In September 2018 the EU launched its process for adopting an adequacy decision under the GDPR after negotiations concluded between the EU and Japan in July 2018. This process completed on 23rd January 2019 when the European Commission formally adopted the adequacy decision. The agreement, which comes into effect immediately means that it is now possible for the free flow of EU citizen data to Japan on the basis that Japan’s data protection framework is equivalent or “adequate” when compared to the EU’s GDPR requirements.
What are adequacy decisions?
The GDPR forbids the processing of EU citizens’ personal data outside the EU unless appropriate and equivalent data protection safeguards are in place.
There are a number of ways this equivalence can be achieved:
- Countries agree adequacy decisions between themselves and the EU, where the EU essentially rubber stamp that the countries data protection law is equivalent to the expected standards set in the EU – this is what has happened with Japan
- Partial adequacy is agreed whereby an agreement is put in place – the EU-US Privacy Shield is an example of this, whereby US organisations processing EU data, self-certify they apply EU standards to data protection by signing up to the Privacy Shield
- Companies can put in place standard model-clauses (pre-defined contract terms) between them and their non-EU processor, or, for inter-group transfers, binding corporate rules. These contractual terms bind both parties to applying EU standards of data protection
Why are adequacy decisions useful?
Having an adequacy decision in place means that data can flow, unhindered, outside the EU to these “adequate” countries without the need for contracts or other processes. And a full adequacy decision, whilst monitored for compliance, is a formal agreement and recognition of the standard of data protection law, unlike something like the Privacy Shield that can be withdrawn by the EU at any sign of non-compliance and requires the signatories to apply the rules rather than the rules being enshrined in their national laws.
It also means that there is no need for companies to look at alternatives like the contractual clauses if they’re transferring/processing data in one of the adequate countries (a full list of adequate countries can be found here).
Need help with your international transfer compliance?
If you are unsure whether you need a model-clause or can rely on an adequacy decision or want to discuss your options when considering an international transfer of data that is restricted, then becoming a member of the Digital Compliance Hub can help. We provide a support helpline backed up by a library of resources – sign up for a 14-day free trial here.