate’ protection for individuals’ rights and freedoms for their personal data. As at February 2019 the Commission has made a full finding of adequacy about the following countries and territories: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. The adequacy finding for the USA is limited to transfers of personal data which fall within the scope of the EU-USA Privacy Shield Framework.
• Appropriate Safeguards:
  • If you are a public authority or body and you are transferring to another public authority or body, and you have both signed a contract or another legal instrument which is legally binding and enforceable.
  • If both you and the recipient of the personal data have signed up to a group document called binding corporate rules (BCRs) and these have been approved by the EU data protection authority (the Information Commissioner’s Office (ICO) in the UK).
  • If you and the recipient of the personal data have entered into a contract incorporating the standard data protection clauses adopted by the Commission.

The adequacy decision for Japan creates the world’s largest area of safe and smooth data transfers. For global business operators transferring data between the EEA and Japan, this should be welcomed and it is expected to create operational and cost efficiencies which will benefit consumers.