EU considers Japanese personal data protection law to be equivalent

The European Commission has taken an adequacy decision with regard to Japanese privacy protection legislation. This means that personal data can now be exchanged between the EU and Japan without further requirements.

The European Commission has made this adequacy decision because it believes that Japan offers a level of protection for personal data comparable to that of the EU. This concerns the safeguards arising from the Japanese Act on the Protection of Personal Information. This decision means that personal data from the EU, Norway, Liechtenstein and Iceland can be transferred to Japan without the need to create further safeguards or otherwise take privacy measures.

Before the Commission took this decision on Japan, the country introduced a number of additional rules to ensure that the protection of data transferred from the EU is in line with European standards. This concerns, for example, further rules on the protection of sensitive data or the conditions under which EU data may be transferred from Japan to another country. These additional rules are mandatory for Japanese companies that obtain data from the EU, compliance with which can be enforced by the Japanese independent data protection authority and courts.

Furthermore, Japan has established a mechanism through which Europeans can lodge a complaint about access by Japanese public authorities to the personal data. Japan must investigate and resolve these complaints. Finally, the Japanese government has assured the European Commission that, in the context of national security or criminal investigations, Japanese public authorities may only access EU personal data if this is strictly necessary and in a proportionate manner.

The Commission has already taken adequacy decisions for Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay and the United States, among others. For Canada it is limited to commercial organizations and for the US it is limited to the Privacy Shield framework. The European Commission is currently in talks with South Korea to reach an adequacy decision for this country as well.

In accordance with Article 45 of the General Data Protection Regulation, the European Commission has the right to determine that a third country or organization ensures an adequate level of data protection, whether or not through national law or international obligations to which the country or organization has committed itself. . The European Parliament or the Council may at any time request the European Commission to withdraw or amend the adequacy decision. Such adequacy decisions do not cover the exchange of data in the context of law enforcement.

The adequacy decision for Japan complements the previously concluded trade agreement between the EU and Japan, which will come into effect on February 1. This trade deal and the adequacy decision should ensure that companies have a foothold when they work with personal data from each other’s regions and that citizens have the confidence that their data is well protected.