European Commission adopts adequacy decision on Japan, creating the world’s largest area of safe data flows

The Commission has adopted its adequacy decision on Japan, allowing personal data to flow freely between the two economies on the basis of strong protection guarantees.

The last step in the EU-Japan agreement procedure was finalised yesterday, which allows the world’s largest area of safe data flows.

Launched in September 2018, the adequacy decision included the opinion of the European Data Protection Board (EDPB) and the agreement from a committee composed of representatives of the EU Member States. Together with its equivalent decision adopted by Japan, it started applying yesterday.

Věra Jourová, Commissioner for Justice, Consumers and Gender Equality said:
“This adequacy decision creates the world’s largest area of safe data flows. Europeans’ data will benefit from high privacy standards when their data is transferred to Japan. Our companies will also benefit from a privileged access to a 127 million consumers’ market. Investing in privacy pays off; this arrangement will serve as an example for future partnerships in this key area and help setting global standards.” 

The mutual adequacy arrangement with Japan is a part of the EU strategy in the field of international data flows and protection, as announced in January 2017 in the Commission’s Communication on Exchanging and Protecting Personal Data in a Globalised World.

The EU and Japan successfully concluded their talks on reciprocal adequacy on 17 July 2018, which agreed to recognise each other’s data protection systems as adequate, allowing personal data to be transferred safely between the EU and Japan.

Part of the EU’s General Data Protection Regulation (GDPR), provides different tools to transfer personal data to third countries, including adequacy decisions. The European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection. The European Parliament and the Council can request the European Commission to maintain, amend or withdraw these decisions. 

The key elements of the adequacy decision

Before the Commission adopted its adequacy decision, Japan put in place additional safeguards to guarantee that data transferred from the EU enjoy protection guarantees in line with European standards.

This includes:

  • A set of rules (Supplementary Rules) that will bridge several differences between the two data protection systems. These additional safeguards will strengthen, for example, the protection of sensitive data, the exercise of individual rights and the conditions under which EU data can be further transferred from Japan to another third country. These Supplementary Rules will be binding on Japanese companies importing data from the EU and enforceable by the Japanese independent data protection authority (PPC) and courts.
  • The Japanese government also gave assurances to the Commission regarding safeguards concerning the access of Japanese public authorities for criminal law enforcement and national security purposes, ensuring that any such use of personal data would be limited to what is necessary and proportionate and subject to independent oversight and effective redress mechanisms.
  • A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the Japanese independent data protection authority. 

The adequacy decisions also complement the EU-Japan Economic Partnership Agreement, which will enter into force in February 2019. Where European companies will benefit from free data flows with a key commercial partner, as well as from privileged access to the 127 million Japanese consumers. The EU and Japan affirm that, in the digital era, promoting high privacy and personal data protection standards and facilitating international trade must and can go hand in hand.

Next steps

After two years, a first joint review will be carried out to assess the functioning of the framework. This will cover all aspects of the adequacy finding, including the application of the Supplementary Rules and the assurances for government access to data. The Representatives of European Data Protection Board will participate in the review regarding access to data for law enforcement and national security purposes. Subsequently a review will take place at least every four years.


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.