The European Union (EU)-Japan Economic Partnership Agreement (EPA) was signed at the EU-Japan Summit held in Tokyo on July 17. A reciprocal adequacy arrangement was also finalized, establishing the equivalence of the EU’s General Data Protection Regulation (GDPR) and Japan’s Act on the Protection of Personal Information (APPI) and enabling cross-border data transfers between the two. Japan was previously not included in the EU’s whitelist of countries considered as having adequate levels of personal data protection, but the country enforced its reformed law in May 2017. The arrangement is a landmark one given that it is the first time the EU has recognized reciprocal data protection adequacy with a third country.
An adequacy decision means “a third country provides a comparable level of protection of personal data to that in the European Union, through its domestic law or its international commitments.” Such a decision enables data exchange for commercial purposes to be unimpeded as it assures equivalence in data protection frameworks. The existence of Japan’s Personal Information Protection Commission (PPC), additional protections, mechanisms for investigations, and venues for complaint resolutions reinforce the reciprocal adequacy decision with the EU. For instance, Japan’s PPC may be called on by the European Data Protection Board (EDPB) as the point of contact for extra-territorial jurisdiction in the event of a breach in Japan affecting the personal data of EU citizens, and vice versa. The EU also has unilateral adequacy decisions with countries like the U.S. (only through the Privacy Shield framework), Canada (commercial organizations), Argentina, Israel, New Zealand, and Switzerland.
Signed by European Commission President Jean-Claude Juncker and European Council President Donald Tusk and Japan Prime Minister Shinzo Abe, the EPA is already in line for ratification by the European Parliament and the Japanese Diet. Likewise, the adoption of the adequacy decision on data protection will require corresponding reviews and procedures by the relevant EU and Japanese bodies.
As the trade partners make up almost a third of the world’s Gross Domestic Product (GDP), the EU’s reciprocal adequacy agreement with Japan highlights the extent of the GDPR’s economic and regulatory impact. Given the expected increase and ease in trade-related activity between the two, businesses will have the advantage of free as well as safe data flows for commercial purposes. The European Commission stated that through the agreement, “the EU and Japan affirm that, in the digital era, promoting high privacy standards and facilitating international trade go hand in hand.”
Other countries such as Australia, Canada, Qatar, China, and the UAE have implemented their respective data privacy laws in recognition of the importance of secure and borderless data transfer and in an effort to strengthen both political and economic partnerships. These legislative and regulatory reforms allow enterprises based outside the EU to also realize their role in the continued advancement of technology and trade along with protection of data flows post-GDPR implementation.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).