10 things that happened whilst I was on maternity leave (and two that didn’t)
Number 3: Japan is now an ‘adequate’ country for personal data transfers

On 23 January 2019, Japan was recognised by the EU Commission as having sufficient data protection laws for the purposes of data transfers. This means that personal data can be transferred from the EU to Japan without the need for additional measures under Chapter V of the GDPR (though note that all the other requirements of the GDPR still need to be met in relation to such transfers).

The EU Commission’s adequacy decision formalised the EU’s side of a reciprocal adequacy agreement in 2018, when both the EU and Japan agreed to recognise each other’s data protection systems as adequate for the purposes of international data transfers.

Japan put in place additional safeguards prior to being determined as adequate. These include:

• strengthening the protection of sensitive data, the exercise of individual rights, and conditions for onward transfers to other countries;
• ensuring access to data by Japanese public authorities for criminal law enforcement and national security purposes is limited to that which is necessary and proportionate; and
• a complaint-handling mechanism to investigate and resolve complaints from European data subjects about access to their data by Japanese public authorities. This will be administered and supervised by the Japanese independent data protection authority.

The reciprocal adequacy decisions complement an EU-Japan Economic Partnership Agreement from February 2019.

Japan joins the now 12-strong list of adequate countries: Andorra, Argentina, Canada (for commercial organisations), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. Also ‘adequate’ are transfers to US organisations which have signed up to the EU-US Privacy Shield.

Post-Brexit, these countries are likely to be deemed adequate for transfers from the UK, too. However, there may be restrictions under the laws of Japan, other ‘adequate’ countries and the EU in transferring data to the UK, which need to be reviewed (as the UK itself will not be ‘adequate’ at the date of Brexit). Article number 11 in my series discusses this.

Olivia Whitcroft, principal of OBEP, 6 June 2019

This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details