EU and Japan Adopt Adequacy Decision


On the 23rd January 2019 the EU adopted an adequacy decision on Japan while on the same day Japan recognised the EU as a jurisdiction with an adequate level of personal data protection. The justification of having a third country qualify under the “adequacy” decision relates to cross-border transfer of personal data between the EU and a third country. The objective is to eliminate the need of further specific paperwork under GDPR such as the EU model clauses or binding corporate rules.

Pursuant to article 45 of the GDPR, companies will be able to transfer personal data from the EU to Japan based on the adequacy decision. This means that there will be no need of further safeguards or obtaining specific consent from the data subject for the transfer.

Having said so, “Supplementary Rules” based on the adequacy decision have been issued by the EU Commission vis-a-vis the differences between Japanese and EU data protection laws. These rules are binding on personal data handling business operators in respect of processing of personal data transferred from the EU to Japan. On the other hand, this does not apply to Japanese entities transferring personal data of Japanese citizens to Europe.

The EU Commission has the power to determine on the basis of article 45 of the GDPR whether a third country offers an adequate level of data protection. The adoption of an adequacy decision involves:

  • a proposal from the EU Commission;
  • a opinion of the EU data protection board;
  • an approval from representatives of the EU countries;
  • the adoption of the decision by the EU Commission.

The EU parliament and the Council may request the EU Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for the regulation.

Countries who are already recognised by the EU Commission are: Andorra; Argentina; Canada [commercial organisations]; Faroe Islands; Guernsey; Israel; Isle of man; Jersey; New Zealand; Switzerland; Uruguay; US [limited to the Privacy Shield] and now Japan.

Should you have any questions regarding GDPR, get in touch via or +356 2010 3020.

Leave a Reply