On 17 July 2018, the EU and Japan concluded their discussions on personal data transfers and recognised that their data protection regimes are equivalent, which means that personal data will be able to flow freely between them once each side has completed the necessary procedures to adopt an adequacy decision.
The agreement is good news for businesses that transfer data from the EU to Japan, as transfers outside of the European Economic Area are, at present, generally prohibited by the General Data Protection Regulation 2016/679. There are ways around this prohibition, though they often involve the data exporter and importer entering into additional contracts, which can add cost, complexity and administrative burden for organisations.
Once the adequacy decision is adopted by the EU, the transfer of personal data to controllers and processors in Japan will no longer be prohibited and can be undertaken without data transfer contracts. There may still be a need for data sharing or processing agreements, but this is often the case even for domestic transfers between two parties established in the EU. According to the terms agreed between the EU and Japan, where data is exported from the EU, it will be subject to additional safeguards, and affected individuals will have access to a special complaints mechanism.
The next step in the EU’s adoption process will be to obtain an opinion on the decision from the European Data Protection Board, after which the decision will need to be approved by a committee made up of the EU Member States later this year. The EU has issued a press release which has more information about the agreement, and links to information about the EU-Japan Economic Partnership Agreement which will complement the adequacy decision: http://europa.eu/rapid/press-release_IP-18-4501_en.htm