The EU and Japan have today announced a new personal data adequacy agreement. This agreement will allow personal data to flow freely between the two parties on the basis that there are strong protective guarantees in place.
Before the agreement was concluded, Japan agreed to put additional safeguards in place for data transferred from the EU. These safeguards ensure data remains GDPR compliant if it is transferred to Japan. In brief, those additional safeguards are:
- A set of binding supplementary rules which must be applied by Japanese companies importing data from the EU. These rules are intended to harmonise the data rules between the parties and strengthen Japanese rules regarding individual data subject rights in Japan and the conditions under which EU data can be further transferred from Japan to another third country. These rules will be fully enforceable by the Japanese data protection authority.
- The Japanese government also assured the EU that Japanese public authorities' access to any data transferred to the EU would be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms. Previously the EU had some concerns regarding the use of such powers by Japanese law enforcement bodies.
- Japan also introduced a new complaint-handling mechanism to investigate and resolve complaints from European citizens regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the Japanese independent data protection authority.
Haruhi Kumazawa, Personal Information Protection Commissioner for Japan, stated: “This adequacy decision creates the world’s largest area of safe data flows. Europeans’ data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers’ market. Investing in privacy pays off; this arrangement will serve as an example for future partnerships in this key area and help setting global standards.”
Japan joins the small list of approved countries, which includes Canada, Israel, Switzerland and US companies that are ‘Privacy Shield’ compliant.
This is particularly good news for UK subsidiaries with Japanese parent companies, as there is no longer any need for standard form contracts to be in place if HR or other personal data is transferred to the Japanese head office.