EU adopts data protection adequacy decision regarding Japan


In September 2018 the EU launched its process for adopting an adequacy decision under the GDPR, after negotiations between the EU and Japan concluded in July 2018. This process was completed on 23rd January 2019, when the European Commission formally adopted the adequacy decision. The agreement, which comes into effect immediately, means that EU citizens' personal data can now flow freely to Japan, on the basis that Japan’s data protection framework is equivalent or “adequate” when compared to the EU’s GDPR requirements.

What are adequacy decisions?

The GDPR forbids the processing of EU citizens’ personal data outside the EU unless appropriate and equivalent data protection safeguards are in place.

There are a number of ways this equivalence can be achieved:

  • Countries agree adequacy decisions between themselves and the EU, where the EU essentially rubber-stamps that the country's data protection law is equivalent to the expected standards set in the EU – this is what has happened with Japan
  • Partial adequacy is agreed by putting an agreement in place – the EU-US Privacy Shield is an example of this, whereby US organisations processing EU data self-certify that they apply EU standards of data protection by signing up to the Privacy Shield
  • Companies can put in place standard model-clauses (pre-defined contract terms) between themselves and their non-EU processor or, for inter-group transfers, binding corporate rules. These contractual terms bind both parties to applying EU standards of data protection

Why are adequacy decisions useful?

Having an adequacy decision in place means that data can flow, unhindered, outside the EU to these “adequate” countries without the need for contracts or other processes. A full adequacy decision, whilst monitored for compliance, is also a formal agreement and recognition of the standard of a country's data protection law. This is unlike something like the Privacy Shield, which can be withdrawn by the EU at any sign of non-compliance and requires the signatories to apply the rules rather than the rules being enshrined in their national laws.

It also means that there is no need for companies to look at alternatives like the contractual clauses if they’re transferring/processing data in one of the adequate countries (a full list of adequate countries can be found here).

Need help with your international transfer compliance?

If you are unsure whether you need a model-clause or can rely on an adequacy decision, or want to discuss your options when considering an international transfer of data that is restricted, then becoming a member of the Digital Compliance Hub can help. We provide a support helpline backed up by a library of resources – sign up for a 14-day free trial here.
