The European Commission has announced that it has adopted an adequacy decision in respect of Japan, simplifying the process for transferring personal data between the EU and Japan.
The adequacy decision follows last month's announcement on an EU-Japan trade agreement, though the Commission has emphasised that privacy is not a tradable commodity and that the adequacy decision stands separately.
How long did it take to approve?
The process has taken around two years. The Commission began discussions in January 2017. Talks concluded in July 2018, with the formal process for adopting the adequacy decision beginning in September 2018.
The adoption process includes an opinion from the European Data Protection Board, which is made up of representatives from the national supervisory authorities, and approval from a committee of representatives from EU member states.
The adequacy decision has immediate effect.
First adequacy decision under GDPR
The Japanese adequacy decision is the first to be made under the General Data Protection Regulation, which imposes stricter standards than those under the previous Directive.
It is also the first country-wide adequacy decision to be adopted since the fall of Safe Harbor and the Edward Snowden revelations. For that reason, it is not surprising that assurances relating to government access for law enforcement and national security feature strongly in the adequacy decision and the accompanying press release.
What does this mean if I share personal data with an organisation in Japan?
Organisations in the EU can now share personal data with organisations in Japan, without needing to through the processes in Chapter 5 of GDPR.
In practice, this means that organisations in the UK will no longer need to use the Commission's standard contractual clauses or adopt binding corporate rules. This will simplify the process for data exchanges within multinational organisations and businesses in the EU that use data processors in Japan.
As part of the additional safeguards that have been adopted by Japan, data subjects in the EU will also benefit from new rights and processes for dealing with complaints.
Japan has also adopted a decision regarding the adequacy of EU data protection law, which will simplify the process for Japanese organisations wishing to transfer personal data to the EU, potentially providing easier access to the Japanese market for businesses in the EU.
The UK Government has indicated that it will adopt all current adequacy decisions of the EU upon exit day, meaning that UK organisations should be able to continue benefiting from the Japanese adequacy decision post Brexit. Whether Japan would automatically extend its adequacy decision in respect of the UK post Brexit is unclear.
In terms of an EU adequacy decision for the UK post Brexit, the EU has made clear that it will not commence until the UK is a third country, but has said it will undertake the assessment with a view to adopting a decision by the end of 2020 (ie the end of the proposed transitional period).
Looking at the timescales for the Japanese adequacy decision, the formal adoption process took four months, but this followed 18 months of talks between the EU and Japan. It is anticipated that those initial talks will be much shorter for the UK, given the UK's proposal to adopt GDPR into UK domestic law. Instead, the focus will will be on the changes that the UK is proposing to make to "UK GDPR" and the powers of UK law enforcement and national security agencies.
If your organisation shares personal data with Japan and would like to discuss what changes you should make to take advantage of the new adequacy decision, please get in touch.