On 23 January 2019, the EU commission announced its decision that Japan ensures adequate levels of data protections – as a consequence, it is now possible to freely transfer personal data from the EU (and the EEA) to Japan without the application of any further requirements.
Transfers of personal data originating from the European Economic Area (“EEA”) to third countries are regulated by the General Data Protection Regulation 2016/679) (“GDPR”) .
Non EU countries may be recognised by the Commission following a specific procedure as offering equivalent data protection to the GDPR. At this time only a selected few countries have been recognised as such.
This kind of recognition means that the recognized country is deemed to be equivalent to an EU Member State in relation to personal data transferred to them and therefore cross border transfer of personal data to such country is no longer subject to the requirements of Articles 46 and following of the GDPR (such as the adoption of binding corporate rules or the execution of the standard contractual clauses adopted by the EU Commission) that applicable for non EU countries which have not obtained such recognition.
Recognition is done through the adoption of an “adequacy decision” taken by the EU Commission on the basis of Articles 45 and 93 of the GDPR. The decision acknowledges that a third country, a territory or specified sectors within a third country ensures an adequate level of data protection. (The adequacy decision has relevance for the entire European Economic Area (“EEA”), which means that the three EEA Member States (Iceland, Liechtenstein and Norway) are also bound by the adequacy decision – on the basis of the Joint Committee Decision (JCD) adopted on 6 July 2018 which incorporates the GDPR into Annex XI of the European Economic Area Agreement).