EU, Japan Aim to Mutually Recognize Data Privacy Regimes in 2018

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

The European Union and Japan have announced they are aiming to officially approve in early 2018 each other’s privacy regimes as being adequate to protect the privacy of personal data.

A mutual adequacy finding would be a boon to Japan-based companies as Toyota Motor Corp. and Sumitomo Mitsui Banking Corp. because an EU privacy adequacy approval allows companies in non-EU countries to more easily transfer personal data from the EU. It would also help EU companies doing business in Japan to more easily transfer personal data from Japan.

EU Justice Commissioner Vera Jourova and Japan’s Data Protection Commissioner Haruhi Kumazawa issued a joint statement July 4, saying the process is underway to allow a final adequacy ruling in early 2018. The reform of the EU’s privacy regime through the EU General Data Protection Regulation (GDPR), and recent amendments to Japan’s Personal Information Protection Act, have “increased the convergence” of their privacy protection laws, they said.

A “simultaneous finding of an adequate level of protection by both sides” would “facilitate smooth and mutual data flows,” the officials, who met in Brussels July 3, said.

Michio Moriwaki, digital innovation policy manager at the Japan Business Council in Europe, told Bloomberg BNA July 5 that, in general, such an adequacy decision would be “very good news.” But companies must await the details of any official adequacy determinations to be able to fully judge the situation, Moriwaki said. The Japan Business Council in Europe represents “almost 80 multinational companies of Japanese parentage operating in Europe,” according to the group’s website.

Updated Privacy Regimes

The EU GDPR was finalized in late 2015 and takes full effect May 25, 2018. The amendments to the Japanese privacy law went into effect May 30.

Both laws include:

  •  a distinction between sensitive and nonsensitive data, with tighter processing rules for sensitive data;
  •  requirements that companies appoint data protection officers;
  •  data breach notification obligations; and
  •  limitations on international data transfers.
The European Commission, the EU’s executive arm, may adopt adequacy decisions after getting approval from a regulatory committee and input from the Article 29 Working Party of EU privacy officials from the 28 EU countries.

The EU has so far adopted adequacy decisions for only a handful of countries: Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, and Uruguay.

An EU official working with Jourova, who asked not to be identified by name, told Bloomberg BNA July 5 that the EU-Japan privacy adequacy talks are “going well” but are in early stages, so no further details are available.

The EU doesn’t recognize the U.S. as having an adequate privacy regime. However, it has said certain specific agreements—such as the EU-U.S. Privacy Shield framework to allow certain corporate data transfers to the U.S. and the U.S.-EU agreement to let law enforcement agencies share airline traveler information—are adequate.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald G. Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security