Skip to content

ChannelsContributorsSubscribe
LexBlog, Inc. logo
LexBlog, Inc. logo
AboutProductsJoin
Search
Close

Japan and South Korea in the Pipeline for Adequacy Decision

By Paul Van den Bulck & Morgane Poppe
September 5, 2017
EmailTweetLikeLinkedIn

In early 2017, the EU Commission published a communication about “Exchanging and Protecting Personal Data in a Globalized World” in which the EU Commission prioritizes discussions on possible adequacy decision with key trading partners, starting from Japan and South Korea in 2017.  More particularly, on July 3, 2017, the EU Commission and a representative of the Japanese Personal Information Protection Commission met in Brussels to move forward on a possible adequacy decision.

With the recent reform of the Japanese Act on the Protection of Personal Information on May 30, 2017 and with the new EU General Data Protection Regulation (the “GDPR”, which will apply from May 25, 2018), Japan and the EU have strengthened their respective data protection regimes. As a result, both countries have a very similar regime and ensure a very high level of protection for personal data. This convergence offers new opportunities to pursue a dialogue on adequacy decision.

The EU Commission considers that, in particular, the following criteria should be taken into account to assess with which countries a dialogue on adequacy should be pursued:

  • The extent of the EU’s (actual or potential) commercial relation with a given third country;
  • The extent of personal data flows from the EU, reflecting geographical and/or cultural ties;
  • The pioneering role that the third country plays in the field of privacy and data protection that could serve a model for other countries in its region; and
  • The overall political relationship with the third country in question.

An adequacy decision is an implementing decision taken by the EU Commission to make a determination that a third country ensures an adequate level of protection of personal data. Once an adequate level of protection is recognized by the EU Commission, transfers can be made without specific authorizations. For now, the Commission has adopted 12 adequacy decisions, including the EU-US Privacy Shield.

The EU Commission, when determining whether a third country has an adequate level of protection, must take into account among others (GDPR, art. 45.2):

  • “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;”
  • “the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States”; and
  • “the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.”

The overall evaluation does not require a level of protection identical to that offered within the EU, but requires a level of protection that is “essentially equivalent”.

Under the GDPR, an adequacy decision is not a definitive decision but a decision that once adopted needs close monitoring by the EU Commission and review, at least every four years, to take into account all relevant developments affecting the level of protection ensured by the third country.

This two-way dialogue with Japan will include exploring ways to increase convergence of Japan’s laws and practice with the EU data protection rules. The EU Commission and Japan have reaffirmed their commitment to intensify their efforts and to conclude this dialogue by early 2018.

Photo of Paul Van den Bulck Paul Van den Bulck

Paul Van den Bulck’s practice focuses on legal issues around information technology (IT), data privacy and security, intellectual property (IP), media and entertainment, and fair trade practices. He counsels clients from a broad spectrum of industries on day-to-day IT and IP issues. Paul…

Paul Van den Bulck’s practice focuses on legal issues around information technology (IT), data privacy and security, intellectual property (IP), media and entertainment, and fair trade practices. He counsels clients from a broad spectrum of industries on day-to-day IT and IP issues. Paul provides strategic advice to clients on all aspects of international and domestic data privacy and security, including compliance, security and data breaches, data transfer to support discovery or whistleblowing schemes, and processing of sensitive data. In addition, he assists clients in their relationships with certain national data protection authorities. Paul holds the CIPP/E certification as a Certified Information Privacy Professional from the International Association of Privacy Professionals (IAPP).

Read more about Paul Van den Bulck Paul's Twitter Profile
Show more Show less
  • Posted in:
    Privacy & Data Security
  • Blog:
    Password Protected
  • Organization:
    McGuireWoods LLP
  • Article: View Original Source

Stay Connected

Facebook LinkedIn Twitter RSS
Publishing Solutions
Real Lawyers

Company

  • About LexBlog
  • Careers
  • Press
  • Contact LexBlog
  • Privacy Policy
  • Editorial Policy
  • Disclaimer
  • Terms of Service
  • RSS Terms of Service

Support

  • 1-800-913-0988
  • Submit a Request
  • Support Center
  • System Status

New to the Network

  • Capital Markets Litigation Blog
  • lien-law-news
  • LawBiz Blog
  • Conroy Creative Counsel
  • Trellis
Copyright © 2019, LexBlog, Inc. All Rights Reserved.
Powered By LexBlog